Help I was hijacted

eric123 · 02-23-2005, 11:35 PM

My explorer was hijacted. The page would be redirected to 69.20.16.183. Please tell me how to remove this spy ware.

**Pancake** · 02-24-2005, 12:18 AM

Hi...
Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us best determine if there is any spyware/malware on your computer.

eric123 · 02-24-2005, 02:29 AM

hi I ve done what you said
here is the result
thank you

Logfile of HijackThis v1.99.1
Scan saved at 下午 06:26:54, on 2005/2/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

**Pancake** · 02-24-2005, 04:21 AM

Hi..
First get the LSPFix and run it....To remove winlspak.dll from your winsock layers click the "I know what I'm doing" checkbox and check all the instances of winlspak.dll (and nothing else). Then move checked file/s to the "Remove" pane and click Finish and reboot.

When that is done we need to fix this 01 Host VX2 Trojan so download L2mfix

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This scan takes time to complete, then notepad will open with a log. Copy the contents of that log and paste it here

Please Do NOT run option #2 OR any other files in the l2mfix folder until told to.

eric123 · 02-24-2005, 06:28 AM

Here is what I got. I really appreciate your help.

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun.OC]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j8j60i1se8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="多媒體檔案內容表"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM 掃描器管理"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS 安全設定頁"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile 內容頁"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="顯示介面卡 CPL 擴充"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="顯示監視器 CPL 擴充"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="顯示面板 CPL 擴充"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="安全設定頁"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="磁碟複製擴充"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM 監視器管理"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM 印表機管理"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="加密內容功能表"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="公事包"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="字型"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC 設定檔"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="印表機安全設定頁"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="網路連線"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="網路連線"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="掃描器與數位相機"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="掃描器與數位相機"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="掃描器與數位相機"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="掃描器與數位相機"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="掃描器與數位相機"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft 資料連結"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="排定的工作"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="工作列和 [開始] 功能表"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="搜尋"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="說明及支援"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="說明及支援"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="執行..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="網際網路"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="電子郵件"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="系統管理工具"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="媒體列"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="網址(&A)"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="可存取的"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="網址列分析器"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="網際網路"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX 快取資料夾"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="訂閱資料夾"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ 檔案縮圖解壓縮器"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="摘要資訊縮圖處理器 (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML 縮圖展開程式"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="網頁發佈精靈"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="經由網際網路訂購沖印"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="取得 Passport 精靈"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="頻道檔"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="頻道捷徑"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="離線檔案資訊夾"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="人員(&P)..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"="EditPlus Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{2B3453E4-49DF-11D3-8229-0080BE509050}"="GMail Drive"
"{2B3453E4-49DF-11D3-8229-0080BE509052}"="GMailFS Property Sheet"
"{2B3453E4-49DF-11D3-8229-0080BE509054}"="GMailFS Drop Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}"=""
"{AB47B844-D0C9-4998-838C-8760882CA1DD}"=""
"{B89D61DB-9A14-4219-A679-5E36C0D0324A}"=""
"{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}"=""
"{97379452-C45B-46C7-866C-F91968BFCC57}"=""
"{481C2BEA-4713-42EB-B537-8849154F72E4}"=""
"{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}"=""
"{284AF703-05F0-49DA-8AA1-129D4DC2A744}"=""
"{2408F199-49FC-444C-BF8F-16BA4A32283D}"=""
"{C50C031D-2DFB-457E-9D1D-0462548D6D38}"=""
"{A82A534D-7E87-4D81-BD72-10E504DA97FC}"=""
"{9E432968-855F-47A9-BFEC-1056386A1962}"=""
"{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}"=""
"{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}"=""
"{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}"=""
"{84A38D76-CE38-4930-9B78-E05CF95D0633}"=""
"{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}"=""
"{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}"=""
"{2F89C6BC-B369-41D2-8B99-33B52A8584A9}"=""
"{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}"=""
"{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}"=""
"{9636402F-BF5E-4AEC-8389-0C874BEADF3C}"=""
"{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}"=""
"{5149B651-3A8A-47A0-BA13-34A2162375D9}"=""
"{121E72D0-B78D-4610-B165-2AB90D8E34B4}"=""
"{F8A0784A-949A-4B0E-8CEB-448B31170A2A}"=""
"{95615436-2354-4D59-B3D4-60134838FC40}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\InprocServer32]
@="C:\\WINDOWS\\system32\\ucrfaxa.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\InprocServer32]
@="C:\\WINDOWS\\system32\\abtxprxy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\cmbcatq.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\InprocServer32]
@="C:\\WINDOWS\\system32\\mnprivs.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\mTpi32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtpasf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqintf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\InprocServer32]
@="C:\\WINDOWS\\system32\\krdno1.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcvcirt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\sdxcoins.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\InprocServer32]
@="C:\\WINDOWS\\system32\\wiadmoe.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\InprocServer32]
@="C:\\WINDOWS\\system32\\doserial.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\InprocServer32]
@="C:\\WINDOWS\\system32\\jHvaprxy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\InprocServer32]
@="C:\\WINDOWS\\system32\\ndvdmd.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\InprocServer32]
@="C:\\WINDOWS\\system32\\oqjsel.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\InprocServer32]
@="C:\\WINDOWS\\system32\\ezcdec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\cqfview.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\InprocServer32]
@="C:\\WINDOWS\\system32\\akivtmxx.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\InprocServer32]
@="C:\\WINDOWS\\system32\\mawsock.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\InprocServer32]
@="C:\\WINDOWS\\system32\\wep.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: 2039-190E

C:\WINDOWS\System32 的目錄

2005/02/24 下午 10:09 231,798 azau0a39ed.dll
2005/02/24 下午 10:02 231,798 j8j60i1se8.dll
2005/02/24 下午 08:44 231,798 mv4ul9h91.dll
2005/02/24 下午 01:36 231,798 ir08l5du1.dll
2005/02/24 上午 09:11 231,798 h2j40c1qef.dll
2005/02/24 上午 07:51 232,008 h44mleh11h4.dll
2005/02/24 上午 07:31 231,798 akivtmxx.dll
2005/02/23 下午 11:39 230,818 o684lglq16qe.dll
2005/02/23 下午 07:56 230,365 m0280afued280.dll
2005/02/23 上午 10:16 230,766 hr0o05d3e.dll
2005/02/23 上午 10:03 230,715 ir6ml5j11.dll
2005/02/23 上午 08:46 228,979 en2ol1f31.dll
2005/02/23 上午 01:15 229,051 lvpm0971e.dll
2005/02/23 上午 01:00 229,230 lvl4093qe.dll
2005/02/22 下午 09:33 228,872 wwnrulesak.dll
2005/02/22 下午 09:01 228,872 ir0ol5d31.dll
2005/02/22 下午 08:43 228,872 r08slal71dq.dll
2005/02/22 下午 04:02 231,625 n28olcl31fq.dll
2005/02/22 上午 11:21 228,872 l08mlal11dq.dll
2005/02/22 上午 09:51 231,625 ir68l5ju1.dll
2005/02/22 上午 08:32 228,872 ir4ol5h31.dll
2005/02/21 下午 12:21 229,806 k0pmla711d.dll
2005/02/21 下午 12:14 228,787 ir2ql5f51.dll
2005/02/21 上午 11:15 229,806 o0lu0a39ed.dll
2005/02/21 上午 09:32 230,401 j4j6le1s1h.dll
2005/02/21 上午 09:10 231,625 dn2801fue.dll
2004/09/18 下午 01:50 32 {F5787646-0AE5-489E-93B1-9FEF8386C19D}.dat
2004/03/25 下午 08:41 32 {76AD4C99-DCA8-4DB2-BD4D-E2BF6BEF0951}.dat
2004/03/25 下午 08:00 <DIR> Microsoft
2004/03/25 下午 07:04 <DIR> dllcache
28 個檔案 5,990,819 位元組
2 個目錄 15,414,951,936 位元組可用

**Pancake** · 02-24-2005, 03:55 PM

Close all open programs

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then press enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it here, along with a new HJT log.

Please Do NOT run any other files in the l2mfix folder until you are told to

Before you post the hjt log we need to fix a missing registry entry caused by the VX2.

Copy and paste the contents of the quote box below into notepad.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.

Quote:

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

Then, locate fixme.reg on your desktop and <double-click> it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

eric123 · 02-24-2005, 04:37 PM

Here is the result
thank you for help
the new log
L2Mfix 1.02b

Running From:
C:\Documents and Settings\Eric\桌面\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Eric\桌面\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Eric\桌面\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\wtpasf.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dbnhupnp.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mnprivs.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dqintf.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ndvdmd.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ucrfaxa.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir2ql5f51.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\krdno1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mcvcirt.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\o0lu0a39ed.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\k0pmla711d.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir4ol5h31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\wiadmoe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mycbase.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\doserial.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\oqjsel.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ezcdec.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dn2801fue.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\cqfview.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\j4j6le1s1h.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir68l5ju1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mTpi32.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mawsock.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\akivtmxx.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir0ol5d31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\n28olcl31fq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\l08mlal11dq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\r08slal71dq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir08l5du1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvl4093qe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvpm0971e.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\en2ol1f31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\wwnrulesak.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\hr0o05d3e.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\o684lglq16qe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\jHvaprxy.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\m0280afued280.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\h44mleh11h4.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mv4ul9h91.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\h2j40c1qef.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvn2095oe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\guard.tmp
複製了 1 個檔案。
deleting: C:\WINDOWS\system32\wtpasf.dll
Successfully Deleted: C:\WINDOWS\system32\wtpasf.dll
deleting: C:\WINDOWS\system32\dbnhupnp.dll
Successfully Deleted: C:\WINDOWS\system32\dbnhupnp.dll
deleting: C:\WINDOWS\system32\mnprivs.dll
Successfully Deleted: C:\WINDOWS\system32\mnprivs.dll
deleting: C:\WINDOWS\system32\dqintf.dll
Successfully Deleted: C:\WINDOWS\system32\dqintf.dll
deleting: C:\WINDOWS\system32\ndvdmd.dll
Successfully Deleted: C:\WINDOWS\system32\ndvdmd.dll
deleting: C:\WINDOWS\system32\ucrfaxa.dll
Successfully Deleted: C:\WINDOWS\system32\ucrfaxa.dll
deleting: C:\WINDOWS\system32\ir2ql5f51.dll
Successfully Deleted: C:\WINDOWS\system32\ir2ql5f51.dll
deleting: C:\WINDOWS\system32\krdno1.dll
Successfully Deleted: C:\WINDOWS\system32\krdno1.dll
deleting: C:\WINDOWS\system32\mcvcirt.dll
Successfully Deleted: C:\WINDOWS\system32\mcvcirt.dll
deleting: C:\WINDOWS\system32\o0lu0a39ed.dll
Successfully Deleted: C:\WINDOWS\system32\o0lu0a39ed.dll
deleting: C:\WINDOWS\system32\k0pmla711d.dll
Successfully Deleted: C:\WINDOWS\system32\k0pmla711d.dll
deleting: C:\WINDOWS\system32\ir4ol5h31.dll
Successfully Deleted: C:\WINDOWS\system32\ir4ol5h31.dll
deleting: C:\WINDOWS\system32\wiadmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wiadmoe.dll
deleting: C:\WINDOWS\system32\mycbase.dll
Successfully Deleted: C:\WINDOWS\system32\mycbase.dll
deleting: C:\WINDOWS\system32\doserial.dll
Successfully Deleted: C:\WINDOWS\system32\doserial.dll
deleting: C:\WINDOWS\system32\oqjsel.dll
Successfully Deleted: C:\WINDOWS\system32\oqjsel.dll
deleting: C:\WINDOWS\system32\ezcdec.dll
Successfully Deleted: C:\WINDOWS\system32\ezcdec.dll
deleting: C:\WINDOWS\system32\dn2801fue.dll
Successfully Deleted: C:\WINDOWS\system32\dn2801fue.dll
deleting: C:\WINDOWS\system32\cqfview.dll
Successfully Deleted: C:\WINDOWS\system32\cqfview.dll
deleting: C:\WINDOWS\system32\j4j6le1s1h.dll
Successfully Deleted: C:\WINDOWS\system32\j4j6le1s1h.dll
deleting: C:\WINDOWS\system32\ir68l5ju1.dll
Successfully Deleted: C:\WINDOWS\system32\ir68l5ju1.dll
deleting: C:\WINDOWS\system32\mTpi32.dll
Successfully Deleted: C:\WINDOWS\system32\mTpi32.dll
deleting: C:\WINDOWS\system32\mawsock.dll
Successfully Deleted: C:\WINDOWS\system32\mawsock.dll
deleting: C:\WINDOWS\system32\akivtmxx.dll
Successfully Deleted: C:\WINDOWS\system32\akivtmxx.dll
deleting: C:\WINDOWS\system32\ir0ol5d31.dll
Successfully Deleted: C:\WINDOWS\system32\ir0ol5d31.dll
deleting: C:\WINDOWS\system32\n28olcl31fq.dll
Successfully Deleted: C:\WINDOWS\system32\n28olcl31fq.dll
deleting: C:\WINDOWS\system32\l08mlal11dq.dll
Successfully Deleted: C:\WINDOWS\system32\l08mlal11dq.dll
deleting: C:\WINDOWS\system32\r08slal71dq.dll
Successfully Deleted: C:\WINDOWS\system32\r08slal71dq.dll
deleting: C:\WINDOWS\system32\ir08l5du1.dll
Successfully Deleted: C:\WINDOWS\system32\ir08l5du1.dll
deleting: C:\WINDOWS\system32\lvl4093qe.dll
Successfully Deleted: C:\WINDOWS\system32\lvl4093qe.dll
deleting: C:\WINDOWS\system32\lvpm0971e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpm0971e.dll
deleting: C:\WINDOWS\system32\en2ol1f31.dll
Successfully Deleted: C:\WINDOWS\system32\en2ol1f31.dll
deleting: C:\WINDOWS\system32\wwnrulesak.dll
Successfully Deleted: C:\WINDOWS\system32\wwnrulesak.dll
deleting: C:\WINDOWS\system32\hr0o05d3e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0o05d3e.dll
deleting: C:\WINDOWS\system32\ir6ml5j11.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll
deleting: C:\WINDOWS\system32\o684lglq16qe.dll
Successfully Deleted: C:\WINDOWS\system32\o684lglq16qe.dll
deleting: C:\WINDOWS\system32\jHvaprxy.dll
Successfully Deleted: C:\WINDOWS\system32\jHvaprxy.dll
deleting: C:\WINDOWS\system32\m0280afued280.dll
Successfully Deleted: C:\WINDOWS\system32\m0280afued280.dll
deleting: C:\WINDOWS\system32\h44mleh11h4.dll
Successfully Deleted: C:\WINDOWS\system32\h44mleh11h4.dll
deleting: C:\WINDOWS\system32\mv4ul9h91.dll
Successfully Deleted: C:\WINDOWS\system32\mv4ul9h91.dll
deleting: C:\WINDOWS\system32\h2j40c1qef.dll
Successfully Deleted: C:\WINDOWS\system32\h2j40c1qef.dll
deleting: C:\WINDOWS\system32\lvn2095oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvn2095oe.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: wtpasf.dll (deflated 5%)
adding: dbnhupnp.dll (deflated 4%)
adding: mnprivs.dll (deflated 5%)
adding: dqintf.dll (deflated 5%)
adding: ndvdmd.dll (deflated 5%)
adding: ucrfaxa.dll (deflated 5%)
adding: ir2ql5f51.dll (deflated 4%)
adding: krdno1.dll (deflated 4%)
adding: mcvcirt.dll (deflated 5%)
adding: o0lu0a39ed.dll (deflated 5%)
adding: k0pmla711d.dll (deflated 5%)
adding: ir4ol5h31.dll (deflated 4%)
adding: wiadmoe.dll (deflated 5%)
adding: mycbase.dll (deflated 4%)
adding: doserial.dll (deflated 4%)
adding: oqjsel.dll (deflated 5%)
adding: ezcdec.dll (deflated 5%)
adding: dn2801fue.dll (deflated 5%)
adding: cqfview.dll (deflated 5%)
adding: j4j6le1s1h.dll (deflated 5%)
adding: ir68l5ju1.dll (deflated 5%)
adding: mTpi32.dll (deflated 4%)
adding: mawsock.dll (deflated 6%)
adding: akivtmxx.dll (deflated 6%)
adding: ir0ol5d31.dll (deflated 4%)
adding: n28olcl31fq.dll (deflated 5%)
adding: l08mlal11dq.dll (deflated 4%)
adding: r08slal71dq.dll (deflated 4%)
adding: ir08l5du1.dll (deflated 6%)
adding: lvl4093qe.dll (deflated 5%)
adding: lvpm0971e.dll (deflated 4%)
adding: en2ol1f31.dll (deflated 4%)
adding: wwnrulesak.dll (deflated 4%)
adding: hr0o05d3e.dll (deflated 5%)
adding: ir6ml5j11.dll (deflated 5%)
adding: o684lglq16qe.dll (deflated 5%)
adding: jHvaprxy.dll (deflated 5%)
adding: m0280afued280.dll (deflated 5%)
adding: h44mleh11h4.dll (deflated 6%)
adding: mv4ul9h91.dll (deflated 6%)
adding: h2j40c1qef.dll (deflated 6%)
adding: lvn2095oe.dll (deflated 6%)
adding: guard.tmp (deflated 6%)
adding: echo.reg (deflated 5%)
adding: clear.reg (deflated 71%)
adding: desktop.ini (deflated 15%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: lo2.txt (deflated 84%)
adding: test2.txt (deflated 49%)
adding: test3.txt (deflated 49%)
adding: test5.txt (deflated 49%)
adding: test.txt (deflated 81%)
adding: xfind.txt (deflated 76%)
adding: backregs/shell.reg (deflated 71%)
adding: backregs/AB47B844-D0C9-4998-838C-8760882CA1DD.reg (deflated 70%)
adding: backregs/B89D61DB-9A14-4219-A679-5E36C0D0324A.reg (deflated 70%)
adding: backregs/0FE8608C-2370-41AA-A9F9-EAB8D93E07EA.reg (deflated 70%)
adding: backregs/97379452-C45B-46C7-866C-F91968BFCC57.reg (deflated 70%)
adding: backregs/481C2BEA-4713-42EB-B537-8849154F72E4.reg (deflated 70%)
adding: backregs/8C59129F-6C36-4B07-AF69-4E5DDF5CF617.reg (deflated 70%)
adding: backregs/284AF703-05F0-49DA-8AA1-129D4DC2A744.reg (deflated 70%)
adding: backregs/2408F199-49FC-444C-BF8F-16BA4A32283D.reg (deflated 70%)
adding: backregs/C50C031D-2DFB-457E-9D1D-0462548D6D38.reg (deflated 70%)
adding: backregs/A82A534D-7E87-4D81-BD72-10E504DA97FC.reg (deflated 70%)
adding: backregs/9E432968-855F-47A9-BFEC-1056386A1962.reg (deflated 70%)
adding: backregs/884C6471-F25D-4EF0-92FA-EFF4F55D1B3C.reg (deflated 70%)
adding: backregs/5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686.reg (deflated 70%)
adding: backregs/1AB12896-1F2B-416E-A4A7-7F662F5C3B4E.reg (deflated 70%)
adding: backregs/84A38D76-CE38-4930-9B78-E05CF95D0633.reg (deflated 70%)
adding: backregs/6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA.reg (deflated 70%)
adding: backregs/8258DC11-9079-4D6F-AE43-7C5DF31DEA80.reg (deflated 70%)
adding: backregs/2F89C6BC-B369-41D2-8B99-33B52A8584A9.reg (deflated 70%)
adding: backregs/331A41D9-F89B-46E2-AFD1-CAAA5F392F0B.reg (deflated 70%)
adding: backregs/C4B4D43E-D057-45A0-AF0E-9FA41EE08904.reg (deflated 70%)
adding: backregs/9636402F-BF5E-4AEC-8389-0C874BEADF3C.reg (deflated 70%)
adding: backregs/2841BEB3-CCFB-4E50-B15F-CFB325F161A0.reg (deflated 70%)
adding: backregs/5149B651-3A8A-47A0-BA13-34A2162375D9.reg (deflated 70%)
adding: backregs/121E72D0-B78D-4610-B165-2AB90D8E34B4.reg (deflated 70%)
adding: backregs/F8A0784A-949A-4B0E-8CEB-448B31170A2A.reg (deflated 70%)
adding: backregs/95615436-2354-4D59-B3D4-60134838FC40.reg (deflated 70%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: wtpasf.dll
deleting local copy: dbnhupnp.dll
deleting local copy: mnprivs.dll
deleting local copy: dqintf.dll
deleting local copy: ndvdmd.dll
deleting local copy: ucrfaxa.dll
deleting local copy: ir2ql5f51.dll
deleting local copy: krdno1.dll
deleting local copy: mcvcirt.dll
deleting local copy: o0lu0a39ed.dll
deleting local copy: k0pmla711d.dll
deleting local copy: ir4ol5h31.dll
deleting local copy: wiadmoe.dll
deleting local copy: mycbase.dll
deleting local copy: doserial.dll
deleting local copy: oqjsel.dll
deleting local copy: ezcdec.dll
deleting local copy: dn2801fue.dll
deleting local copy: cqfview.dll
deleting local copy: j4j6le1s1h.dll
deleting local copy: ir68l5ju1.dll
deleting local copy: mTpi32.dll
deleting local copy: mawsock.dll
deleting local copy: akivtmxx.dll
deleting local copy: ir0ol5d31.dll
deleting local copy: n28olcl31fq.dll
deleting local copy: l08mlal11dq.dll
deleting local copy: r08slal71dq.dll
deleting local copy: ir08l5du1.dll
deleting local copy: lvl4093qe.dll
deleting local copy: lvpm0971e.dll
deleting local copy: en2ol1f31.dll
deleting local copy: wwnrulesak.dll
deleting local copy: hr0o05d3e.dll
deleting local copy: ir6ml5j11.dll
deleting local copy: o684lglq16qe.dll
deleting local copy: jHvaprxy.dll
deleting local copy: m0280afued280.dll
deleting local copy: h44mleh11h4.dll
deleting local copy: mv4ul9h91.dll
deleting local copy: h2j40c1qef.dll
deleting local copy: lvn2095oe.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\wtpasf.dll
C:\WINDOWS\system32\dbnhupnp.dll
C:\WINDOWS\system32\mnprivs.dll
C:\WINDOWS\system32\dqintf.dll
C:\WINDOWS\system32\ndvdmd.dll
C:\WINDOWS\system32\ucrfaxa.dll
C:\WINDOWS\system32\ir2ql5f51.dll
C:\WINDOWS\system32\krdno1.dll
C:\WINDOWS\system32\mcvcirt.dll
C:\WINDOWS\system32\o0lu0a39ed.dll
C:\WINDOWS\system32\k0pmla711d.dll
C:\WINDOWS\system32\ir4ol5h31.dll
C:\WINDOWS\system32\wiadmoe.dll
C:\WINDOWS\system32\mycbase.dll
C:\WINDOWS\system32\doserial.dll
C:\WINDOWS\system32\oqjsel.dll
C:\WINDOWS\system32\ezcdec.dll
C:\WINDOWS\system32\dn2801fue.dll
C:\WINDOWS\system32\cqfview.dll
C:\WINDOWS\system32\j4j6le1s1h.dll
C:\WINDOWS\system32\ir68l5ju1.dll
C:\WINDOWS\system32\mTpi32.dll
C:\WINDOWS\system32\mawsock.dll
C:\WINDOWS\system32\akivtmxx.dll
C:\WINDOWS\system32\ir0ol5d31.dll
C:\WINDOWS\system32\n28olcl31fq.dll
C:\WINDOWS\system32\l08mlal11dq.dll
C:\WINDOWS\system32\r08slal71dq.dll
C:\WINDOWS\system32\ir08l5du1.dll
C:\WINDOWS\system32\lvl4093qe.dll
C:\WINDOWS\system32\lvpm0971e.dll
C:\WINDOWS\system32\en2ol1f31.dll
C:\WINDOWS\system32\wwnrulesak.dll
C:\WINDOWS\system32\hr0o05d3e.dll
C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\o684lglq16qe.dll
C:\WINDOWS\system32\jHvaprxy.dll
C:\WINDOWS\system32\m0280afued280.dll
C:\WINDOWS\system32\h44mleh11h4.dll
C:\WINDOWS\system32\mv4ul9h91.dll
C:\WINDOWS\system32\h2j40c1qef.dll
C:\WINDOWS\system32\lvn2095oe.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}"=-
"{AB47B844-D0C9-4998-838C-8760882CA1DD}"=-
"{B89D61DB-9A14-4219-A679-5E36C0D0324A}"=-
"{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}"=-
"{97379452-C45B-46C7-866C-F91968BFCC57}"=-
"{481C2BEA-4713-42EB-B537-8849154F72E4}"=-
"{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}"=-
"{284AF703-05F0-49DA-8AA1-129D4DC2A744}"=-
"{2408F199-49FC-444C-BF8F-16BA4A32283D}"=-
"{C50C031D-2DFB-457E-9D1D-0462548D6D38}"=-
"{A82A534D-7E87-4D81-BD72-10E504DA97FC}"=-
"{9E432968-855F-47A9-BFEC-1056386A1962}"=-
"{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}"=-
"{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}"=-
"{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}"=-
"{84A38D76-CE38-4930-9B78-E05CF95D0633}"=-
"{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}"=-
"{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}"=-
"{2F89C6BC-B369-41D2-8B99-33B52A8584A9}"=-
"{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}"=-
"{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}"=-
"{9636402F-BF5E-4AEC-8389-0C874BEADF3C}"=-
"{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}"=-
"{5149B651-3A8A-47A0-BA13-34A2162375D9}"=-
"{121E72D0-B78D-4610-B165-2AB90D8E34B4}"=-
"{F8A0784A-949A-4B0E-8CEB-448B31170A2A}"=-
"{95615436-2354-4D59-B3D4-60134838FC40}"=-
[-HKEY_CLASSES_ROOT\CLSID\{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}]
[-HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}]
[-HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}]
[-HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}]
[-HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}]
[-HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}]
[-HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}]
[-HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}]
[-HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}]
[-HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}]
[-HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}]
[-HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}]
[-HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}]
[-HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}]
[-HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}]
[-HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}]
[-HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}]
[-HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}]
[-HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}]
[-HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}]
[-HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}]
[-HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}]
[-HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}]
[-HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}]
[-HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}]
[-HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 下午 06:26:54, on 2005/2/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

**Pancake** · 02-24-2005, 05:10 PM

Hi
It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order its listed.

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Please do not run HJT on the desktop or a temp folder.In Windows Explorer create new a permanent folder just for HijackThis. C:\HJT is a good folder name..

Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may renable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run Adaware SpyBot (check for updates) for a preliminary cleanup first.Some files below may not be present after running the above programs.Full instructions below.

How to setup Ad-Aware
Download Ad-Aware SE build 1.05

If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | AdAware.
Select <Check for updates now>, <Proceed>
After installation, run the program and click the start button.Then click the next button. This lets ad-aware scan your computer.
After ad-aware is done running, hit the next button. Then right click the area with the listed spy ware objects.Choose the "Select all objects" option.
At this point all the boxes next to the items should be checked. Then hit the next button.
It will ask if you want to delete the selected objects. Hit the Okay button.
Now most of the spyware should have been deleted from your hard drive.

----------------------------------------------------------------------

How to setup Spybot Search & Destroy
Download Spybot

Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
I recommend c:/program files/spybot/
Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
Open Spybot from Start | Programs | Spybot | Spybot S&D
Select <Search for Updates>. Let it install all updates. This is very important!
Select <Immunize>
Select <Check for Problems>
Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
Select <Fix Selected Problems>
Close Spybot//

------------------------------------------------------

First get the LSPFix and run it....To remove winlspak.dll from your winsock layers click the "I know what I'm doing" checkbox and check all the instances of winlspak.dll (and nothing else). Then move checked file/s to the "Remove" pane and click Finish and reboot.

------------------------------------------------------

Files highlighted in BLACK will need to be removed from your hard drive.

Folders that have been highlighted RED will need to be uninstalled.

------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode
------------------------------------------------------------------

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed.

Scey.exe
------------------------------------------------------------------

Uninstall these programs (if they still exist) from Start | Settings | Control Panel | Add/Remove Programs

Jbvlqt

-------------------------------------------------------------------
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/...ab/Hot_net2.CAB
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/...ab/Hot_net2.CAB
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

C:\Program Files\Jbvlqt\Scey.exe
C:\WINDOWS\system32\gpr4l39q1.dll
-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup This will clean out your tempory files.

When finished please get the latest version of HJT v1.99.1 and post a new log......

eric123 · 02-25-2005, 04:19 PM

Thank you My browser now works normally. I really appreciate you help.
here is what I got after I done your suggestion.
Logfile of HijackThis v1.99.1
Scan saved at 上午 01:27:35, on 2005/2/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spybot\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

eric123 · 02-25-2005, 06:25 PM

I would like to install a real-time anti-spyware software to prevent another spyware attack. Could you recommend one for me? Now I have spybot reside in my computer. It would show promt asking you for approval or denial when some changes happen. I dont know which one I should approve and which one I should deny. Could you tell me how to decide? Thank you.

Eric Wu @Taiwan

**Pancake** · 02-25-2005, 06:53 PM

Just a bit more to do..run hjt and fix these items and remove the red folder and file...

O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Post a new log when done.....

To help prevent future spyware installations/infections, please read the anti-spyware section and use the tools provided.

eric123 · 02-26-2005, 06:23 PM

Thank you truly big help
here is the result

Logfile of HijackThis v1.99.1
Scan saved at 上午 10:13:03, on 2005/2/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

**Pancake** · 02-26-2005, 07:31 PM

This file still needs to be deleted and the item removed from the log
.Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process if listed.

O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe

eric123 · 02-28-2005, 10:20 PM

I opened the process manager. I didnt see the process you mentioned. I saved the list and posted below. Did I do anything wrong?
Process list saved on 下午 02:16:27, on 2005/3/1
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
424 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
496 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
540 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
552 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
700 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
860 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.0.37 Symantec Corporation
1204 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1424 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1552 C:\Program Files\Norton AntiVirus\navapsvc.exe 9.0.0.1106 Symantec Corporation
168 C:\WINDOWS\SOUNDMAN.EXE 5.1.0.10 Realtek Semiconductor Corp.
132 C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
228 C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe 1.7.5.617 Neodio Corp.
304 C:\Program Files\Common Files\Symantec Shared\ccApp.exe 1.0.0.106 Symantec Corporation
352 C:\Program Files\QuickTime\qttask.exe 6.5.1.17 Apple Computer, Inc.
372 C:\Program Files\iTunes\iTunesHelper.exe 4.7.1.30 Apple Computer, Inc.
380 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3208 RealNetworks, Inc.
392 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
1396 C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
816 C:\Program Files\spywareguard\SpywareGuard\sgmain.exe 2.2.0.1
1356 C:\Program Files\iPod\bin\iPodService.exe 4.7.1.30 Apple Computer, Inc.
2232 C:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
2476 C:\Program Files\spywareguard\SpywareGuard\sgbhp.exe 2.2.0.1
2504 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
2916 C:\Program Files\Messenger\msmsgs.exe 4.7.0.3001 Microsoft Corporation
2972 C:\HJT\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.

**Pancake** · 02-28-2005, 10:31 PM

Just post a new log please.

eric123 · 03-01-2005, 07:08 PM

Is this log file you want?

Logfile of HijackThis v1.99.1
Scan saved at 上午 11:05:31, on 2005/3/2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\spywareguard\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\spywareguard\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe
C:\HJT\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\spywareguard\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

**Pancake** · 03-01-2005, 07:46 PM

Your log is clear...no bugs.

eric123 · 03-02-2005, 12:59 AM

Many thanks.

02-23-2005, 11:35 PM	#1 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Help I was hijacted My explorer was hijacted. The page would be redirected to 69.20.16.183. Please tell me how to remove this spy ware.

02-24-2005, 02:29 AM	#3 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	I ve done what you said hi I ve done what you said here is the result thank you Logfile of HijackThis v1.99.1 Scan saved at 下午 06:26:54, on 2005/2/24 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R3 - Default URLSearchHook is missing O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11 O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

02-24-2005, 06:28 AM	#5 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi Mr.Pancake Here is what I got. I really appreciate your help. L2MFIX find log 1.02b These are the registry keys present ******************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun.OC] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\j8j60i1se8.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ****************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}"="" ****************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="多媒體檔案內容表" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM 掃描器管理" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS 安全設定頁" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile 內容頁" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="顯示介面卡 CPL 擴充" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="顯示監視器 CPL 擴充" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="顯示面板 CPL 擴充" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="安全設定頁" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="磁碟複製擴充" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM 監視器管理" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM 印表機管理" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="加密內容功能表" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="公事包" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="字型" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC 設定檔" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="印表機安全設定頁" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="網路連線" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="網路連線" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="掃描器與數位相機" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="掃描器與數位相機" "{905667aa-acd6-11d2-8080-00805f6596d2}"="掃描器與數位相機" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="掃描器與數位相機" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="掃描器與數位相機" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft 資料連結" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="排定的工作" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="工作列和 [開始] 功能表" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="搜尋" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="說明及支援" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="說明及支援" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="執行..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="網際網路" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="電子郵件" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="系統管理工具" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="媒體列" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="網址(&A)" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="可存取的" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="網址列分析器" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="網際網路" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX 快取資料夾" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="訂閱資料夾" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ 檔案縮圖解壓縮器" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="摘要資訊縮圖處理器 (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML 縮圖展開程式" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="網頁發佈精靈" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="經由網際網路訂購沖印" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="取得 Passport 精靈" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="頻道檔" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="頻道捷徑" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="離線檔案資訊夾" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="人員(&P)..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"="EditPlus Context Menu Handler" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{2B3453E4-49DF-11D3-8229-0080BE509050}"="GMail Drive" "{2B3453E4-49DF-11D3-8229-0080BE509052}"="GMailFS Property Sheet" "{2B3453E4-49DF-11D3-8229-0080BE509054}"="GMailFS Drop Handler" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}"="" "{AB47B844-D0C9-4998-838C-8760882CA1DD}"="" "{B89D61DB-9A14-4219-A679-5E36C0D0324A}"="" "{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}"="" "{97379452-C45B-46C7-866C-F91968BFCC57}"="" "{481C2BEA-4713-42EB-B537-8849154F72E4}"="" "{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}"="" "{284AF703-05F0-49DA-8AA1-129D4DC2A744}"="" "{2408F199-49FC-444C-BF8F-16BA4A32283D}"="" "{C50C031D-2DFB-457E-9D1D-0462548D6D38}"="" "{A82A534D-7E87-4D81-BD72-10E504DA97FC}"="" "{9E432968-855F-47A9-BFEC-1056386A1962}"="" "{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}"="" "{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}"="" "{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}"="" "{84A38D76-CE38-4930-9B78-E05CF95D0633}"="" "{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}"="" "{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}"="" "{2F89C6BC-B369-41D2-8B99-33B52A8584A9}"="" "{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}"="" "{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}"="" "{9636402F-BF5E-4AEC-8389-0C874BEADF3C}"="" "{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}"="" "{5149B651-3A8A-47A0-BA13-34A2162375D9}"="" "{121E72D0-B78D-4610-B165-2AB90D8E34B4}"="" "{F8A0784A-949A-4B0E-8CEB-448B31170A2A}"="" "{95615436-2354-4D59-B3D4-60134838FC40}"="" ****************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}] @="" [HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}\InprocServer32] @="C:\\WINDOWS\\system32\\ucrfaxa.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}] @="" [HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}\InprocServer32] @="C:\\WINDOWS\\system32\\abtxprxy.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}] @="" [HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}\InprocServer32] @="C:\\WINDOWS\\system32\\cmbcatq.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}] @="" [HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}\InprocServer32] @="C:\\WINDOWS\\system32\\mnprivs.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}] @="" [HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}\InprocServer32] @="C:\\WINDOWS\\system32\\mTpi32.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}] @="" [HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}\InprocServer32] @="C:\\WINDOWS\\system32\\wtpasf.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}] @="" [HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}] @="" [HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}\InprocServer32] @="C:\\WINDOWS\\system32\\dqintf.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}] @="" [HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}\InprocServer32] @="C:\\WINDOWS\\system32\\krdno1.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}] @="" [HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}\InprocServer32] @="C:\\WINDOWS\\system32\\mcvcirt.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}] @="" [HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}] @="" [HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}\InprocServer32] @="C:\\WINDOWS\\system32\\sdxcoins.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}] @="" [HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}] @="" [HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}\InprocServer32] @="C:\\WINDOWS\\system32\\wiadmoe.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}] @="" [HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}\InprocServer32] @="C:\\WINDOWS\\system32\\doserial.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}] @="" [HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}] @="" [HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}] @="" [HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}\InprocServer32] @="C:\\WINDOWS\\system32\\jHvaprxy.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}] @="" [HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}\InprocServer32] @="C:\\WINDOWS\\system32\\ndvdmd.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}] @="" [HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}\InprocServer32] @="C:\\WINDOWS\\system32\\oqjsel.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}] @="" [HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}] @="" [HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}\InprocServer32] @="C:\\WINDOWS\\system32\\ezcdec.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}] @="" [HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}\InprocServer32] @="C:\\WINDOWS\\system32\\cqfview.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}] @="" [HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}\InprocServer32] @="C:\\WINDOWS\\system32\\akivtmxx.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}] @="" [HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}\InprocServer32] @="C:\\WINDOWS\\system32\\mawsock.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}] @="" [HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}\InprocServer32] @="C:\\WINDOWS\\system32\\wep.dll" "ThreadingModel"="Apartment" ****************************************************************************** Files Found are not all bad files: Locate .tmp files: ******************************************************************************** Directory Listing of system files: 磁碟區 C 中的磁碟沒有標籤。磁碟區序號: 2039-190E C:\WINDOWS\System32 的目錄 2005/02/24 下午 10:09 231,798 azau0a39ed.dll 2005/02/24 下午 10:02 231,798 j8j60i1se8.dll 2005/02/24 下午 08:44 231,798 mv4ul9h91.dll 2005/02/24 下午 01:36 231,798 ir08l5du1.dll 2005/02/24 上午 09:11 231,798 h2j40c1qef.dll 2005/02/24 上午 07:51 232,008 h44mleh11h4.dll 2005/02/24 上午 07:31 231,798 akivtmxx.dll 2005/02/23 下午 11:39 230,818 o684lglq16qe.dll 2005/02/23 下午 07:56 230,365 m0280afued280.dll 2005/02/23 上午 10:16 230,766 hr0o05d3e.dll 2005/02/23 上午 10:03 230,715 ir6ml5j11.dll 2005/02/23 上午 08:46 228,979 en2ol1f31.dll 2005/02/23 上午 01:15 229,051 lvpm0971e.dll 2005/02/23 上午 01:00 229,230 lvl4093qe.dll 2005/02/22 下午 09:33 228,872 wwnrulesak.dll 2005/02/22 下午 09:01 228,872 ir0ol5d31.dll 2005/02/22 下午 08:43 228,872 r08slal71dq.dll 2005/02/22 下午 04:02 231,625 n28olcl31fq.dll 2005/02/22 上午 11:21 228,872 l08mlal11dq.dll 2005/02/22 上午 09:51 231,625 ir68l5ju1.dll 2005/02/22 上午 08:32 228,872 ir4ol5h31.dll 2005/02/21 下午 12:21 229,806 k0pmla711d.dll 2005/02/21 下午 12:14 228,787 ir2ql5f51.dll 2005/02/21 上午 11:15 229,806 o0lu0a39ed.dll 2005/02/21 上午 09:32 230,401 j4j6le1s1h.dll 2005/02/21 上午 09:10 231,625 dn2801fue.dll 2004/09/18 下午 01:50 32 {F5787646-0AE5-489E-93B1-9FEF8386C19D}.dat 2004/03/25 下午 08:41 32 {76AD4C99-DCA8-4DB2-BD4D-E2BF6BEF0951}.dat 2004/03/25 下午 08:00 <DIR> Microsoft 2004/03/25 下午 07:04 <DIR> dllcache 28 個檔案 5,990,819 位元組 2 個目錄 15,414,951,936 位元組可用

02-24-2005, 04:37 PM	#7 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi There Here is the result thank you for help the new log L2Mfix 1.02b Running From: C:\Documents and Settings\Eric\桌面\l2mfix RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting registry permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Denying C access for really "Everyone" - adding new ACCESS DENY entry Registry Permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (CI) DENY --C------- Everyone (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting up for Reboot Starting Reboot! C:\Documents and Settings\Eric\桌面\l2mfix System Rebooted! Running From: C:\Documents and Settings\Eric\桌面\l2mfix killing explorer and rundll32.exe Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 240 'explorer.exe' Killing PID 240 'explorer.exe' Killing PID 240 'explorer.exe' Killing PID 240 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Error, Cannot find a process with an image name of rundll32.exe Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Backing Up: C:\WINDOWS\system32\wtpasf.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\dbnhupnp.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mnprivs.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\dqintf.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ndvdmd.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ucrfaxa.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir2ql5f51.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\krdno1.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mcvcirt.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\o0lu0a39ed.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\k0pmla711d.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir4ol5h31.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\wiadmoe.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mycbase.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\doserial.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\oqjsel.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ezcdec.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\dn2801fue.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\cqfview.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\j4j6le1s1h.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir68l5ju1.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mTpi32.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mawsock.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\akivtmxx.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir0ol5d31.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\n28olcl31fq.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\l08mlal11dq.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\r08slal71dq.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir08l5du1.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\lvl4093qe.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\lvpm0971e.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\en2ol1f31.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\wwnrulesak.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\hr0o05d3e.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\o684lglq16qe.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\jHvaprxy.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\m0280afued280.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\h44mleh11h4.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\mv4ul9h91.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\h2j40c1qef.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\lvn2095oe.dll 複製了 1 個檔案。 Backing Up: C:\WINDOWS\system32\guard.tmp 複製了 1 個檔案。 deleting: C:\WINDOWS\system32\wtpasf.dll Successfully Deleted: C:\WINDOWS\system32\wtpasf.dll deleting: C:\WINDOWS\system32\dbnhupnp.dll Successfully Deleted: C:\WINDOWS\system32\dbnhupnp.dll deleting: C:\WINDOWS\system32\mnprivs.dll Successfully Deleted: C:\WINDOWS\system32\mnprivs.dll deleting: C:\WINDOWS\system32\dqintf.dll Successfully Deleted: C:\WINDOWS\system32\dqintf.dll deleting: C:\WINDOWS\system32\ndvdmd.dll Successfully Deleted: C:\WINDOWS\system32\ndvdmd.dll deleting: C:\WINDOWS\system32\ucrfaxa.dll Successfully Deleted: C:\WINDOWS\system32\ucrfaxa.dll deleting: C:\WINDOWS\system32\ir2ql5f51.dll Successfully Deleted: C:\WINDOWS\system32\ir2ql5f51.dll deleting: C:\WINDOWS\system32\krdno1.dll Successfully Deleted: C:\WINDOWS\system32\krdno1.dll deleting: C:\WINDOWS\system32\mcvcirt.dll Successfully Deleted: C:\WINDOWS\system32\mcvcirt.dll deleting: C:\WINDOWS\system32\o0lu0a39ed.dll Successfully Deleted: C:\WINDOWS\system32\o0lu0a39ed.dll deleting: C:\WINDOWS\system32\k0pmla711d.dll Successfully Deleted: C:\WINDOWS\system32\k0pmla711d.dll deleting: C:\WINDOWS\system32\ir4ol5h31.dll Successfully Deleted: C:\WINDOWS\system32\ir4ol5h31.dll deleting: C:\WINDOWS\system32\wiadmoe.dll Successfully Deleted: C:\WINDOWS\system32\wiadmoe.dll deleting: C:\WINDOWS\system32\mycbase.dll Successfully Deleted: C:\WINDOWS\system32\mycbase.dll deleting: C:\WINDOWS\system32\doserial.dll Successfully Deleted: C:\WINDOWS\system32\doserial.dll deleting: C:\WINDOWS\system32\oqjsel.dll Successfully Deleted: C:\WINDOWS\system32\oqjsel.dll deleting: C:\WINDOWS\system32\ezcdec.dll Successfully Deleted: C:\WINDOWS\system32\ezcdec.dll deleting: C:\WINDOWS\system32\dn2801fue.dll Successfully Deleted: C:\WINDOWS\system32\dn2801fue.dll deleting: C:\WINDOWS\system32\cqfview.dll Successfully Deleted: C:\WINDOWS\system32\cqfview.dll deleting: C:\WINDOWS\system32\j4j6le1s1h.dll Successfully Deleted: C:\WINDOWS\system32\j4j6le1s1h.dll deleting: C:\WINDOWS\system32\ir68l5ju1.dll Successfully Deleted: C:\WINDOWS\system32\ir68l5ju1.dll deleting: C:\WINDOWS\system32\mTpi32.dll Successfully Deleted: C:\WINDOWS\system32\mTpi32.dll deleting: C:\WINDOWS\system32\mawsock.dll Successfully Deleted: C:\WINDOWS\system32\mawsock.dll deleting: C:\WINDOWS\system32\akivtmxx.dll Successfully Deleted: C:\WINDOWS\system32\akivtmxx.dll deleting: C:\WINDOWS\system32\ir0ol5d31.dll Successfully Deleted: C:\WINDOWS\system32\ir0ol5d31.dll deleting: C:\WINDOWS\system32\n28olcl31fq.dll Successfully Deleted: C:\WINDOWS\system32\n28olcl31fq.dll deleting: C:\WINDOWS\system32\l08mlal11dq.dll Successfully Deleted: C:\WINDOWS\system32\l08mlal11dq.dll deleting: C:\WINDOWS\system32\r08slal71dq.dll Successfully Deleted: C:\WINDOWS\system32\r08slal71dq.dll deleting: C:\WINDOWS\system32\ir08l5du1.dll Successfully Deleted: C:\WINDOWS\system32\ir08l5du1.dll deleting: C:\WINDOWS\system32\lvl4093qe.dll Successfully Deleted: C:\WINDOWS\system32\lvl4093qe.dll deleting: C:\WINDOWS\system32\lvpm0971e.dll Successfully Deleted: C:\WINDOWS\system32\lvpm0971e.dll deleting: C:\WINDOWS\system32\en2ol1f31.dll Successfully Deleted: C:\WINDOWS\system32\en2ol1f31.dll deleting: C:\WINDOWS\system32\wwnrulesak.dll Successfully Deleted: C:\WINDOWS\system32\wwnrulesak.dll deleting: C:\WINDOWS\system32\hr0o05d3e.dll Successfully Deleted: C:\WINDOWS\system32\hr0o05d3e.dll deleting: C:\WINDOWS\system32\ir6ml5j11.dll Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll deleting: C:\WINDOWS\system32\o684lglq16qe.dll Successfully Deleted: C:\WINDOWS\system32\o684lglq16qe.dll deleting: C:\WINDOWS\system32\jHvaprxy.dll Successfully Deleted: C:\WINDOWS\system32\jHvaprxy.dll deleting: C:\WINDOWS\system32\m0280afued280.dll Successfully Deleted: C:\WINDOWS\system32\m0280afued280.dll deleting: C:\WINDOWS\system32\h44mleh11h4.dll Successfully Deleted: C:\WINDOWS\system32\h44mleh11h4.dll deleting: C:\WINDOWS\system32\mv4ul9h91.dll Successfully Deleted: C:\WINDOWS\system32\mv4ul9h91.dll deleting: C:\WINDOWS\system32\h2j40c1qef.dll Successfully Deleted: C:\WINDOWS\system32\h2j40c1qef.dll deleting: C:\WINDOWS\system32\lvn2095oe.dll Successfully Deleted: C:\WINDOWS\system32\lvn2095oe.dll deleting: C:\WINDOWS\system32\guard.tmp Successfully Deleted: C:\WINDOWS\system32\guard.tmp Desktop.ini sucessfully removed Zipping up files for submission: adding: wtpasf.dll (deflated 5%) adding: dbnhupnp.dll (deflated 4%) adding: mnprivs.dll (deflated 5%) adding: dqintf.dll (deflated 5%) adding: ndvdmd.dll (deflated 5%) adding: ucrfaxa.dll (deflated 5%) adding: ir2ql5f51.dll (deflated 4%) adding: krdno1.dll (deflated 4%) adding: mcvcirt.dll (deflated 5%) adding: o0lu0a39ed.dll (deflated 5%) adding: k0pmla711d.dll (deflated 5%) adding: ir4ol5h31.dll (deflated 4%) adding: wiadmoe.dll (deflated 5%) adding: mycbase.dll (deflated 4%) adding: doserial.dll (deflated 4%) adding: oqjsel.dll (deflated 5%) adding: ezcdec.dll (deflated 5%) adding: dn2801fue.dll (deflated 5%) adding: cqfview.dll (deflated 5%) adding: j4j6le1s1h.dll (deflated 5%) adding: ir68l5ju1.dll (deflated 5%) adding: mTpi32.dll (deflated 4%) adding: mawsock.dll (deflated 6%) adding: akivtmxx.dll (deflated 6%) adding: ir0ol5d31.dll (deflated 4%) adding: n28olcl31fq.dll (deflated 5%) adding: l08mlal11dq.dll (deflated 4%) adding: r08slal71dq.dll (deflated 4%) adding: ir08l5du1.dll (deflated 6%) adding: lvl4093qe.dll (deflated 5%) adding: lvpm0971e.dll (deflated 4%) adding: en2ol1f31.dll (deflated 4%) adding: wwnrulesak.dll (deflated 4%) adding: hr0o05d3e.dll (deflated 5%) adding: ir6ml5j11.dll (deflated 5%) adding: o684lglq16qe.dll (deflated 5%) adding: jHvaprxy.dll (deflated 5%) adding: m0280afued280.dll (deflated 5%) adding: h44mleh11h4.dll (deflated 6%) adding: mv4ul9h91.dll (deflated 6%) adding: h2j40c1qef.dll (deflated 6%) adding: lvn2095oe.dll (deflated 6%) adding: guard.tmp (deflated 6%) adding: echo.reg (deflated 5%) adding: clear.reg (deflated 71%) adding: desktop.ini (deflated 15%) adding: readme.txt (deflated 49%) adding: direct.txt (stored 0%) adding: lo2.txt (deflated 84%) adding: test2.txt (deflated 49%) adding: test3.txt (deflated 49%) adding: test5.txt (deflated 49%) adding: test.txt (deflated 81%) adding: xfind.txt (deflated 76%) adding: backregs/shell.reg (deflated 71%) adding: backregs/AB47B844-D0C9-4998-838C-8760882CA1DD.reg (deflated 70%) adding: backregs/B89D61DB-9A14-4219-A679-5E36C0D0324A.reg (deflated 70%) adding: backregs/0FE8608C-2370-41AA-A9F9-EAB8D93E07EA.reg (deflated 70%) adding: backregs/97379452-C45B-46C7-866C-F91968BFCC57.reg (deflated 70%) adding: backregs/481C2BEA-4713-42EB-B537-8849154F72E4.reg (deflated 70%) adding: backregs/8C59129F-6C36-4B07-AF69-4E5DDF5CF617.reg (deflated 70%) adding: backregs/284AF703-05F0-49DA-8AA1-129D4DC2A744.reg (deflated 70%) adding: backregs/2408F199-49FC-444C-BF8F-16BA4A32283D.reg (deflated 70%) adding: backregs/C50C031D-2DFB-457E-9D1D-0462548D6D38.reg (deflated 70%) adding: backregs/A82A534D-7E87-4D81-BD72-10E504DA97FC.reg (deflated 70%) adding: backregs/9E432968-855F-47A9-BFEC-1056386A1962.reg (deflated 70%) adding: backregs/884C6471-F25D-4EF0-92FA-EFF4F55D1B3C.reg (deflated 70%) adding: backregs/5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686.reg (deflated 70%) adding: backregs/1AB12896-1F2B-416E-A4A7-7F662F5C3B4E.reg (deflated 70%) adding: backregs/84A38D76-CE38-4930-9B78-E05CF95D0633.reg (deflated 70%) adding: backregs/6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA.reg (deflated 70%) adding: backregs/8258DC11-9079-4D6F-AE43-7C5DF31DEA80.reg (deflated 70%) adding: backregs/2F89C6BC-B369-41D2-8B99-33B52A8584A9.reg (deflated 70%) adding: backregs/331A41D9-F89B-46E2-AFD1-CAAA5F392F0B.reg (deflated 70%) adding: backregs/C4B4D43E-D057-45A0-AF0E-9FA41EE08904.reg (deflated 70%) adding: backregs/9636402F-BF5E-4AEC-8389-0C874BEADF3C.reg (deflated 70%) adding: backregs/2841BEB3-CCFB-4E50-B15F-CFB325F161A0.reg (deflated 70%) adding: backregs/5149B651-3A8A-47A0-BA13-34A2162375D9.reg (deflated 70%) adding: backregs/121E72D0-B78D-4610-B165-2AB90D8E34B4.reg (deflated 70%) adding: backregs/F8A0784A-949A-4B0E-8CEB-448B31170A2A.reg (deflated 70%) adding: backregs/95615436-2354-4D59-B3D4-60134838FC40.reg (deflated 70%) Restoring Registry Permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Revoking access for really "Everyone" Registry permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful deleting local copy: wtpasf.dll deleting local copy: dbnhupnp.dll deleting local copy: mnprivs.dll deleting local copy: dqintf.dll deleting local copy: ndvdmd.dll deleting local copy: ucrfaxa.dll deleting local copy: ir2ql5f51.dll deleting local copy: krdno1.dll deleting local copy: mcvcirt.dll deleting local copy: o0lu0a39ed.dll deleting local copy: k0pmla711d.dll deleting local copy: ir4ol5h31.dll deleting local copy: wiadmoe.dll deleting local copy: mycbase.dll deleting local copy: doserial.dll deleting local copy: oqjsel.dll deleting local copy: ezcdec.dll deleting local copy: dn2801fue.dll deleting local copy: cqfview.dll deleting local copy: j4j6le1s1h.dll deleting local copy: ir68l5ju1.dll deleting local copy: mTpi32.dll deleting local copy: mawsock.dll deleting local copy: akivtmxx.dll deleting local copy: ir0ol5d31.dll deleting local copy: n28olcl31fq.dll deleting local copy: l08mlal11dq.dll deleting local copy: r08slal71dq.dll deleting local copy: ir08l5du1.dll deleting local copy: lvl4093qe.dll deleting local copy: lvpm0971e.dll deleting local copy: en2ol1f31.dll deleting local copy: wwnrulesak.dll deleting local copy: hr0o05d3e.dll deleting local copy: ir6ml5j11.dll deleting local copy: o684lglq16qe.dll deleting local copy: jHvaprxy.dll deleting local copy: m0280afued280.dll deleting local copy: h44mleh11h4.dll deleting local copy: mv4ul9h91.dll deleting local copy: h2j40c1qef.dll deleting local copy: lvn2095oe.dll deleting local copy: guard.tmp The following Is the Current Export of the Winlogon notify key: ************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: ************************************************************************ C:\WINDOWS\system32\wtpasf.dll C:\WINDOWS\system32\dbnhupnp.dll C:\WINDOWS\system32\mnprivs.dll C:\WINDOWS\system32\dqintf.dll C:\WINDOWS\system32\ndvdmd.dll C:\WINDOWS\system32\ucrfaxa.dll C:\WINDOWS\system32\ir2ql5f51.dll C:\WINDOWS\system32\krdno1.dll C:\WINDOWS\system32\mcvcirt.dll C:\WINDOWS\system32\o0lu0a39ed.dll C:\WINDOWS\system32\k0pmla711d.dll C:\WINDOWS\system32\ir4ol5h31.dll C:\WINDOWS\system32\wiadmoe.dll C:\WINDOWS\system32\mycbase.dll C:\WINDOWS\system32\doserial.dll C:\WINDOWS\system32\oqjsel.dll C:\WINDOWS\system32\ezcdec.dll C:\WINDOWS\system32\dn2801fue.dll C:\WINDOWS\system32\cqfview.dll C:\WINDOWS\system32\j4j6le1s1h.dll C:\WINDOWS\system32\ir68l5ju1.dll C:\WINDOWS\system32\mTpi32.dll C:\WINDOWS\system32\mawsock.dll C:\WINDOWS\system32\akivtmxx.dll C:\WINDOWS\system32\ir0ol5d31.dll C:\WINDOWS\system32\n28olcl31fq.dll C:\WINDOWS\system32\l08mlal11dq.dll C:\WINDOWS\system32\r08slal71dq.dll C:\WINDOWS\system32\ir08l5du1.dll C:\WINDOWS\system32\lvl4093qe.dll C:\WINDOWS\system32\lvpm0971e.dll C:\WINDOWS\system32\en2ol1f31.dll C:\WINDOWS\system32\wwnrulesak.dll C:\WINDOWS\system32\hr0o05d3e.dll C:\WINDOWS\system32\ir6ml5j11.dll C:\WINDOWS\system32\o684lglq16qe.dll C:\WINDOWS\system32\jHvaprxy.dll C:\WINDOWS\system32\m0280afued280.dll C:\WINDOWS\system32\h44mleh11h4.dll C:\WINDOWS\system32\mv4ul9h91.dll C:\WINDOWS\system32\h2j40c1qef.dll C:\WINDOWS\system32\lvn2095oe.dll C:\WINDOWS\system32\guard.tmp Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. ************************************************************************ REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}"=- "{AB47B844-D0C9-4998-838C-8760882CA1DD}"=- "{B89D61DB-9A14-4219-A679-5E36C0D0324A}"=- "{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}"=- "{97379452-C45B-46C7-866C-F91968BFCC57}"=- "{481C2BEA-4713-42EB-B537-8849154F72E4}"=- "{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}"=- "{284AF703-05F0-49DA-8AA1-129D4DC2A744}"=- "{2408F199-49FC-444C-BF8F-16BA4A32283D}"=- "{C50C031D-2DFB-457E-9D1D-0462548D6D38}"=- "{A82A534D-7E87-4D81-BD72-10E504DA97FC}"=- "{9E432968-855F-47A9-BFEC-1056386A1962}"=- "{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}"=- "{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}"=- "{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}"=- "{84A38D76-CE38-4930-9B78-E05CF95D0633}"=- "{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}"=- "{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}"=- "{2F89C6BC-B369-41D2-8B99-33B52A8584A9}"=- "{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}"=- "{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}"=- "{9636402F-BF5E-4AEC-8389-0C874BEADF3C}"=- "{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}"=- "{5149B651-3A8A-47A0-BA13-34A2162375D9}"=- "{121E72D0-B78D-4610-B165-2AB90D8E34B4}"=- "{F8A0784A-949A-4B0E-8CEB-448B31170A2A}"=- "{95615436-2354-4D59-B3D4-60134838FC40}"=- [-HKEY_CLASSES_ROOT\CLSID\{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}] [-HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}] [-HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}] [-HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}] [-HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}] [-HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}] [-HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}] [-HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}] [-HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}] [-HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}] [-HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}] [-HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}] [-HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}] [-HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}] [-HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}] [-HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}] [-HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}] [-HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}] [-HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}] [-HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}] [-HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}] [-HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}] [-HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}] [-HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}] [-HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}] [-HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}] [-HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}] REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}"=- "SV1"="" ************************************************************************ Desktop.ini Contents: ************************************************************************ [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} <IDone>{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}</IDone> <IDtwo>VT00</IDtwo> <VERSION>200</VERSION> ************************************************************************** HJT LOG Logfile of HijackThis v1.99.1 Scan saved at 下午 06:26:54, on 2005/2/24 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R3 - Default URLSearchHook is missing O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11 O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

02-25-2005, 04:19 PM	#9 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi Mr.Pancake Thank you My browser now works normally. I really appreciate you help. here is what I got after I done your suggestion. Logfile of HijackThis v1.99.1 Scan saved at 上午 01:27:35, on 2005/2/26 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\HJT\HijackThis.exe R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spybot\Spybot - Search & Destroy\TeaTimer.exe O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

02-24-2005, 12:18 AM	#2 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Hi... Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us best determine if there is any spyware/malware on your computer.

02-24-2005, 04:21 AM	#4 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Hi.. First get the LSPFix and run it....To remove winlspak.dll from your winsock layers click the "I know what I'm doing" checkbox and check all the instances of winlspak.dll (and nothing else). Then move checked file/s to the "Remove" pane and click Finish and reboot. When that is done we need to fix this 01 Host VX2 Trojan so download L2mfix Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This scan takes time to complete, then notepad will open with a log. Copy the contents of that log and paste it here Please Do NOT run option #2 OR any other files in the l2mfix folder until told to.

02-24-2005, 05:10 PM	#8 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Hi It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order its listed. Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes. Please do not run HJT on the desktop or a temp folder.In Windows Explorer create new a permanent folder just for HijackThis. C:\HJT is a good folder name.. Turn off System Restore instructions (WinXP) Rightclick My Computer \| Properties \| System Restore \| check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may renable System Restore and create a new restore point. SHOW HIDDEN FILES AND FOLDERS. To show hidden files instructions (WinXP) Doubleclick My Computer \| Tools \| Folder Options \| View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders \| Yes \| Apply \| OK ------------------------------------------------------------------ Download and run Adaware SpyBot (check for updates) for a preliminary cleanup first.Some files below may not be present after running the above programs.Full instructions below. How to setup Ad-Aware Download Ad-Aware SE build 1.05 If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/ Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory. Open AdAware from Start \| Programs \| Lavasoft \| AdAware. Select <Check for updates now>, <Proceed> After installation, run the program and click the start button.Then click the next button. This lets ad-aware scan your computer. After ad-aware is done running, hit the next button. Then right click the area with the listed spy ware objects.Choose the "Select all objects" option. At this point all the boxes next to the items should be checked. Then hit the next button. It will ask if you want to delete the selected objects. Hit the Okay button. Now most of the spyware should have been deleted from your hard drive. ---------------------------------------------------------------------- How to setup Spybot Search & Destroy Download Spybot Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/spybot/ Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory. Open Spybot from Start \| Programs \| Spybot \| Spybot S&D Select <Search for Updates>. Let it install all updates. This is very important! Select <Immunize> Select <Check for Problems> Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it. Select <Fix Selected Problems> Close Spybot// ------------------------------------------------------ First get the LSPFix and run it....To remove winlspak.dll from your winsock layers click the "I know what I'm doing" checkbox and check all the instances of winlspak.dll (and nothing else). Then move checked file/s to the "Remove" pane and click Finish and reboot. ------------------------------------------------------ Files highlighted in BLACK will need to be removed from your hard drive. Folders that have been highlighted RED will need to be uninstalled. ------------------------------------------------------------------ Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode ------------------------------------------------------------------ Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed. Scey.exe ------------------------------------------------------------------ Uninstall these programs (if they still exist) from Start \| Settings \| Control Panel \| Add/Remove Programs Jbvlqt ------------------------------------------------------------------- Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT. R3 - Default URLSearchHook is missing O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/...ab/Hot_net2.CAB O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/...ab/Hot_net2.CAB O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing) ------------------------------------------------------------------ Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed). C:\Program Files\Jbvlqt\Scey.exe C:\WINDOWS\system32\gpr4l39q1.dll ------------------------------------------------------------------- Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup This will clean out your tempory files. When finished please get the latest version of HJT v1.99.1 and post a new log......

02-25-2005, 06:25 PM	#10 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi again I would like to install a real-time anti-spyware software to prevent another spyware attack. Could you recommend one for me? Now I have spybot reside in my computer. It would show promt asking you for approval or denial when some changes happen. I dont know which one I should approve and which one I should deny. Could you tell me how to decide? Thank you. Eric Wu @Taiwan

02-25-2005, 06:53 PM	#11 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Just a bit more to do..run hjt and fix these items and remove the red folder and file... O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing) Post a new log when done..... To help prevent future spyware installations/infections, please read the anti-spyware section and use the tools provided. __________________ Eddy

02-26-2005, 06:23 PM	#12 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi Mr.Pancake Thank you truly big help here is the result Logfile of HijackThis v1.99.1 Scan saved at 上午 10:13:03, on 2005/2/27 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\system32\notepad.exe C:\HJT\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} - O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

02-26-2005, 07:31 PM	#13 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	This file still needs to be deleted and the item removed from the log .Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process if listed. O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe __________________ Eddy

02-28-2005, 10:20 PM	#14 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi There I opened the process manager. I didnt see the process you mentioned. I saved the list and posted below. Did I do anything wrong? Process list saved on 下午 02:16:27, on 2005/3/1 Platform: Windows XP SP2 (WinNT 5.01.2600) [pid] [full path to filename] [file version] [company name] 424 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation 496 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation 540 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation 552 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation 700 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation 860 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation 1052 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.0.37 Symantec Corporation 1204 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation 1424 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation 1552 C:\Program Files\Norton AntiVirus\navapsvc.exe 9.0.0.1106 Symantec Corporation 168 C:\WINDOWS\SOUNDMAN.EXE 5.1.0.10 Realtek Semiconductor Corp. 132 C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe 228 C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe 1.7.5.617 Neodio Corp. 304 C:\Program Files\Common Files\Symantec Shared\ccApp.exe 1.0.0.106 Symantec Corporation 352 C:\Program Files\QuickTime\qttask.exe 6.5.1.17 Apple Computer, Inc. 372 C:\Program Files\iTunes\iTunesHelper.exe 4.7.1.30 Apple Computer, Inc. 380 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3208 RealNetworks, Inc. 392 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation 1396 C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe 816 C:\Program Files\spywareguard\SpywareGuard\sgmain.exe 2.2.0.1 1356 C:\Program Files\iPod\bin\iPodService.exe 4.7.1.30 Apple Computer, Inc. 2232 C:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation 2476 C:\Program Files\spywareguard\SpywareGuard\sgbhp.exe 2.2.0.1 2504 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation 2916 C:\Program Files\Messenger\msmsgs.exe 4.7.0.3001 Microsoft Corporation 2972 C:\HJT\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.

02-28-2005, 10:31 PM	#15 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Just post a new log please. __________________ Eddy

03-01-2005, 07:08 PM	#16 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi There Is this log file you want? Logfile of HijackThis v1.99.1 Scan saved at 上午 11:05:31, on 2005/3/2 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\spywareguard\SpywareGuard\sgmain.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\Program Files\spywareguard\SpywareGuard\sgbhp.exe C:\HJT\HijackThis.exe C:\HJT\HijackThis.exe O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\spywareguard\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} - O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

03-01-2005, 07:46 PM	#17 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Your log is clear...no bugs. __________________ Eddy

03-02-2005, 12:59 AM	#18 (permalink)
eric123 Registered User Join Date: Feb 2005 Posts: 10 OS: Win XP Home edition	Hi Many thanks.