Help! I did it to myself!

mtporter · 11-29-2005, 06:55 PM

I cannot get my computer to restart, it sits idle at Windows is starting.

here is my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:57 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [imoz] C:\PROGRA~1\COMMON~1\imoz\imozm.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\m6julg1916.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\jhehipfd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

sUBs · 11-30-2005, 02:05 AM

Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder, double click l2mfix.bat
Select option #2 for Run Fix by typing 2 and then pressing enter.

Your desktop and icons will disappear as L2mfix scans/disinfects your computer.
When finished, you will be required to press any key to automatically reboot.
On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

smitRem.exe - extract it to it's own folder.

Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

With HiJackThis & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [imoz] C:\PROGRA~1\COMMON~1\imoz\imozm.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\m6julg1916.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\jhehipfd.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:

Cram Toolbar

Please note any other programs that you dont recognize in that list in your next response

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following files/folders, if present:

c:\secure32.html
C:\Program Files\Cram Toolbar\
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\inet20003\
C:\WINDOWS\system32\igps.exe
c:\windows\timessquare.exe
C:\winstall.exe
C:\PROGRA~1\COMMON~1\imoz
C:\Program Files\SpySheriff\
C:\WINDOWS\system32\msctl32.dll
C:\WINDOWS\system32\jhehipfd.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Prompt to update outdated definitions - set the number of days = 7
Click on the Scanning button on the left and select in green:
- Scan Within Archives
- Under Select drives & folders to scan:
  - choose all hard drives
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
Click on the Advanced button on the left and select in green:
- Move deleted files to recycle bin
- include addtional object information
- DeSelect - include negligible objects information
- Don't log streams smaller than 0 bytes
- Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak button:
1. Under Scanning Engine:
  - Unload recognized processes during scanning
  - Ignore spanned files when scanning cab archives
  - Scan registry for all users instead of current user only
2. Under Cleaning Engine:
  - Let Windows remove files in use at next reboot
3. Under Log Files:
  - Include basic Ad-aware SE settings in logfile
  - Include additional Ad-aware SE settings in logfile
  - Include computer & username in logfile
  - Please DeSelect: Include Module list in logfile

2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Double-click the tmas-web-scan.exe icon
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

Online Scan

Ewido

Smitfile.txt

L2Mfix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

mtporter · 11-30-2005, 03:32 AM

Ok, I did the HJT deletions, and uninstalled Cram Toobar as well found all files and deleted those except:

C:\WINDOWS\system32\msctl32.dll

It didn't allow me to delete.

I did this all in Safe Mode and as well ran cleanup and rebooted but I still get 'Windows is starting up' and it stops there. I cannot connect to the Net via Safe Mode in order to download the other fixes.

MicroBell · 11-30-2005, 04:00 AM

Did you run any of the tools...or just the fix things with hijackthis? If you just fixed things...that won't cut it. The tools need to be run. Download them from another PC and move them to the infected PC.

You'll likely have to hold off on running L2MFix as it will error out in safe mode...but run the others.

mtporter · 11-30-2005, 04:13 PM

Incident Status Location

Virus:Trj/Agent.AWK Not disinfected C:\contextplus.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\Cache\59AE4C3Bd01[crack.exe]
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe
Adware:Adware/ISearch Not disinfected C:\mte3ndi6odoxng.exe
Adware:Adware/Sqwire Not disinfected C:\stub_113_4_0_4_0.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\ms1.exe
Adware:Adware/Redswoosh Not disinfected C:\WINDOWS\RSEDNClientUninstaller.exe
Adware:Adware/Secure32 Not disinfected C:\WINDOWS\secure32.html
Virus:Trj/Spabot.Y Not disinfected C:\WINDOWS\SYSTEM32\child.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\SYSTEM32\gjcbhpan.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/msctl32 Not disinfected C:\WINDOWS\SYSTEM32\msctl32.dll
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\tool2.exe
Virus:Bck/Galapoper.FS Not disinfected C:\WINDOWS\tool3.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\tool5.exe
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\toolbar.exe

mtporter · 11-30-2005, 04:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:16:18 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLHOS~1.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kt26l7fs1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

mtporter · 11-30-2005, 04:18 PM

Every few minutes I'm getting pop ups like crazy!!! In Nescape and MSIE. I use to have Google's pop up blocker, but now they require it to be installed in Firefox.

sUBs · 11-30-2005, 04:23 PM

Please recount which part of my earlier instructions you have managed to carry out.

Also let me know if all the tools are downloaded to your machine.

Are you still stuck in Safe Mode?

mtporter · 11-30-2005, 04:42 PM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:43:19 PM, 11/30/2005
+ Report-Checksum: 21DE2A97

+ Scan result:

[1256] C:\WINDOWS\system32\wkvcore2.dll -> Spyware.Look2Me : Error during cleaning
[3516] C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup

::Report End

mtporter · 11-30-2005, 04:43 PM

Not in safe mode! Sorry, forgot to mention that.
Ran all the tools...
I'm now running again to get fresh log files and then I'm posting in here.
Yes, all tools downloaded

mtporter · 11-30-2005, 04:49 PM

Checking for L2MFix account(0=no 1=yes):
0
Checking for L2MFix account(0=no 1=yes):
0

sUBs · 11-30-2005, 04:51 PM

Post a new HJT log now

mtporter · 11-30-2005, 04:56 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:57:55 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLHOS~1.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\a2\a2guard.exe
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: ExtShellViews - C:\WINDOWS\system32\lvju0919e.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

sUBs · 11-30-2005, 05:02 PM

Have Hijackhis fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js)

The run L2Mfix's option #1 & post the resultant log.
DO NOT REBOOT YOUR COMPUTER AFTER YOU HAVE POSTED THE LOG

Did you manage to run the smitRem tool whilst in Safe Mode? If so, it should produce a log called smitfiles.txt located at Drive C

mtporter · 11-30-2005, 05:08 PM

I got to go somewhere for a few hours but I'll be back. Here is the log file:

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvju0919e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{665423F6-985C-E1A0-4E5A-AC2B3F9F710A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}"="Name Space Control Band"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.lnk"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{4F37EF96-38E8-45B9-A65E-E599E45A758E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\InprocServer32]
@="C:\\WINDOWS\\system32\\vnr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
child.dll Tue Nov 29 2005 5:53:28p A.... 14,336 14.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
hp2023~1.dll Wed Nov 30 2005 3:53:22p ..S.R 234,272 228.78 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
lvju09~1.dll Wed Nov 30 2005 6:47:50p ..S.R 236,818 231.27 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
o0ro0a~1.dll Wed Nov 30 2005 6:48:50p ..S.R 235,899 230.37 K
pncrt.dll Sun Nov 20 2005 8:47:18p A.... 278,528 272.00 K
pndx5032.dll Mon Nov 21 2005 6:01:02p A.... 5,632 5.50 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
sndmix.dll Tue Nov 29 2005 5:53:14p A.... 57,344 56.00 K
ssldr32.dll Tue Nov 29 2005 5:53:22p A.... 10,240 10.00 K
stodperf.dll Tue Nov 29 2005 5:54:20p A.... 45,056 44.00 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vnr.dll Wed Nov 30 2005 6:55:34p ..S.R 236,818 231.27 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K

29 items found: 29 files (4 H/S), 0 directories.
Total of file sizes: 22,391,487 bytes 21.35 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7044-3AFA

Directory of C:\WINDOWS\System32

11/30/2005 06:55 PM 236,818 vnr.dll
11/30/2005 06:48 PM 235,899 o0ro0a93ed.dll
11/30/2005 06:47 PM 236,818 lvju0919e.dll
11/30/2005 03:53 PM 234,272 hp2023fmg.dll
11/20/2005 08:21 PM <DIR> dllcache
10/26/2002 04:08 PM <DIR> Microsoft
10/01/2000 12:59 PM 6,144 access.ctl
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
7 File(s) 1,498,815 bytes
2 Dir(s) 22,674,752,512 bytes free

sUBs · 11-30-2005, 05:46 PM

The fix which I gonna give you will not work like this.

When you get back, reboot your computer & post a fresh L2Mfix option #1 log.

The computer must not be rebooted after the log is obtained. This infection changes names with each reboot.

mtporter · 11-30-2005, 07:53 PM

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvju0919e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\vnr.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{665423F6-985C-E1A0-4E5A-AC2B3F9F710A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}"="Name Space Control Band"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.lnk"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{4F37EF96-38E8-45B9-A65E-E599E45A758E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\InprocServer32]
@="C:\\WINDOWS\\system32\\vnr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cgpbk32.dll Wed Nov 30 2005 9:52:28p ..S.R 236,818 231.27 K
child.dll Tue Nov 29 2005 5:53:28p A.... 14,336 14.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
hp2023~1.dll Wed Nov 30 2005 3:53:22p ..S.R 234,272 228.78 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
o0ro0a~1.dll Wed Nov 30 2005 6:48:50p ..S.R 235,899 230.37 K
pncrt.dll Sun Nov 20 2005 8:47:18p A.... 278,528 272.00 K
pndx5032.dll Mon Nov 21 2005 6:01:02p A.... 5,632 5.50 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
sndmix.dll Tue Nov 29 2005 5:53:14p A.... 57,344 56.00 K
ssldr32.dll Tue Nov 29 2005 5:53:22p A.... 10,240 10.00 K
stodperf.dll Tue Nov 29 2005 5:54:20p A.... 45,056 44.00 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vnr.dll Wed Nov 30 2005 6:55:34p ..S.R 236,818 231.27 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K

29 items found: 29 files (4 H/S), 0 directories.
Total of file sizes: 22,391,487 bytes 21.35 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7044-3AFA

Directory of C:\WINDOWS\System32

11/30/2005 09:52 PM 236,818 cgpbk32.dll
11/30/2005 06:55 PM 236,818 vnr.dll
11/30/2005 06:48 PM 235,899 o0ro0a93ed.dll
11/30/2005 03:53 PM 234,272 hp2023fmg.dll
11/20/2005 08:21 PM <DIR> dllcache
10/26/2002 04:08 PM <DIR> Microsoft
10/01/2000 12:59 PM 6,144 access.ctl
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
7 File(s) 1,498,815 bytes
2 Dir(s) 22,672,224,256 bytes free

sUBs · 11-30-2005, 08:14 PM

Read through the entire passage before beginning this fix. It's a bit complicated.

Download the file I've attached to this post - l2m.zip

Download KillBox .zip

______________

Double-click on Killbox.exe to run the program.

At the bottom right of the main screen, click on the arrow to the right of System Process
(The area is to the left of the yellow triangle.)
Select the following entry: rundll32.exe
Now click the yellow triangle to End Task

Wait a few seconds, and check again for rundll32.exe, as it may reload!
If so, End Task once again.

Next, open l2m.zip & doubleclick on l2m.bat

______________

Go to Killbox & select the following options:

delete on Reboot

Select all the filenames listed below & then right-click & select Copy

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\vnr.dll
C:\WINDOWS\System32\o0ro0a93ed.dll
C:\WINDOWS\System32\lvju0919e.dll
C:\WINDOWS\System32\hp2023fmg.dll
C:\WINDOWS\System32\cgpbk32.dll

Go to the File menu, and choose Paste from Clipboard
In the Full Path of File to Delete box you should see the first entry.
- Make sure guard.tmp appears on the list.
- If not, end task for 'rundll32.exe' again. (End Task on rundll32.exe until guard.tmp is on the list!)
Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
Click on the File menu of Pocket KillBox and select: Paste from Clipboard
- In the Full Path of File to Delete box you should see the first entry. (use the down arrow to see the rest of the files.).guard.tmp must appear on the list!!
Click the RED X button.
Click Yes at the Delete on Reboot prompt.
Click Yes at the 'Pending Operations prompt'.

______________

If the PendingFileRenameOperations error appears , then you must reboot.
Upon reboot, L2M file names may change.
In that case, exit out of KillBox
Run L2MFix Option 1 and post its log in your reply.
>>Please wait for new instructions!!<<

______________

If the PendingFileRenameOperations error does not appear, post a fresh HJT log & a fresh L2Mfix option #1 log after you have rebooted

mtporter · 11-30-2005, 08:41 PM

PendingFileRenameOperations error did not appear

Logfile of HijackThis v1.99.1
Scan saved at 10:40:09 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLHOS~1.EXE
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLServiceHost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\MARKPO~1\LOCALS~1\Temp\KillBox.exe
C:\WINDOWS\system32\rundll32.exe
C:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\mporter\prefs.js)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\lvju0919e.dll (file missing)
O20 - Winlogon Notify: ShellExtensions - C:\WINDOWS\system32\vnr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvju0919e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellExtensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\vnr.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{665423F6-985C-E1A0-4E5A-AC2B3F9F710A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}"="Name Space Control Band"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.lnk"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{4F37EF96-38E8-45B9-A65E-E599E45A758E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F37EF96-38E8-45B9-A65E-E599E45A758E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dLdramp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
child.dll Tue Nov 29 2005 5:53:28p A.... 14,336 14.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dldramp.dll Wed Nov 30 2005 10:33:26p ..... 236,818 231.27 K
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
hp2023~1.dll Wed Nov 30 2005 3:53:22p ..S.R 234,272 228.78 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
l2r00c~1.dll Wed Nov 30 2005 10:33:26p ..S.R 236,910 231.36 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
o0ro0a~1.dll Wed Nov 30 2005 6:48:50p ..S.R 235,899 230.37 K
pncrt.dll Sun Nov 20 2005 8:47:18p A.... 278,528 272.00 K
pndx5032.dll Mon Nov 21 2005 6:01:02p A.... 5,632 5.50 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
sndmix.dll Tue Nov 29 2005 5:53:14p A.... 57,344 56.00 K
ssldr32.dll Tue Nov 29 2005 5:53:22p A.... 10,240 10.00 K
stodperf.dll Tue Nov 29 2005 5:54:20p A.... 45,056 44.00 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vnr.dll Wed Nov 30 2005 6:55:34p ..... 236,818 231.27 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K

30 items found: 30 files (3 H/S), 0 directories.
Total of file sizes: 22,628,397 bytes 21.58 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed Nov 30 2005 10:36:26p ..... 236,818 231.27 K

1 item found: 1 file, 0 directories.
Total of file sizes: 236,818 bytes 231.27 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7044-3AFA

Directory of C:\WINDOWS\System32

11/30/2005 10:33 PM 236,910 l2r00c9mef.dll
11/30/2005 06:48 PM 235,899 o0ro0a93ed.dll
11/30/2005 03:53 PM 234,272 hp2023fmg.dll
11/20/2005 08:21 PM <DIR> dllcache
10/26/2002 04:08 PM <DIR> Microsoft
10/01/2000 12:59 PM 6,144 access.ctl
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
6 File(s) 1,262,089 bytes
2 Dir(s) 22,631,828,480 bytes free

sUBs · 11-30-2005, 08:51 PM

Do me a favor & launch Killbox.

Click help & select 'About Killbox'

Let me know the version number

11-29-2005, 06:55 PM	#1 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Help! I did it to myself! I cannot get my computer to restart, it sits idle at Windows is starting. here is my HJT logfile: Logfile of HijackThis v1.99.1 Scan saved at 8:38:57 PM, on 11/29/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Explorer.EXE C:\downloads\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js) O1 - Hosts: 216.19.0.250 idenupdate.motorola.com O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe" O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe" O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKCU\..\Run: [imoz] C:\PROGRA~1\COMMON~1\imoz\imozm.exe O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU) O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU) O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU) O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\m6julg1916.dll O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\jhehipfd.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

11-30-2005, 02:05 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Please do the following: Download & immediately run - L2MFix.exe Click "Install" to extract the contents to a newly created folder. Close any programs you have open since this step requires a reboot. From the l2mfix folder, double click l2mfix.bat Select option #2 for Run Fix by typing 2 and then pressing enter. Your desktop and icons will disappear as L2mfix scans/disinfects your computer. When finished, you will be required to press any key to automatically reboot. On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! If after the reboot the log does not open double click on it in the l2mfix folder to locate log.txt. If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Please download these additional files/programs. Do not run them untill instructed to do so. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. CleanUp! - Install. smitRem.exe - extract it to it's own folder. Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe 'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise. If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * With HiJackThis & place a check next to these items and select "Fix checked": R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled1.dll O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe" O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKCU\..\Run: [imoz] C:\PROGRA~1\COMMON~1\imoz\imozm.exe O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\m6julg1916.dll O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\jhehipfd.dll * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Next, please reboot your computer in SafeMode by doing the following: 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the first option, to run Windows in Safe Mode. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Uninstall the following programs, if present, using Control Panel->Add/Remove Programs: Cram Toolbar Please note any other programs that you dont recognize in that list in your next response * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options> View tab. Tick - Show hidden files and folder Untick - Hide file extensions for known types Untick - Hide protected operating system files Click Yes to confirm & then click OK Locate and delete the following files/folders, if present: c:\secure32.html C:\Program Files\Cram Toolbar\ C:\WINDOWS\system32\paytime.exe C:\WINDOWS\inet20003\ C:\WINDOWS\system32\igps.exe c:\windows\timessquare.exe C:\winstall.exe C:\PROGRA~1\COMMON~1\imoz C:\Program Files\SpySheriff\ C:\WINDOWS\system32\msctl32.dll C:\WINDOWS\system32\jhehipfd.dll * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will not create any backups!! * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Open Ad-aware and close ALL other windows. 1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window: In the General window make sure the following are selected in green: Automatically save log-file Automatically quarantine objects prior to removal Safe Mode (always request confirmation) Prompt to update outdated definitions - set the number of days = 7 Click on the Scanning button on the left and select in green: Scan Within Archives Under Select drives & folders to scan: choose all hard drives Scan Active Processes Scan Registry Deep Scan Registry Scan my IE favorites for banned URL’s Scan my Hosts file Click on the Advanced button on the left and select in green: Move deleted files to recycle bin include addtional object information DeSelect - include negligible objects information Don't log streams smaller than 0 bytes Don't log ADS with the following names: CA_INOCULATEIT Click the Tweak button: Under Scanning Engine: Unload recognized processes during scanning Ignore spanned files when scanning cab archives Scan registry for all users instead of current user only Under Cleaning Engine: Let Windows remove files in use at next reboot Under Log Files: Include basic Ad-aware SE settings in logfile Include additional Ad-aware SE settings in logfile Include computer & username in logfile Please DeSelect: Include Module list in logfile 2. Click on Proceed to save the settings. 3. Click Start 4. Choose - Perform Full System Scan 5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. 6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. 7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window 8. Right-click on the list and choose Select All 9. Click Next to finish removing the items that were found * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * REBOOT TO NORMAL MODE Perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button). Double-click the tmas-web-scan.exe icon It will say "Loading TrendMicro definitions". Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system. It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log Online Scan Ewido Smitfile.txt L2Mfix's log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

11-30-2005, 04:00 AM	#4 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Did you run any of the tools...or just the fix things with hijackthis? If you just fixed things...that won't cut it. The tools need to be run. Download them from another PC and move them to the infected PC. You'll likely have to hold off on running L2MFix as it will error out in safe mode...but run the others. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

11-30-2005, 04:23 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Please recount which part of my earlier instructions you have managed to carry out. Also let me know if all the tools are downloaded to your machine. Are you still stuck in Safe Mode? __________________ Question - what have you done for the community today?

11-30-2005, 04:43 PM	#10 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Not in safe mode! Sorry, forgot to mention that. Ran all the tools... I'm now running again to get fresh log files and then I'm posting in here. Yes, all tools downloaded Last edited by mtporter; 11-30-2005 at 04:50 PM.

11-30-2005, 03:32 AM	#3 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Ok, I did the HJT deletions, and uninstalled Cram Toobar as well found all files and deleted those except: C:\WINDOWS\system32\msctl32.dll It didn't allow me to delete. I did this all in Safe Mode and as well ran cleanup and rebooted but I still get 'Windows is starting up' and it stops there. I cannot connect to the Net via Safe Mode in order to download the other fixes.

11-30-2005, 04:13 PM	#5 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Incident Status Location Virus:Trj/Agent.AWK Not disinfected C:\contextplus.exe Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\Cache\59AE4C3Bd01[crack.exe] Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe Adware:Adware/ISearch Not disinfected C:\mte3ndi6odoxng.exe Adware:Adware/Sqwire Not disinfected C:\stub_113_4_0_4_0.exe Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\ms1.exe Adware:Adware/Redswoosh Not disinfected C:\WINDOWS\RSEDNClientUninstaller.exe Adware:Adware/Secure32 Not disinfected C:\WINDOWS\secure32.html Virus:Trj/Spabot.Y Not disinfected C:\WINDOWS\SYSTEM32\child.dll Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\SYSTEM32\gjcbhpan.exe Adware:Adware/Look2Me Not disinfected C:\WINDOWS\SYSTEM32\guard.tmp Adware:adware/msctl32 Not disinfected C:\WINDOWS\SYSTEM32\msctl32.dll Adware:Adware/Sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\tool2.exe Virus:Bck/Galapoper.FS Not disinfected C:\WINDOWS\tool3.exe Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\tool5.exe Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\toolbar.exe

11-30-2005, 04:14 PM	#6 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Logfile of HijackThis v1.99.1 Scan saved at 6:16:18 PM, on 11/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Logitech\ImageStudio\LogiTray.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLHOS~1.EXE C:\Program Files\Yahoo!\Messenger\ypager.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLServiceHost.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\a2\a2guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webshots\WebshotsTray.exe C:\Program Files\Logitech\ImageStudio\LowLight.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\America Online 9.0b\waol.exe C:\Program Files\America Online 9.0b\shellmon.exe C:\Program Files\Netscape\Netscape\Netscp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js) O1 - Hosts: 216.19.0.250 idenupdate.motorola.com O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe" O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU) O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU) O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU) O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kt26l7fs1.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

11-30-2005, 04:18 PM	#7 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Every few minutes I'm getting pop ups like crazy!!! In Nescape and MSIE. I use to have Google's pop up blocker, but now they require it to be installed in Firefox.

11-30-2005, 04:42 PM	#9 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	--------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 6:43:19 PM, 11/30/2005 + Report-Checksum: 21DE2A97 + Scan result: [1256] C:\WINDOWS\system32\wkvcore2.dll -> Spyware.Look2Me : Error during cleaning [3516] C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup :mozilla.10:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.14:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.15:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup :mozilla.16:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.17:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.18:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.19:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.20:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.21:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.22:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.23:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.24:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.25:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.26:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.27:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.28:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.29:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.30:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.31:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.32:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.33:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.34:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.35:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.36:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.37:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.38:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.39:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.40:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.41:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.42:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.43:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup :mozilla.44:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.45:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.46:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.47:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup :mozilla.48:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup :mozilla.49:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup :mozilla.50:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.51:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.52:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup :mozilla.53:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup :mozilla.54:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup :mozilla.55:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.56:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.57:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.58:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.59:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.60:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.86:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.87:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.88:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.99:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.100:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.101:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.102:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.103:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.126:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup :mozilla.127:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup :mozilla.132:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.146:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup :mozilla.147:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup :mozilla.151:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.159:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.169:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup :mozilla.172:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup :mozilla.173:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup :mozilla.179:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup :mozilla.180:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup :mozilla.184:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.186:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.187:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.188:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.189:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.190:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.191:C:\Documents and Settings\Mark Porter\Application Data\Mozilla\Profiles\mtporter\s51p26up.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup C:\Documents and Settings\Mark Porter\Local Settings\Temp\Cookies\mark porter@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup ::Report End

11-30-2005, 04:49 PM	#11 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Checking for L2MFix account(0=no 1=yes): 0 Checking for L2MFix account(0=no 1=yes): 0

11-30-2005, 04:51 PM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Post a new HJT log now __________________ Question - what have you done for the community today?

11-30-2005, 04:56 PM	#13 (permalink)
mtporter Registered User Join Date: Jun 2005 Posts: 106 OS: XP	Logfile of HijackThis v1.99.1 Scan saved at 6:57:55 PM, on 11/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Logitech\ImageStudio\LogiTray.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Yahoo!\Messenger\ypager.exe C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLHOS~1.EXE C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\a2\a2guard.exe C:\PROGRA~1\COMMON~1\AOL\110495~1\EE\AOLServiceHost.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Webshots\WebshotsTray.exe C:\Program Files\Logitech\ImageStudio\LowLight.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Netscape\Netscape\Netscp.exe C:\Program Files\Logitech\Video\AlbumDB2.exe C:\downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js) O1 - Hosts: 216.19.0.250 idenupdate.motorola.com O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104956288\EE\AOLHostManager.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCShowBuzz] C:\Program Files\inKline Global\PCShowBuzz\PCShowBuzz.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe" O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: ComcastHSI - {A946A040-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net (file missing) (HKCU) O9 - Extra button: Help - {A946A041-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcast.net/memberservices/ (file missing) (HKCU) O9 - Extra button: Support - {A946A042-E5F3-11D6-9BC6-0004E237CB26} - http://www.comcastsupport.com (file missing) (HKCU) O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094089955781 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130272488531 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab O20 - Winlogon Notify: ExtShellViews - C:\WINDOWS\system32\lvju0919e.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

11-30-2005, 05:02 PM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Have Hijackhis fix these: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast N1 - Netscape 4: user_pref("browser.startup.homepage", "www.iwon.com"); (C:\Program Files\Netscape\Users\mporter\prefs.js) The run L2Mfix's option #1 & post the resultant log. DO NOT REBOOT YOUR COMPUTER AFTER YOU HAVE POSTED THE LOG Did you manage to run the smitRem tool whilst in Safe Mode? If so, it should produce a log called smitfiles.txt located at Drive C __________________ Question - what have you done for the community today? Last edited by sUBs; 11-30-2005 at 05:05 PM.

11-30-2005, 05:46 PM	#16 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	The fix which I gonna give you will not work like this. When you get back, reboot your computer & post a fresh L2Mfix option #1 log. The computer must not be rebooted after the log is obtained. This infection changes names with each reboot. __________________ Question - what have you done for the community today?

11-30-2005, 08:14 PM	#18 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Read through the entire passage before beginning this fix. It's a bit complicated. Download the file I've attached to this post - l2m.zip Download KillBox .zip ______________ Double-click on Killbox.exe to run the program. At the bottom right of the main screen, click on the arrow to the right of System Process (The area is to the left of the yellow triangle.) Select the following entry: rundll32.exe Now click the yellow triangle to End Task Wait a few seconds, and check again for rundll32.exe, as it may reload! If so, End Task once again. Next, open l2m.zip & doubleclick on l2m.bat ______________ Go to Killbox & select the following options: delete on Reboot Select all the filenames listed below & then right-click & select Copy C:\WINDOWS\System32\guard.tmp C:\WINDOWS\System32\vnr.dll C:\WINDOWS\System32\o0ro0a93ed.dll C:\WINDOWS\System32\lvju0919e.dll C:\WINDOWS\System32\hp2023fmg.dll C:\WINDOWS\System32\cgpbk32.dll Go to the File menu, and choose Paste from Clipboard In the Full Path of File to Delete box you should see the first entry. Make sure guard.tmp appears on the list. If not, end task for 'rundll32.exe' again. (End Task on rundll32.exe until guard.tmp is on the list!) Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard: Click on the File menu of Pocket KillBox and select: Paste from Clipboard In the Full Path of File to Delete box you should see the first entry. (use the down arrow to see the rest of the files.).guard.tmp must appear on the list!! Click the RED X button. Click Yes at the Delete on Reboot prompt. Click Yes at the 'Pending Operations prompt'. ______________ If the PendingFileRenameOperations error appears , then you must reboot. Upon reboot, L2M file names may change. In that case, exit out of KillBox Run L2MFix Option 1 and post its log in your reply. >>Please wait for new instructions!!<< ______________ If the PendingFileRenameOperations error does not appear, post a fresh HJT log & a fresh L2Mfix option #1 log after you have rebooted __________________ Question - what have you done for the community today? Last edited by sUBs; 12-01-2005 at 12:00 PM.

11-30-2005, 08:51 PM	#20 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Do me a favor & launch Killbox. Click help & select 'About Killbox' Let me know the version number __________________ Question - what have you done for the community today?