
CWS Infection



#1 Masamune42


Posted 07 December 2004 - 09:53 PM

Hi folks, I'm new around here, and I was wondering if I could get some help. I've got an issue with those CWS files that some other people here have reported dealing with. I can't seem to get them off my system.

SpyBot reports them as
CWS.Bootconf
CWS.Loadbat
CWS.Msconfd
CWS.Oslogo
CWS.Tapicfg
CWS.Xmlmimefilter

Same problem as others have reported. Not able to remove them through normal means. CWS.bootconf reappears instantly after CWS Shredder theoretically kills it. I've tried to follow through other threads here and on other forums that have dealt with this, but to no avail. Hopefully someone here can give me a hand.

I'm running a computer with Windows XP SP1 (SP2 makes my mouse not work, so that stays far away). I've got SpyBot, Ad-Aware, HijackThis, CWS Shredder, Kill2me, VX2finder, and KillBox installed. I'll post the Hijack This log in a bit. Please, I'm desperate to get this cleared up. If there's any other information I should post, let me know. Thanks in advance to anyone who helps!

Logfile of HijackThis v1.97.7
Scan saved at 11:02:44 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.micr...C4D/mp43dmo.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab

I know it's a little short, but that's all of it. There are some things in there (the O1's for example) that come back on reboot. Any advice?

#2 guestolo


Posted 07 December 2004 - 11:17 PM

Sorry Masamune42, I just popped in to see that you have a new nasty infection

Let's get some tools to identify the hijacker

I also need you to disable Spybot's TeaTimer and Spyware Guard until we are done
I may not see your response until tomorrow, but do what you can

Open Spybot>>Click Mode>>Advanced Mode>>Tools>>System Startup
Uncheck
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
and
C:\Program Files\SpywareGuard\sgmain.exe

Restart your computer afterwards to ensure they're not running

Download a few tools please
Download Findit.zip
Unzip the contents to your desktop
Double click on Find.bat, a new text document should open
Copy and Paste the Whole contents back here
After that close out the text document and hit a key on your keyboard to exit find.bat

Download and save to desktop VX2 Finder (126)
Open VX2 Finder and press the "Click to Find VX2.BetterInternet"
Press the "Make log"
Copy and paste the entire contents of the log back here

Can you Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

We need the above tools to help identify the hijacker and then we can go from there

Could you also delete your copy of Hijackthis and download the newest version
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE or HERE
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

If you can post back all those logs I'll have a chance to look at them tomorrow

If you post them back tomorrow sometime, try not restarting your computer again until we have applied a fix, this may cause some files to be added for removal

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#3 Masamune42


Posted 08 December 2004 - 10:29 PM

Hi Guestolo, I really appreciate your attempt to help. Thanks for your time.
I made the changes to my system you told me to. Here are the log files you asked for:

FindIt:

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 08:46 PM 56,320 xciqe.dll
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
15 File(s) 501,673 bytes
1 Dir(s) 54,067,716,096 bytes free
Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,067,712,000 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvl2l93o1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



VX2 Finder:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
ShellScrap
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{03436F64-12CC-486B-82B5-6E1D8717A291}


Now, I might be doing something wrong, but CompareDLL doesn't seem to be working. When I hit 'Run Locate.com' I get the following message titled "16 bit MS-DOS Subsystem" that says "C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." That strikes me as bad. Am I doing something wrong here?

And here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:36:38 PM, on 12/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab


I'll try not to restart the computer until tomorrow night, but it seems to have developed a fun tendency to reboot itself randomly. So we'll just hope it behaves. Thank you.

#4 Masamune42


Posted 08 December 2004 - 10:31 PM

Double Post. Sorry.

#5 guestolo


Posted 08 December 2004 - 10:32 PM

Just checked in and saw your reply, can I please see the DllCompare log too, thanks



#6 guestolo


Posted 08 December 2004 - 10:51 PM

Just reread what you posted about DLLCompare
Try this from Microsoft to fix the files
http://support.micro...kb;en-us;324767



#7 guestolo


Posted 08 December 2004 - 11:10 PM

If you can't possibly get DllCompare to run
Could you download this version of Findit.Zip
Again, extract to desktop
Double click on Find.bat, a new text document should open---Give this time to complete its scan, even if you see File not found
Copy and Paste the Whole contents back here

I prefer to see this version of Findit.zip with the Dllcompare, but do what you can



#8 Masamune42


Posted 09 December 2004 - 06:22 PM

Ahh... excellent, the fix you linked me to appears to have worked perfectly.

Here's the log from CompareDLL:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\azau0g~1.dll Wed Dec 8 2004 11:10:54p ..S.R 223,958 218.71 K
C:\WINDOWS\SYSTEM32\en0ml1~1.dll Tue Dec 7 2004 9:02:06p ..S.R 224,333 219.07 K
C:\WINDOWS\SYSTEM32\en6ml1~1.dll Wed Dec 8 2004 11:20:36p ..S.R 222,686 217.46 K
C:\WINDOWS\SYSTEM32\gprml3~1.dll Wed Dec 8 2004 11:28:06p ..S.R 225,118 219.84 K
C:\WINDOWS\SYSTEM32\mvl2l9~1.dll Wed Dec 8 2004 11:17:36p ..S.R 223,925 218.68 K
C:\WINDOWS\SYSTEM32\xciqe.dll Mon Nov 15 2004 8:46:02p A.SH. 56,320 55.00 K
________________________________________________

1,302 items found: 1,302 files (6 H/S), 0 directories.
Total of file sizes: 265,303,622 bytes 253.01 M

Administrator Account = True

--------------------End log---------------------
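
The two logs posted so far can be cross-checked mechanically: the sketch below, an added example that is not part of the original thread or of any tool named in it, parses the REGEDIT4 export of the Winlogon\Notify key from reply #3 and reports any notification package whose DLL also appears among the files DLLCompare listed as hidden in reply #8. The function names are hypothetical, the inputs are excerpts of the posted logs, and the 8.3 short-name match is a prefix heuristic that assumes the simple `~N` alias form.

```python
import re

# Excerpt of the Winlogon\Notify export from reply #3 (wrapped key paths re-joined).
NOTIFY_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINDOWS\\system32\\mvl2l93o1.dll"
"Logon"="WinLogon"
'''
# Excerpt of the DLLCompare log from reply #8.
DLLCOMPARE_LOG = r'''
C:\WINDOWS\SYSTEM32\en0ml1~1.dll Tue Dec 7 2004 9:02:06p ..S.R 224,333 219.07 K
C:\WINDOWS\SYSTEM32\mvl2l9~1.dll Wed Dec 8 2004 11:17:36p ..S.R 223,925 218.68 K
C:\WINDOWS\SYSTEM32\xciqe.dll Mon Nov 15 2004 8:46:02p A.SH. 56,320 55.00 K
'''

def decode_reg_value(raw):
    """Decode a REGEDIT4 value: quoted string, or hex(2) (REG_EXPAND_SZ as ANSI bytes)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.split(b"\x00")[0].decode("latin-1")
    return raw.strip('"').replace("\\\\", "\\")

def notify_dlls(export):
    """Return {subkey name: DllName} for each Notify subkey in the export."""
    out, key = {}, None
    for line in (l.strip() for l in export.splitlines()):
        if line.startswith("["):
            m = re.match(r"\[.*\\Winlogon\\Notify\\([^\\\]]+)\]$", line)
            key = m.group(1) if m else None
            continue
        m = re.match(r'"dllname"=(.+)$', line, re.I)  # value name casing varies
        if m and key:
            out[key] = decode_reg_value(m.group(1))
    return out

def hidden_files(log):
    """Lower-cased base names of the System32 files DLLCompare listed."""
    return [m.group(1).lower()
            for m in re.finditer(r"^C:\\WINDOWS\\SYSTEM32\\(\S+)", log, re.M)]

def matches_short_name(long_name, short_name):
    """True if an 8.3 alias such as 'mvl2l9~1.dll' could belong to long_name."""
    long_stem, _, long_ext = long_name.lower().rpartition(".")
    short_stem, _, short_ext = short_name.lower().rpartition(".")
    if long_ext[:3] != short_ext:
        return False
    if "~" not in short_stem:
        return long_stem == short_stem
    # Heuristic: alias = leading characters of the long stem + "~N".
    return len(long_stem) > 8 and long_stem.startswith(short_stem.split("~")[0])

def hidden_notify_dlls(export, log):
    """Notify packages whose DLL also appears in the hidden-file list."""
    hidden = hidden_files(log)
    hits = []
    for key, dll in notify_dlls(export).items():
        name = dll.rsplit("\\", 1)[-1]
        hits += [(key, dll, short) for short in hidden
                 if matches_short_name(name, short)]
    return hits

if __name__ == "__main__":
    for key, dll, short in hidden_notify_dlls(NOTIFY_EXPORT, DLLCOMPARE_LOG):
        print(f"Notify\\{key} loads {dll} (hidden on disk as {short})")
```

On these excerpts the only hit is the ShellScrap package, whose DLL corresponds to the hidden file `mvl2l9~1.dll`.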

#9 guestolo


Posted 09 December 2004 - 11:04 PM

Sorry for the delay, been busy

Download Pocket Killbox from here:
http://www.downloads...org/KillBox.zip
Unzip the files to the folder of your choice.

Disconnect from the Internet completely
Double-click on Killbox.exe to run it

Click on Tools->Delete Temp Files

When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\azau0g~.dll

C:\WINDOWS\SYSTEM32\en0ml1~1.dll

C:\WINDOWS\SYSTEM32\en6ml1~1.dll

C:\WINDOWS\SYSTEM32\gprml3~1.dll

C:\WINDOWS\SYSTEM32\mvl2l9~1.dll

C:\WINDOWS\SYSTEM32\Guard.tmp


For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer