TheTechGuide Forum
General Category => Tech Clinic => Topic started by: skyline on October 21, 2005, 11:42:12 PM
-
Well, all of a sudden my F: drive is out of memory even though I had about 4 gigs left a few days ago. Webroot didn't detect anything but I'm not sure, so any help would be appreciated.
logfile of HijackThis v1.99.1
Scan saved at 9:37:35 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\winupdates\winupdates.exe
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\MsMovies\MsMovies.exe
F:\WINDOWS\System32\winlogi.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Digital Line Detect\DLG.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\packet.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\Program Files\AIM\aim.exe
C:\firefox.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CD23G56J\hijackthis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [winupdates] F:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MsMovies] F:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
-
Can you do the following please
To your F:drive
==Download and UNZIP to desktop
BFU.zip (http://castlecops.com/zx/Merijn/bfu.zip)
So you now have BFU.exe extracted to desktop
Please Download and UNZIP to desktop
p2pnetwork.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=400)
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop
==Download and then Install
Ewido Security Suite (http://www.ewido.net/en/download/)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Please print this out or save these instructions to notepad for reference
In safe mode
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Restart back to Normal mode
Download hijackthis from my signature below and save it to a permanent folder on your drive
Only run hijackthis from this new location
Run hijackthis again and post a fresh log, also include the Report from Ewido's
-
I try to open all of the files but it seems like they won't open because I'm completely out of memory. Any ideas what to do?
-
Sorry, that was me not logged in above.
I did all you have told me, but in Ewido after the scan I had to delete everything manually, meaning I had to delete 16000 files all by clicking yes. Is there another way to fix the problem? Has anyone else had the problem?
Logfile of HijackThis v1.99.1
Scan saved at 11:57:33 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\Program Files\AIM\aim.exe
F:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\securitysuite.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Owner\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe (file missing)
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
-
Ewido has a new update as of today, can you open Ewido and check for updates
Could you also disable Ewido's guard feature under the main window
then close it, we'll need it later
Follow all instructions closely, if you noticed I mentioned the following
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
Also, when running Ewido, you did the following
but in Ewido after the scan I had to delete everything manually, meaning I had to delete 16000 files all by clicking yes. Is there another way to fix the problem?
I asked you to do this
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit
==Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
I'm serious,
Please save these instructions to notepad for reference
Start>>run>>type in notepad
Hit OK
Save this to your desktop
I would like you to follow all the next instructions very closely
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:
Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
==Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe). *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder
Run Pocket KillBox.exe
In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C
Killbox files to highlight between dotted lines
===================================================
F:\Program Files\MsConfigs\MsConfigs.exe
F:\WINDOWS\system32\p2pnetwork.exe
F:\WINDOWS\system32\CMD.COM
F:\WINDOWS\system32\netstat.com
F:\WINDOWS\system32\ping.com
F:\WINDOWS\system32\regedit.com
F:\WINDOWS\system32\tasklist.com
F:\WINDOWS\system32\taskkill.com
F:\WINDOWS\system32\taskmgr.com
F:\WINDOWS\system32\tracert.com
F:\WINDOWS\System32\bszip.dll
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\winupdates\winupdates.exe
===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer doesn't restart
Please Restart it now manually into
SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
In safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Go to START>>Run>>copy and paste the following lines in bold into the open field, then hit OK
Copy and paste this next line
sc stop packet
Hit OK
and then the next one
sc delete packet
Hit ok
Afterwards
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit
Find and delete the following files or folders if they exist
Look carefully, don't delete something because it looks similar
F:\WINDOWS\System32\packet.exe <-this file
F:\Program Files\MsConfigs <-folder
F:\Program Files\winupdates <-folder
F:\Program Files\winupdate <-folder
F:\Program Files\winsupdater <-folder
F:\Program Files\MsUpdate <-folder
F:\Program Files\MsMovies <-folder
Stay in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
Restart back to Normal mode
I need to see a few logs
Post the results of the WinPFind.txt located in the WinPFind folder
Also post a fresh hijackthis log
Post the report you saved earlier from Ewido
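A way to compare two HijackThis logs taken before and after a cleanup pass, to see which entries went away and which survived. This is an added example, not code posted by anyone in the thread; the sample text is excerpted from the first two logs above, and the function names and review rules are assumptions chosen for illustration.

```python
import re

# Constructed sample: excerpts copied from the first two HijackThis logs in
# this thread (before and after the first cleanup pass), not the full logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
F:\WINDOWS\RUNDLL16.EXE
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [winupdates] F:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [MsMovies] F:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
F:\WINDOWS\RUNDLL16.EXE
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe (file missing)
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autoruns: "<hive>\..\Run[Services|Once]: [name] command".
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
MISSING = " (file missing)"


def parse_entries(log_text):
    """Return (code, detail) tuples, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def entry_key(entry):
    """Identity of an entry across scans: ignore case and the missing-file tag."""
    code, detail = entry
    if detail.endswith(MISSING):
        detail = detail[: -len(MISSING)]
    return code, detail.lower()


def review_reasons(entry):
    """Reasons an entry deserves a closer look, based only on the log text."""
    code, detail = entry
    reasons = []
    if code == "O2" and detail.endswith("(no file)"):
        reasons.append("BHO registration with no file on disk")
    if code == "O4":
        m = RUN_RE.match(detail)
        if m and "\\" not in m.group(2):
            reasons.append("autorun command has no directory")
    if code == "O23":
        if "Unknown owner" in detail:
            reasons.append("service reported with Unknown owner")
        if detail.endswith(MISSING):
            reasons.append("service still registered, binary missing")
    return reasons


def diff_logs(before_text, after_text):
    """Split the entries of two scans into removed, added and persisting."""
    before = {entry_key(e): e for e in parse_entries(before_text)}
    after = {entry_key(e): e for e in parse_entries(after_text)}
    persisting = [e for k, e in after.items() if k in before]
    return {
        "removed": [e for k, e in before.items() if k not in after],
        "added": [e for k, e in after.items() if k not in before],
        "persisting": persisting,
        "needs_review": [(e, review_reasons(e)) for e in persisting
                         if review_reasons(e)],
    }


if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for bucket in ("removed", "added", "persisting"):
        print(bucket.upper())
        for code, detail in result[bucket]:
            print("  %s - %s" % (code, detail))
    print("NEEDS REVIEW")
    for (code, detail), reasons in result["needs_review"]:
        print("  %s - %s  [%s]" % (code, detail, "; ".join(reasons)))
```

The rules look only at what the log text states, so an entry with a full path and a plausible name, such as the `Windows DLL Loader` autorun, shows up as persisting but not under review.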
-
Logfile of HijackThis v1.99.1
Scan saved at 12:51:20 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\Owner\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:11:32 PM, 10/23/2005
+ Report-Checksum: A8F76DD3
+ Scan result:
F:\WINDOWS\lsass.exe -> Backdoor.SdBot.xd : Cleaned with backup
F:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
F:\WINDOWS\system32\213vmVnzH.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\31.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\7.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\aim.exe -> Backdoor.SdBot.yn : Cleaned with backup
F:\WINDOWS\system32\brbOBV6M.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\CVo.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\E.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\fUc6.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\ib3.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\J.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\JFms8.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\K22lffm.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\K7ygoCr3.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\L7.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\lASkrLeLj.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\M2FbUOI6f.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\qOPgLxF.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
F:\WINDOWS\system32\uAbmzn.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\system32\zBLMJ1Yo.exe -> Spyware.WinFetcher : Cleaned with backup
F:\WINDOWS\temp.bat -> Trojan.Zapchast : Cleaned with backup
::Report End
The Ewido report is from the fast scan, because in the system scan, after scanning all of the files, an error message pops up for all of the infected files, which is about 16000. It says: F/Documents and Settings/Owner/complete...... cannot be removed because it is embedded in the archive...... Do you want to remove the whole archive? And this is for all of the files inside of complete. I get an error message that says file not found when I run winpfind.exe. Thanks for your help so far.
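The process lists, the Killbox list and the Ewido report in this thread contain files named like Windows tools: `.com` copies of `cmd`, `netstat`, `regedit` and others (the default `PATHEXT` lists `.COM` before `.EXE`, so a command typed without an extension resolves to the `.com` file first), near-miss names such as `RUNDLL16.EXE` and `winlogi.exe`, and an `lsass.exe` outside `system32`. An added example, not posted by anyone in the thread, that classifies paths along those lines; the `EXPECTED_DIR` table and the distance threshold are assumptions.

```python
import ntpath

# Assumption: a short illustrative table of Windows XP binaries and the
# directory, relative to the Windows folder, each one normally lives in.
# "" means the Windows folder itself. It is not a complete inventory.
EXPECTED_DIR = {
    "smss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32",
    "svchost.exe": "system32", "spoolsv.exe": "system32",
    "rundll32.exe": "system32", "ctfmon.exe": "system32",
    "cmd.exe": "system32", "netstat.exe": "system32", "ping.exe": "system32",
    "tasklist.exe": "system32", "taskkill.exe": "system32",
    "taskmgr.exe": "system32", "tracert.exe": "system32",
    "explorer.exe": "", "regedit.exe": "",
}

# Paths taken from the logs, the Killbox list and the Ewido report above.
SAMPLE_PATHS = [
    r"F:\WINDOWS\System32\smss.exe",
    r"F:\WINDOWS\Explorer.EXE",
    r"F:\WINDOWS\RUNDLL16.EXE",
    r"F:\WINDOWS\System32\winlogi.exe",
    r"F:\WINDOWS\System32\packet.exe",
    r"F:\WINDOWS\lsass.exe",
    r"F:\WINDOWS\system32\lsass.exe",
    r"F:\WINDOWS\system32\CMD.COM",
    r"F:\WINDOWS\system32\netstat.com",
    r"F:\WINDOWS\system32\regedit.com",
    r"F:\WINDOWS\system32\taskmgr.com",
    r"F:\Program Files\AIM\aim.exe",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic program)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, reference binary) for one Windows path.

    Verdicts: ok, misplaced, shadow-com, lookalike, unlisted.
    """
    norm = ntpath.normcase(path)          # lower-case, backslash separators
    directory, name = ntpath.split(norm)
    parts = directory.split("\\")
    # Directory relative to <drive>:\windows, or None when outside it.
    if len(parts) >= 2 and parts[1] == "windows":
        rel = "\\".join(parts[2:])
    else:
        rel = None
    stem, ext = ntpath.splitext(name)

    if name in EXPECTED_DIR:
        verdict = "ok" if rel == EXPECTED_DIR[name] else "misplaced"
        return verdict, name
    if ext == ".com" and stem + ".exe" in EXPECTED_DIR:
        return "shadow-com", stem + ".exe"
    if ext == ".exe":
        # Only compare against longer names (10+ characters with extension);
        # short names sit within two edits of many unrelated files.
        near = [(edit_distance(name, known), known)
                for known in EXPECTED_DIR if len(known) >= 10]
        dist, known = min(near)
        if 0 < dist <= 2:
            return "lookalike", known
    return "unlisted", None


def flagged(paths):
    """Paths whose verdict calls for a closer look, with the reason."""
    out = []
    for p in paths:
        verdict, ref = classify(p)
        if verdict not in ("ok", "unlisted"):
            out.append((p, verdict, ref))
    return out


if __name__ == "__main__":
    for p, verdict, ref in flagged(SAMPLE_PATHS):
        print("%-12s %-14s %s" % (verdict, ref, p))
```

A table of names cannot judge files it does not list: `F:\WINDOWS\system32\aim.exe` from the Ewido report would come back as `unlisted`.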
-
Please follow these next instructions closely
We're not going to get you clean unless you do
You posted a Hijackthis log from safe mode
I asked you to reboot to normal mode then run hijackthis again and post the log
Please do the following
Ensure windows is set to show hidden files and folders
Also, You MUST unzip Wpfind.zip
The only way I can match this error message
I get an error message that says file not found when i run winpfind.exe
Is if I don't unzip the contents
If you're unsure how to extract the contents
Use THIS LINK (http://metallica.geekstogo.com/xpcompressedexplanation.html)
for instructions
Afterwards
Reboot back to safe mode
Navigate to the following folder
F/Documents and Settings/Owner/complete <-this folder
Delete the Whole contents of the "Complete" folder
then delete the complete folder itself
Afterwards
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
RESTART BACK TO NORMAL MODE
Then run hijackthis again with the scan and save logfile button
Post the new log back here
Also include the report from Ewidos
Additionally, post the results of the WinPFind.txt located in the WinPFind folder
-
Thank you so much for your help, I now have 10 gigs of memory!!
Um, by the way, when I unhid the folders my XP toolbar went back to the classic one and I can't change it. What shall I do?
Logfile of HijackThis v1.99.1
Scan saved at 5:58:54 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\WINDOWS\System32\imapi.exe
F:\Documents and Settings\Owner\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 5:52:51 PM, 10/23/2005
+ Report-Checksum: A8352EA3
+ Scan result:
:mozilla.6:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.8:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.9:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.18:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050615212940.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050616175032.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050618100547.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050618113440.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050618124343.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050618142625.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
F:\Program Files\Yahoo!\YPSR\Quarantine\20050618150918.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
::Report End
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 9/3/2002 9:30:40 AM 41397 F:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 6/9/2005 1:32:28 PM 692736 F:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 6/9/2005 1:32:28 PM 692736 F:\WINDOWS\SYSTEM32\DivX.dll
Umonitor 9/3/2002 9:54:44 AM 631808 F:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/3/2002 10:10:48 AM 1309184 F:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in F:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/23/2005 3:13:12 PM S 2048 F:\WINDOWS\bootstat.dat
10/16/2005 10:44:54 AM H 54156 F:\WINDOWS\QTFont.qfn
10/23/2005 9:57:04 AM H 0 F:\WINDOWS\inf\oem2.inf
9/10/2005 3:33:50 PM H 65536 F:\WINDOWS\Minidump\Mini091005-01.dmp
9/10/2005 3:36:24 PM H 65536 F:\WINDOWS\Minidump\Mini091005-02.dmp
9/22/2005 6:32:10 PM H 65536 F:\WINDOWS\Minidump\Mini092205-01.dmp
10/18/2005 7:36:52 PM H 65536 F:\WINDOWS\Minidump\Mini101805-01.dmp
10/23/2005 3:45:50 PM H 1024 F:\WINDOWS\system32\config\default.LOG
10/23/2005 3:13:14 PM H 1024 F:\WINDOWS\system32\config\SAM.LOG
10/23/2005 4:13:18 PM H 1024 F:\WINDOWS\system32\config\SECURITY.LOG
10/23/2005 4:11:56 PM H 1024 F:\WINDOWS\system32\config\software.LOG
10/23/2005 4:13:20 PM H 1024 F:\WINDOWS\system32\config\system.LOG
10/7/2005 1:36:12 PM HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\657d97a4-7f06-4ce9-b3ad-633af9e86cfb
10/7/2005 1:36:12 PM HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/23/2005 3:13:14 PM H 6 F:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 9/3/2002 9:26:48 AM 66048 F:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 9/3/2002 9:27:24 AM 578560 F:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 9/10/2002 4:07:54 PM 716800 F:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 9/3/2002 9:30:36 AM 129024 F:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/3/2002 9:34:00 AM 150016 F:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/13/2003 3:01:10 PM 94208 F:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 9/3/2002 9:35:14 AM 292352 F:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 9:35:24 AM 121856 F:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 9/3/2002 9:37:12 AM 65536 F:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 10:31:48 PM 49265 F:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 9:40:02 AM 187904 F:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 9/3/2002 9:42:08 AM 559616 F:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 9:47:04 AM 35840 F:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 9:50:26 AM 256000 F:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/3/2002 9:50:44 AM 36864 F:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9/3/2002 9:52:44 AM 109056 F:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 F:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 9/3/2002 10:05:50 AM 268288 F:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 10:06:38 AM 28160 F:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9/3/2002 10:06:48 AM 90112 F:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 F:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 9:26:48 AM 66048 F:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9/3/2002 9:27:24 AM 578560 F:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9/3/2002 9:30:36 AM 129024 F:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9/3/2002 9:34:00 AM 150016 F:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9/3/2002 9:35:14 AM 292352 F:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9/3/2002 9:35:24 AM 121856 F:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 9/3/2002 9:37:12 AM 65536 F:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9/3/2002 9:40:02 AM 187904 F:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 9:42:08 AM 559616 F:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9/3/2002 9:47:04 AM 35840 F:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 9:50:26 AM 256000 F:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9/3/2002 9:50:44 AM 36864 F:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9/3/2002 9:52:44 AM 109056 F:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9/3/2002 9:57:12 AM 147456 F:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9/3/2002 10:05:50 AM 268288 F:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9/3/2002 10:06:38 AM 28160 F:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9/3/2002 10:06:48 AM 90112 F:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation 1/13/2003 3:01:10 PM 94208 F:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\igfxcpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
2/24/2005 6:34:44 PM 986 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
1/9/2005 10:07:12 PM 1757 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/9/2005 6:51:08 PM HS 84 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
1/9/2005 7:08:26 PM 493 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
7/9/2005 3:08:00 PM 1730 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/9/2005 10:41:40 AM HS 62 F:\Documents and Settings\All Users\Application Data\desktop.ini
2/15/2005 7:13:10 PM 5 F:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
Checking files in %USERPROFILE%\Startup folder...
1/9/2005 6:51:08 PM HS 84 F:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
1/9/2005 10:06:04 PM 1215 F:\Documents and Settings\Owner\Application Data\AdobeDLM.log
1/9/2005 10:41:40 AM HS 62 F:\Documents and Settings\Owner\Application Data\desktop.ini
1/9/2005 10:06:04 PM 0 F:\Documents and Settings\Owner\Application Data\dm.ini
5/22/2005 2:55:04 PM 65720 F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{063FDFED-6FD9-407C-8E6A-1EFA75CBCCD5} =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = F:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = F:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = F:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : F:\WINDOWS\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : F:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : F:\Program Files\Messenger\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AdaptecDirectCD "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
WebrootDesktopFirewall F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Window Washer F:\Program Files\Webroot\Washer\wwDisp.exe
ctfmon.exe F:\WINDOWS\System32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BJCFD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command F:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command F:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item csrsssvc
hkey HKLM
command csrsssvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item csrsssvc
hkey HKLM
command csrsssvc.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "F:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "F:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = F:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/23/2005 4:13:55 PM
-
Your log looks better, but we're not done yet
We still have a bit more cleaning to do
Download and Save to desktop AimFix.exe (http://jayloden.com/AIMFix.exe)
Download and UNZIP to your desktop
RdrivRem.zip (http://www.geekstogo.com/forum/index.php?act=Attach&type=post&id=1778)
Print this out or save to a notepad for reference
Run the Aimfix.exe>>Follow the prompts
Reboot into Safe mode
Run AimFix.exe again
Open the rdrivRem folder you extracted earlier
Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.
Reboot back to normal mode
Access the following link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down near the bottom
AVG Free Edition installation files
File Version
avg71free_361a651.exe <-click this link, or similar
Save the installer to desktop
Double click to Install
After AVG7 is installed, make sure you have Checked for updates and it is right up to date
Run a complete system scan with AVG7, let it fix what it finds
Restart the computer one more time
Back in Windows
Post the contents of the rdriv.txt in the rdrivRem folder.
Could you also
Download: Registry Search Tool from this link
http://billsway.com/vbspage/
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
csrsssvc.exe
Wait for the results and post them back here
-
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "csrsssvc.exe" 10/24/2005 6:20:07 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"path"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"command"="csrsssvc.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
-
Post the contents of the rdriv.txt in the rdrivRem folder.
-
I did
-
Like I said, read everything carefully
Ok, let me tell you what I said again
Restart the computer one more time
Back in Windows
Post the contents of the rdriv.txt in the rdrivRem folder.
Could you also
Download: Registry Search Tool from this link
http://billsway.com/vbspage/
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
csrsssvc.exe
Wait for the results and post them back here
I see the results from Registry search tool, but I don't see rdriv.txt in the rdrivRem folder
-
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "csrsssvc.exe" 10/25/2005 5:50:29 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"path"="csrsssvc.exe"
[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"command"="csrsssvc.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
-
Post the contents of the rdriv.txt in the rdrivRem folder.
I don't want to see the results from the registry search tool right now
I want to see the above I asked for
-
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!
-
Can you try this please
Download and UNZIP to desktop Fix.zip from below
so you now have Fix.reg on your desktop
create a new restore point
Start>>all programs>>accessories>>System tools>>System restore
Click Create a new restore point>>Name it and click create
Afterwards, double click on fix.reg and allow to merge to the registry
Reboot your computer
Come back here and post one last hijackthis log, let me know how things are running
-
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~2\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
Things are running smoothly but I still have the classic Windows toolbar because the XP option is now nonexistent!
-
Do the following, read what I have posted below carefully
Can you do a SEARCH on your computer for
Luna.msstyles
Make sure you type that in properly or copy and paste it
Also in Search under the Advanced options ensure the top 3 entries are selected which includes Search Hidden Files and folders
If Luna.msstyles is found
Let me know the exact location and size
Additionally, Download find.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=327)
and UNZIP the contents to desktop
Double click on Find.bat and post the contents
Do the Same with Find1.bat
-
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"
Volume in drive F has no label.
Volume Serial Number is DCD8-C4C7
Directory of F:\Documents and Settings\Owner\Desktop
10/26/2005 05:35 PM <DIR> .
10/26/2005 05:35 PM <DIR> ..
06/19/2005 11:43 AM 332 find.bat
10/26/2005 05:35 PM 450 find.zip
05/09/2005 09:51 AM 115 Find1.bat
01/14/2005 08:26 PM 2,429 Microsoft Publisher.lnk
10/25/2005 07:49 PM <DIR> rdrivRem
10/26/2005 06:21 AM 3,704,147 Skyline_GTR_R34.zip
01/09/2005 11:11 PM 739 Spy Sweeper.lnk
6 File(s) 3,708,212 bytes
Directory of F:\Documents and Settings\Owner\Desktop\rdrivRem
10/25/2005 07:49 PM <DIR> .
10/25/2005 07:49 PM <DIR> ..
10/25/2005 05:49 PM 279 rdriv.txt
06/21/2005 10:40 PM 10,378 rdrivRem.bat
12/15/2001 11:27 AM 3,254 RegSrch.vbs
3 File(s) 13,911 bytes
Total Files Listed:
9 File(s) 3,722,123 bytes
5 Dir(s) 9,712,807,936 bytes free
The program was not found on my computer through search.
-
You have to be sure of this, manually look thru Windows Explorer
Do you see the following folder
C:\WINDOWS\Resources <-this folder
If you do, do you see the following folder
C:\WINDOWS\Resources\Themes <-this folder
-
UMMMMM IS EVERYTHING ALL GOOOOOD?
-
Yea, I see the folder, so what do I do now, doc?
-
Does everything still look like Win 98?
What other file do you see in the "Resources" folder
Removed my comment, was a bit on the irritable side last night
Give me every file name and every name you see in the Resources folder and we'll go from there
-
THEMES FOLDER
Files: 521, Blade, Eclipse, Gem, Luna, Panther, Watercolor, Wisp
Windows Theme Files: 521-advance4-2, 521-minus4-2, blade, current, eclipse, gem, luna, panther, pantherg, watercolor blue, watercolor ergonomic, watercolor olive green, watercolor silver, windows classic, wisp
PROGRAMS: chronos.logonxp, sorrow logon.logonxp
RESOURCE FOLDER
Files: boot, cursors, explorer bar, icons, screensavers, themes
-
I feel bad, I didn't change the directory in the find1.bat to point to the correct directory
Can you do this one more time skyline
Download and UNZIP to desktop Find2.zip from below so you now have Find2.bat extracted
Double click on Find2.bat and post the contents of the text file that opens
-
Volume in drive F has no label.
Volume Serial Number is DCD8-C4C7
Directory of F:\WINDOWS\Resources\Themes
07/12/2005 07:48 PM <DIR> .
07/12/2005 07:48 PM <DIR> ..
07/12/2005 07:01 PM <DIR> 521
01/10/2005 03:12 PM 432 521-advance4-2.theme
01/10/2005 03:12 PM 545 521-minus4-2.theme
07/12/2005 07:01 PM <DIR> Blade
01/10/2005 03:12 PM 1,091 Blade.Theme
01/10/2005 03:12 PM 937,299 Chronos.logonxp
07/12/2005 07:51 PM 1,212 Current.theme
07/12/2005 07:01 PM <DIR> Eclipse
01/10/2005 03:12 PM 549 Eclipse.Theme
07/12/2005 07:01 PM <DIR> Gem
01/10/2005 03:12 PM 2,915 Gem.Theme
10/23/2005 11:04 AM <DIR> Luna
09/03/2002 09:39 AM 1,222 Luna.theme
07/12/2005 07:01 PM <DIR> Panther
01/10/2005 03:12 PM 551 Panther.theme
01/10/2005 03:12 PM 552 Pantherg.theme
01/10/2005 03:12 PM 1,224,203 Sorrow Logon.logonxp
10/29/2005 03:15 PM <DIR> WaterColor
01/10/2005 03:12 PM 905 Watercolor Blue.theme
01/10/2005 03:12 PM 3,887 Watercolor Ergonomic.theme
01/10/2005 03:12 PM 899 Watercolor Olive Green.theme
01/10/2005 03:12 PM 3,884 Watercolor Silver.theme
09/03/2002 09:28 AM 3,025 Windows Classic.theme
07/12/2005 07:01 PM <DIR> Wisp
01/10/2005 03:12 PM 1,065 Wisp.Theme
17 File(s) 2,184,236 bytes
Directory of F:\WINDOWS\Resources\Themes\521
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 839,824 521.msstyles
01/10/2005 03:12 PM 52 521design.url
01/10/2005 03:12 PM 61 futuregraphicdesign.url
01/10/2005 03:12 PM 397 readme.txt
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> wp
4 File(s) 840,334 bytes
Directory of F:\WINDOWS\Resources\Themes\521\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> minus2
07/12/2005 07:01 PM <DIR> normalcolor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\521\shell\minus2
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 25,600 shellstyle.dll
1 File(s) 25,600 bytes
Directory of F:\WINDOWS\Resources\Themes\521\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 26,112 shellstyle.dll
1 File(s) 26,112 bytes
Directory of F:\WINDOWS\Resources\Themes\521\wp
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 3,140 minus4-2.gif
1 File(s) 3,140 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 1,753,232 Blade.msstyles
07/12/2005 07:01 PM <DIR> Icons
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> User Icon
07/12/2005 07:01 PM <DIR> Wallpaper
1 File(s) 1,753,232 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade\Icons
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 159,990 BIN Empty.ico
01/10/2005 03:12 PM 159,990 BIN Full.ico
01/10/2005 03:12 PM 162,566 Internet Explorer.ico
01/10/2005 03:12 PM 162,566 My Computer.ico
01/10/2005 03:12 PM 162,566 My Documents.ico
01/10/2005 03:12 PM 162,566 My Network.ico
01/10/2005 03:12 PM 516 Permission.txt
7 File(s) 970,760 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> normalcolor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 400,384 shellstyle.dll
1 File(s) 400,384 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade\User Icon
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 6,966 Blade User Icon.bmp
1 File(s) 6,966 bytes
Directory of F:\WINDOWS\Resources\Themes\Blade\Wallpaper
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 61,239 Blade.jpg
1 File(s) 61,239 bytes
Directory of F:\WINDOWS\Resources\Themes\Eclipse
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 1,912,976 Eclipse.msstyles
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> Wallpaper
1 File(s) 1,912,976 bytes
Directory of F:\WINDOWS\Resources\Themes\Eclipse\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> normalcolor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Eclipse\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 924,672 shellstyle.dll
1 File(s) 924,672 bytes
Directory of F:\WINDOWS\Resources\Themes\Eclipse\Wallpaper
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 113,897 Eclipse.jpg
1 File(s) 113,897 bytes
Directory of F:\WINDOWS\Resources\Themes\Gem
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 1,704,080 Gem.msstyles
07/12/2005 07:01 PM <DIR> Icons
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> Wallpaper
1 File(s) 1,704,080 bytes
Directory of F:\WINDOWS\Resources\Themes\Gem\Icons
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 176,134 BIN Empty.ico
01/10/2005 03:12 PM 176,134 BIN Full.ico
01/10/2005 03:12 PM 176,134 Internet Explorer.ico
01/10/2005 03:12 PM 176,134 My Computer.ico
01/10/2005 03:12 PM 176,134 My Documents.ico
01/10/2005 03:12 PM 176,134 My Network.ico
01/10/2005 03:12 PM 307 Permission.txt
7 File(s) 1,057,111 bytes
Directory of F:\WINDOWS\Resources\Themes\Gem\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> normalcolor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Gem\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 282,624 shellstyle.dll
1 File(s) 282,624 bytes
Directory of F:\WINDOWS\Resources\Themes\Gem\Wallpaper
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 54,703 Gem.jpg
1 File(s) 54,703 bytes
Directory of F:\WINDOWS\Resources\Themes\Luna
10/23/2005 11:04 AM <DIR> .
10/23/2005 11:04 AM <DIR> ..
01/09/2005 10:37 AM <DIR> Shell
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Luna\Shell
01/09/2005 10:37 AM <DIR> .
01/09/2005 10:37 AM <DIR> ..
01/09/2005 10:38 AM <DIR> Homestead
01/09/2005 10:38 AM <DIR> Metallic
01/09/2005 10:37 AM <DIR> NormalColor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
01/09/2005 10:38 AM <DIR> .
01/09/2005 10:38 AM <DIR> ..
09/03/2002 09:34 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of F:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
01/09/2005 10:38 AM <DIR> .
01/09/2005 10:38 AM <DIR> ..
09/03/2002 09:41 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of F:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
01/09/2005 10:37 AM <DIR> .
01/09/2005 10:37 AM <DIR> ..
09/03/2002 09:28 AM 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 2,801,808 Panther.msstyles
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> Wallpaper
1 File(s) 2,801,808 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> normalcolor
07/12/2005 07:01 PM <DIR> pantherb
07/12/2005 07:01 PM <DIR> pantherg
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 939,008 shellstyle.dll
1 File(s) 939,008 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther\shell\pantherb
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 939,008 shellstyle.dll
1 File(s) 939,008 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther\shell\pantherg
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 939,008 shellstyle.dll
1 File(s) 939,008 bytes
Directory of F:\WINDOWS\Resources\Themes\Panther\Wallpaper
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 133,256 Aqua_Blue.jpg
01/10/2005 03:12 PM 115,821 Aqua_Graphite.jpg
2 File(s) 249,077 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor
10/29/2005 03:15 PM <DIR> .
10/29/2005 03:15 PM <DIR> ..
01/10/2005 03:12 PM 5,358 ReadMe.html
01/10/2005 03:12 PM 25,214 RecycleBinEmpty.ico
01/10/2005 03:12 PM 25,214 RecycleBinFull.ico
07/12/2005 07:01 PM <DIR> shell
10/29/2005 03:15 PM 5,120 Thumbs.db
01/10/2005 03:12 PM 11,502 watercolor.ico
01/10/2005 03:12 PM 63,304 Watercolor.jpg
01/10/2005 03:12 PM 2,715,792 Watercolor.msstyles
7 File(s) 2,851,504 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> Ergonomic
07/12/2005 07:01 PM <DIR> normalcolor
07/12/2005 07:01 PM <DIR> Olive
07/12/2005 07:01 PM <DIR> Silver
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor\shell\Ergonomic
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 395,776 shellstyle.dll
1 File(s) 395,776 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 397,312 shellstyle.dll
1 File(s) 397,312 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor\shell\Olive
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 397,312 shellstyle.dll
1 File(s) 397,312 bytes
Directory of F:\WINDOWS\Resources\Themes\WaterColor\shell\Silver
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 390,656 shellstyle.dll
1 File(s) 390,656 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> Icons
07/12/2005 07:01 PM <DIR> shell
07/12/2005 07:01 PM <DIR> User Icon
07/12/2005 07:01 PM <DIR> Wallpaper
01/10/2005 03:12 PM 1,716,368 Wisp.msstyles
1 File(s) 1,716,368 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp\Icons
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 159,990 BIN Empty.ico
01/10/2005 03:12 PM 159,990 BIN Full.ico
01/10/2005 03:12 PM 159,990 Internet Explorer.ico
01/10/2005 03:12 PM 159,990 My Computer.ico
01/10/2005 03:12 PM 159,990 My Documents.ico
01/10/2005 03:12 PM 159,990 My Network.ico
01/10/2005 03:12 PM 518 Permission.txt
7 File(s) 960,458 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp\shell
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
07/12/2005 07:01 PM <DIR> normalcolor
0 File(s) 0 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp\shell\normalcolor
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 458,240 shellstyle.dll
1 File(s) 458,240 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp\User Icon
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 7,654 Wisp User Icon.bmp
1 File(s) 7,654 bytes
Directory of F:\WINDOWS\Resources\Themes\Wisp\Wallpaper
07/12/2005 07:01 PM <DIR> .
07/12/2005 07:01 PM <DIR> ..
01/10/2005 03:12 PM 54,845 Wisp.jpg
1 File(s) 54,845 bytes
Total Files Listed:
79 File(s) 26,906,564 bytes
131 Dir(s) 9,463,525,376 bytes free
-
It looks like you downloaded a few extra Themes for XP?
From below download and save to desktop
Luna.zip
Don't unzip it yet, just save it to your desktop for now
Let's try and get you fixed up
Download and Unzip to desktop Fix.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=328)
so you now have Fix.reg on the desktop
Double click on Fix.reg and allow to add or merge to the registry
Restart your computer
Back in Windows
UNZIP Luna.zip only to the following folder
F:\WINDOWS\Resources\Themes\Luna <-this folder
So you now have luna.msstyles extracted to the Luna folder
Now open your Display Properties and see if you can change to Windows XP Under the Themes and Appearance tabs
Could you also do this, I missed an entry earlier
Download L2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
-
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A470D353-BFC3-CD9D-F4C7-914EC5B08072}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{063FDFED-6FD9-407C-8E6A-1EFA75CBCCD5}"=""
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}"="Window Washer Shredding Utility"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
F:\WINDOWS\SYSTEM32\
cmdlin~1.dll Mon Oct 3 2005 7:21:06p A.... 43,520 42.50 K
cmdlin~2.dll Thu Sep 29 2005 5:36:32p A.... 98,304 96.00 K
msssc.dll Sat Oct 15 2005 8:42:00p A.... 44 0.04 K
sporder.dll Sat Sep 24 2005 3:17:28p A.... 8,464 8.27 K
4 items found: 4 files, 0 directories.
Total of file sizes: 150,332 bytes 146.81 K
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive F has no label.
Volume Serial Number is DCD8-C4C7
Directory of F:\WINDOWS\System32
10/30/2005 09:52 AM <DIR> dllcache
06/18/2005 02:01 PM 475 oqjsiiz.dll
06/18/2005 01:23 PM 475 orokg.dll
06/18/2005 11:40 AM 475 jrdei.dll
06/18/2005 10:11 AM 475 glarjx.dll
06/17/2005 08:56 PM 475 vluoug.dll
06/17/2005 08:00 PM 475 nvip.dll
06/16/2005 10:08 PM 475 foit.dll
06/13/2005 05:51 AM 475 qzicfkb.dll
06/12/2005 06:38 PM 475 azcefal.dll
04/22/2005 10:45 PM 56 BECECFD760.sys
01/09/2005 06:02 PM <DIR> Microsoft
10 File(s) 4,331 bytes
2 Dir(s) 9,485,897,728 bytes free
-
Let's try the following; we'll see what we can clear.
Close down all unnecessary programs running in the background; this will require a reboot.
Run L2MFix again with these instructions:
From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer, and when it's finished, Notepad will open with a log.
If L2MFix doesn't run after the restart, then go into the l2mfix folder and double-click on second.bat to run it.