TheTechGuide Forum
General Category => Tech Clinic => Topic started by: acidpoupon on November 07, 2005, 02:07:53 AM
-
Hi everyone. I have tried and read many topics to help me remove these annoying pop-ups, so I resorted to asking :D. If anyone would be nice enough to help me through this pesky problem.
Logfile of HijackThis v1.99.1
Scan saved at 1:50:35 AM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\enn4l15q1.dll
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2CAF-3063
Directory of C:\WINDOWS\System32
11/07/2005 01:48 AM 235,514 saellstyle.dll
11/07/2005 01:48 AM 236,664 i0nmla511d.dll
11/07/2005 01:43 AM 235,514 enn4l15q1.dll
11/07/2005 01:32 AM 237,005 nhprint.dll
11/07/2005 01:27 AM 235,664 wmbvw.dll
11/07/2005 01:22 AM 236,694 dmmclien.dll
11/07/2005 01:19 AM 235,664 ohedlg.dll
11/07/2005 12:48 AM 234,123 cfadmin.dll
11/07/2005 12:05 AM 233,903 wjaueng1.dll
11/06/2005 11:40 PM 237,308 kddsf.dll
11/06/2005 11:20 PM 234,206 nulsapi.dll
11/06/2005 11:08 PM 237,080 vdoy.dll
11/06/2005 10:32 PM 235,308 spbcsp.dll
11/06/2005 10:11 PM 233,933 ncmsmgr.dll
11/06/2005 10:06 PM 234,704 wknntbbu.dll
11/06/2005 11:15 AM 234,041 mjdxmlc.dll
11/05/2005 11:57 PM 236,342 m0ls0a37ed.dll
11/05/2005 02:32 PM 236,342 fclemgmt.dll
11/05/2005 02:29 PM 235,487 ir0ml5d11.dll
11/04/2005 12:38 PM 233,911 dndskmgr.dll
11/04/2005 12:15 PM 233,911 lt4027hmg.dll
11/04/2005 11:35 AM 236,257 i6lolg3316.dll
11/04/2005 10:01 AM 236,257 rIcpldlg.dll
11/04/2005 10:01 AM 233,911 h62olgf3162.dll
10/24/2005 02:03 AM <DIR> dllcache
06/27/2005 12:02 AM 10,856 KGyGaAvL.sys
08/03/2004 09:30 AM <DIR> Microsoft
25 File(s) 5,660,599 bytes
2 Dir(s) 137,777,729,536 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2CAF-3063
Directory of C:\WINDOWS\System32
10/24/2005 02:03 AM <DIR> dllcache
06/27/2005 12:02 AM 10,856 KGyGaAvL.sys
08/03/2004 09:24 AM 488 WindowsLogon.manifest
08/03/2004 09:24 AM 488 logonui.exe.manifest
08/03/2004 09:24 AM 749 nwc.cpl.manifest
08/03/2004 09:24 AM 749 sapi.cpl.manifest
08/03/2004 09:24 AM 749 ncpa.cpl.manifest
08/03/2004 09:24 AM 749 cdplayer.exe.manifest
08/03/2004 09:24 AM 749 wuaucpl.cpl.manifest
8 File(s) 15,577 bytes
1 Dir(s) 137,777,729,536 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 2CAF-3063
Directory of C:\WINDOWS\System32
11/07/2005 01:48 AM 237,315 guard.tmp
1 File(s) 237,315 bytes
0 Dir(s) 137,777,725,440 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 2CAF-3063
Directory of C:\WINDOWS\System32
11/07/2005 01:48 AM 237,315 guard.tmp
1 File(s) 237,315 bytes
0 Dir(s) 137,777,725,440 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F929E098-9D19-A515-B96A-B2FD49788061}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enn4l15q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
cfadmin.dll Mon Nov 7 2005 12:48:10a ..S.R 234,123 228.63 K
dmmclien.dll Mon Nov 7 2005 1:22:48a ..S.R 236,694 231.14 K
dndskmgr.dll Fri Nov 4 2005 12:38:10p ..S.R 233,911 228.43 K
fclemgmt.dll Sat Nov 5 2005 2:32:46p ..S.R 236,342 230.80 K
kddsf.dll Sun Nov 6 2005 11:40:04p ..S.R 237,308 231.75 K
mjdxmlc.dll Sun Nov 6 2005 11:15:32a ..S.R 234,041 228.55 K
ncmsmgr.dll Sun Nov 6 2005 10:11:38p ..S.R 233,933 228.45 K
nhprint.dll Mon Nov 7 2005 1:32:56a ..S.R 237,005 231.45 K
nulsapi.dll Sun Nov 6 2005 11:20:40p ..S.R 234,206 228.71 K
ohedlg.dll Mon Nov 7 2005 1:19:04a ..S.R 235,664 230.14 K
ricpldlg.dll Fri Nov 4 2005 10:01:40a ..S.R 236,257 230.72 K
spbcsp.dll Sun Nov 6 2005 10:32:50p ..S.R 235,308 229.79 K
vdoy.dll Sun Nov 6 2005 11:08:30p ..S.R 237,080 231.52 K
wjaueng1.dll Mon Nov 7 2005 12:05:20a ..S.R 233,903 228.42 K
wknntbbu.dll Sun Nov 6 2005 10:06:32p ..S.R 234,704 229.20 K
wmbvw.dll Mon Nov 7 2005 1:27:50a ..S.R 235,664 230.14 K
16 items found: 16 files, 0 directories.
Total of file sizes: 3,766,143 bytes 3.59 M
I know it has to do with that enn4l15q1.dll :D. Thank you.
-
bump?
-
What happened to your HijackThis log????
If you tried fixing entries yourself, open HijackThis,
"View a list of backups",
RESTORE all backups.
If you have anything disabled with msconfig,
go back and enable everything.
Once the above is done, come back here and post a fresh HijackThis log.
Also, double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
-
Logfile of HijackThis v1.99.1
Scan saved at 12:29:51 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\RefreshLock.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\T-Clock\tclock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ximages.offeroptimizer.com
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\en4ql1h51.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjql1151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f02mlaf11d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4ql1h51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F929E098-9D19-A515-B96A-B2FD49788061}"=""
********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{62A808F8-596E-4841-A368-BA51F247CA7B}"=""
"{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}"=""
"{783D2719-CCAA-4CB0-9E07-B67C843563CD}"=""
"{732EE58A-4CC6-4D87-B460-77CDC894C9B1}"=""
"{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}"=""
"{179399B4-0986-4FF6-9F9B-5478B5E93105}"=""
"{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}"=""
"{2D391FDC-600E-4AF9-9F41-C6F38A324111}"=""
********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\InprocServer32]
@="C:\\WINDOWS\\system32\\fclemgmt.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\InprocServer32]
@="C:\\WINDOWS\\system32\\saellstyle.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mjdxmlc.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\wknntbbu.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\InprocServer32]
@="C:\\WINDOWS\\system32\\ncmsmgr.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\spbcsp.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\InprocServer32]
@="C:\\WINDOWS\\system32\\vdoy.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\InprocServer32]
@="C:\\WINDOWS\\system32\\kddsf.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\InprocServer32]
@="C:\\WINDOWS\\system32\\umrvoica.dll"
"ThreadingModel"="Apartment"
********************************************************************************
**
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Tue Aug 30 2005 8:42:50p A.... 233,472 228.00 K
ati2dvag.dll Tue Aug 30 2005 9:42:54p A.... 238,592 233.00 K
ati2edxx.dll Tue Aug 30 2005 9:37:22p A.... 39,936 39.00 K
ati2evxx.dll Tue Aug 30 2005 9:37:12p A.... 46,080 45.00 K
ati3duag.dll Tue Aug 30 2005 9:28:36p A.... 2,429,824 2.32 M
atiddc.dll Tue Aug 30 2005 9:35:46p A.... 53,248 52.00 K
atidemgr.dll Tue Aug 30 2005 11:33:32p A.... 258,048 252.00 K
atiiiexx.dll Wed Aug 31 2005 12:08:36a A.... 307,200 300.00 K
atikvmag.dll Tue Aug 30 2005 9:10:36p A.... 147,456 144.00 K
atioglx1.dll Tue Aug 30 2005 10:57:50p A.... 6,684,672 6.38 M
atioglxx.dll Tue Aug 30 2005 9:57:00p A.... 4,718,592 4.50 M
atipdlxx.dll Tue Aug 30 2005 9:37:44p A.... 106,496 104.00 K
atitvo32.dll Tue Aug 30 2005 8:47:46p A.... 17,408 17.00 K
ativvaxx.dll Tue Aug 30 2005 9:23:04p A.... 600,672 586.59 K
atmtd.dll Fri Nov 4 2005 12:43:46a A.... 687,592 671.48 K
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cfadmin.dll Mon Nov 7 2005 12:48:10a ..S.R 234,123 228.63 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dmmclien.dll Mon Nov 7 2005 1:22:48a ..S.R 236,694 231.14 K
dndskmgr.dll Fri Nov 4 2005 12:38:10p ..S.R 233,911 228.43 K
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
fclemgmt.dll Sat Nov 5 2005 2:32:46p ..S.R 236,342 230.80 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
kddsf.dll Sun Nov 6 2005 11:40:04p ..S.R 237,308 231.75 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mjdxmlc.dll Sun Nov 6 2005 11:15:32a ..S.R 234,041 228.55 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
msvcp71.dll Fri Nov 4 2005 1:25:06a A.... 499,712 488.00 K
ncmsmgr.dll Sun Nov 6 2005 10:11:38p ..S.R 233,933 228.45 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
nhprint.dll Mon Nov 7 2005 1:32:56a ..S.R 237,005 231.45 K
nulsapi.dll Sun Nov 6 2005 11:20:40p ..S.R 234,206 228.71 K
oemdspif.dll Tue Aug 30 2005 9:37:34p A.... 73,728 72.00 K
ohedlg.dll Mon Nov 7 2005 1:19:04a ..S.R 235,664 230.14 K
pncrt.dll Sun Sep 25 2005 12:15:06a A.... 278,528 272.00 K
pndx5016.dll Sun Sep 25 2005 12:15:10a A.... 6,656 6.50 K
pndx5032.dll Sun Sep 25 2005 12:15:10a A.... 5,632 5.50 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
ricpldlg.dll Fri Nov 4 2005 10:01:40a ..S.R 236,257 230.72 K
rmoc3260.dll Sun Sep 25 2005 12:15:16a A.... 176,167 172.04 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
spbcsp.dll Sun Nov 6 2005 10:32:50p ..S.R 235,308 229.79 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
umrvoica.dll Tue Nov 8 2005 12:27:58a ..S.R 234,896 229.39 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vdoy.dll Sun Nov 6 2005 11:08:30p ..S.R 237,080 231.52 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K
wjaueng1.dll Mon Nov 7 2005 12:05:20a ..S.R 233,903 228.42 K
wknntbbu.dll Sun Nov 6 2005 10:06:32p ..S.R 234,704 229.20 K
wmbvw.dll Mon Nov 7 2005 1:27:50a ..S.R 235,664 230.14 K
61 items found: 61 files (17 H/S), 0 directories.
Total of file sizes: 44,287,230 bytes 42.23 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2CAF-3063
Directory of C:\WINDOWS\System32
11/08/2005 12:27 AM 234,896 umrvoica.dll
11/08/2005 12:27 AM 236,707 enj8l11u1.dll
11/07/2005 11:46 PM 234,896 en4ql1h51.dll
11/07/2005 01:48 AM 235,514 saellstyle.dll
11/07/2005 01:32 AM 237,005 nhprint.dll
11/07/2005 01:27 AM 235,664 wmbvw.dll
11/07/2005 01:22 AM 236,694 dmmclien.dll
11/07/2005 01:19 AM 235,664 ohedlg.dll
11/07/2005 12:48 AM 234,123 cfadmin.dll
11/07/2005 12:05 AM 233,903 wjaueng1.dll
11/06/2005 11:40 PM 237,308 kddsf.dll
11/06/2005 11:20 PM 234,206 nulsapi.dll
11/06/2005 11:08 PM 237,080 vdoy.dll
11/06/2005 10:32 PM 235,308 spbcsp.dll
11/06/2005 10:11 PM 233,933 ncmsmgr.dll
11/06/2005 10:06 PM 234,704 wknntbbu.dll
11/06/2005 11:15 AM 234,041 mjdxmlc.dll
11/05/2005 11:57 PM 236,342 m0ls0a37ed.dll
11/05/2005 02:32 PM 236,342 fclemgmt.dll
11/05/2005 02:29 PM 235,487 ir0ml5d11.dll
11/04/2005 12:38 PM 233,911 dndskmgr.dll
11/04/2005 12:15 PM 233,911 lt4027hmg.dll
11/04/2005 11:35 AM 236,257 i6lolg3316.dll
11/04/2005 10:01 AM 236,257 rIcpldlg.dll
11/04/2005 10:01 AM 233,911 h62olgf3162.dll
10/24/2005 02:03 AM <DIR> dllcache
06/27/2005 12:02 AM 10,856 KGyGaAvL.sys
08/03/2004 09:30 AM <DIR> Microsoft
26 File(s) 5,894,920 bytes
2 Dir(s) 137,689,796,608 bytes free
thanks a lot for the reply. appreciate it
-
let's try some cleanup
Download the trial version of Spy Sweeper from HERE (http://www.webroot.com/consumer/downloads/)
Click on the Free trial link
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
Please print the rest of these instructions or copy and paste them to notepad for reference
Make sure you are disconnected from the internet.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #4 by typing 4 and then pressing Enter
Exit l2mfix, we'll need it later
In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
When prompted, allow Spy Sweeper to restart your computer
Back in Windows
Stay disconnected from the Net
Close any open programs running in the background, this step requires another reboot
Run L2MFix again with these instructions
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here
If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.
Additionally,
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.
-
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1640 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1660 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\cfadmin.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmmclien.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dndskmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en22l1fo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fclemgmt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h62olgf3162.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6lolg3316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir0ml5d11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kddsf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lt4027hmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0ls0a37ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjdxmlc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ncmsmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhprint.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nulsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohedlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIcpldlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\saellstyle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spbcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdoy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjaueng1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wknntbbu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wmbvw.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\cfadmin.dll
Successfully Deleted: C:\WINDOWS\system32\cfadmin.dll
deleting: C:\WINDOWS\system32\dmmclien.dll
Successfully Deleted: C:\WINDOWS\system32\dmmclien.dll
deleting: C:\WINDOWS\system32\dndskmgr.dll
Successfully Deleted: C:\WINDOWS\system32\dndskmgr.dll
deleting: C:\WINDOWS\system32\en22l1fo1.dll
Successfully Deleted: C:\WINDOWS\system32\en22l1fo1.dll
deleting: C:\WINDOWS\system32\fclemgmt.dll
Successfully Deleted: C:\WINDOWS\system32\fclemgmt.dll
deleting: C:\WINDOWS\system32\h62olgf3162.dll
Successfully Deleted: C:\WINDOWS\system32\h62olgf3162.dll
deleting: C:\WINDOWS\system32\i6lolg3316.dll
Successfully Deleted: C:\WINDOWS\system32\i6lolg3316.dll
deleting: C:\WINDOWS\system32\ir0ml5d11.dll
Successfully Deleted: C:\WINDOWS\system32\ir0ml5d11.dll
deleting: C:\WINDOWS\system32\kddsf.dll
Successfully Deleted: C:\WINDOWS\system32\kddsf.dll
deleting: C:\WINDOWS\system32\lt4027hmg.dll
Successfully Deleted: C:\WINDOWS\system32\lt4027hmg.dll
deleting: C:\WINDOWS\system32\m0ls0a37ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0ls0a37ed.dll
deleting: C:\WINDOWS\system32\mjdxmlc.dll
Successfully Deleted: C:\WINDOWS\system32\mjdxmlc.dll
deleting: C:\WINDOWS\system32\ncmsmgr.dll
Successfully Deleted: C:\WINDOWS\system32\ncmsmgr.dll
deleting: C:\WINDOWS\system32\nhprint.dll
Successfully Deleted: C:\WINDOWS\system32\nhprint.dll
deleting: C:\WINDOWS\system32\nulsapi.dll
Successfully Deleted: C:\WINDOWS\system32\nulsapi.dll
deleting: C:\WINDOWS\system32\ohedlg.dll
Successfully Deleted: C:\WINDOWS\system32\ohedlg.dll
deleting: C:\WINDOWS\system32\rIcpldlg.dll
Successfully Deleted: C:\WINDOWS\system32\rIcpldlg.dll
deleting: C:\WINDOWS\system32\saellstyle.dll
Successfully Deleted: C:\WINDOWS\system32\saellstyle.dll
deleting: C:\WINDOWS\system32\spbcsp.dll
Successfully Deleted: C:\WINDOWS\system32\spbcsp.dll
deleting: C:\WINDOWS\system32\vdoy.dll
Successfully Deleted: C:\WINDOWS\system32\vdoy.dll
deleting: C:\WINDOWS\system32\wjaueng1.dll
Successfully Deleted: C:\WINDOWS\system32\wjaueng1.dll
deleting: C:\WINDOWS\system32\wknntbbu.dll
Successfully Deleted: C:\WINDOWS\system32\wknntbbu.dll
deleting: C:\WINDOWS\system32\wmbvw.dll
Successfully Deleted: C:\WINDOWS\system32\wmbvw.dll
Zipping up files for submission:
adding: cfadmin.dll (188 bytes security) (deflated 4%)
adding: dmmclien.dll (188 bytes security) (deflated 5%)
adding: dndskmgr.dll (188 bytes security) (deflated 4%)
adding: en22l1fo1.dll (188 bytes security) (deflated 4%)
adding: fclemgmt.dll (188 bytes security) (deflated 5%)
adding: FL Studio VSTi (Multi).dll (188 bytes security) (deflated 48%)
adding: FL Studio VSTi.dll (188 bytes security) (deflated 48%)
adding: h62olgf3162.dll (188 bytes security) (deflated 4%)
adding: i6lolg3316.dll (188 bytes security) (deflated 5%)
adding: ir0ml5d11.dll (188 bytes security) (deflated 5%)
adding: kddsf.dll (188 bytes security) (deflated 6%)
adding: lt4027hmg.dll (188 bytes security) (deflated 4%)
adding: m0ls0a37ed.dll (188 bytes security) (deflated 5%)
adding: mjdxmlc.dll (188 bytes security) (deflated 4%)
adding: ncmsmgr.dll (188 bytes security) (deflated 4%)
adding: nhprint.dll (188 bytes security) (deflated 6%)
adding: nulsapi.dll (188 bytes security) (deflated 4%)
adding: ohedlg.dll (188 bytes security) (deflated 5%)
adding: rIcpldlg.dll (188 bytes security) (deflated 5%)
adding: saellstyle.dll (188 bytes security) (deflated 5%)
adding: spbcsp.dll (188 bytes security) (deflated 5%)
adding: vdoy.dll (188 bytes security) (deflated 6%)
adding: wjaueng1.dll (188 bytes security) (deflated 4%)
adding: wknntbbu.dll (188 bytes security) (deflated 5%)
adding: wmbvw.dll (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 63%)
adding: EULA.txt (188 bytes security) (deflated 54%)
adding: FAQ.txt (188 bytes security) (deflated 60%)
adding: Instruct.txt (188 bytes security) (deflated 55%)
adding: lo2.txt (188 bytes security) (deflated 85%)
adding: palsound.txt (188 bytes security) (stored 0%)
adding: test.txt (188 bytes security) (deflated 80%)
adding: test2.txt (188 bytes security) (deflated 44%)
adding: test3.txt (188 bytes security) (deflated 44%)
adding: test5.txt (188 bytes security) (deflated 44%)
adding: VerHist.txt (188 bytes security) (deflated 55%)
adding: vx2logs.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
deleting local copy: cfadmin.dll
deleting local copy: dmmclien.dll
deleting local copy: dndskmgr.dll
deleting local copy: en22l1fo1.dll
deleting local copy: fclemgmt.dll
deleting local copy: h62olgf3162.dll
deleting local copy: i6lolg3316.dll
deleting local copy: ir0ml5d11.dll
deleting local copy: kddsf.dll
deleting local copy: lt4027hmg.dll
deleting local copy: m0ls0a37ed.dll
deleting local copy: mjdxmlc.dll
deleting local copy: ncmsmgr.dll
deleting local copy: nhprint.dll
deleting local copy: nulsapi.dll
deleting local copy: ohedlg.dll
deleting local copy: rIcpldlg.dll
deleting local copy: saellstyle.dll
deleting local copy: spbcsp.dll
deleting local copy: vdoy.dll
deleting local copy: wjaueng1.dll
deleting local copy: wknntbbu.dll
deleting local copy: wmbvw.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjql1151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f02mlaf11d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cfadmin.dll
C:\WINDOWS\system32\dmmclien.dll
C:\WINDOWS\system32\dndskmgr.dll
C:\WINDOWS\system32\en22l1fo1.dll
C:\WINDOWS\system32\fclemgmt.dll
C:\WINDOWS\system32\h62olgf3162.dll
C:\WINDOWS\system32\i6lolg3316.dll
C:\WINDOWS\system32\ir0ml5d11.dll
C:\WINDOWS\system32\kddsf.dll
C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\m0ls0a37ed.dll
C:\WINDOWS\system32\mjdxmlc.dll
C:\WINDOWS\system32\ncmsmgr.dll
C:\WINDOWS\system32\nhprint.dll
C:\WINDOWS\system32\nulsapi.dll
C:\WINDOWS\system32\ohedlg.dll
C:\WINDOWS\system32\rIcpldlg.dll
C:\WINDOWS\system32\saellstyle.dll
C:\WINDOWS\system32\spbcsp.dll
C:\WINDOWS\system32\vdoy.dll
C:\WINDOWS\system32\wjaueng1.dll
C:\WINDOWS\system32\wknntbbu.dll
C:\WINDOWS\system32\wmbvw.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}"=-
"{62A808F8-596E-4841-A368-BA51F247CA7B}"=-
"{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}"=-
"{783D2719-CCAA-4CB0-9E07-B67C843563CD}"=-
"{732EE58A-4CC6-4D87-B460-77CDC894C9B1}"=-
"{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}"=-
"{179399B4-0986-4FF6-9F9B-5478B5E93105}"=-
"{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}"=-
"{2D391FDC-600E-4AF9-9F41-C6F38A324111}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}]
[-HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}]
[-HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}]
[-HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}]
[-HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}]
[-HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}]
[-HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}]
[-HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}]
[-HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
********
10:16 AM: | Start of Session, Tuesday, November 08, 2005 |
10:16 AM: Spy Sweeper started
10:16 AM: Sweep initiated using definitions version 569
10:16 AM: Starting Memory Sweep
10:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:17 AM: Found Adware: icannnews
10:17 AM: Detected running threat: C:\WINDOWS\system32\enj8l11u1.dll (ID = 83)
10:17 AM: Detected running threat: C:\WINDOWS\system32\kxdtuf.dll (ID = 83)
10:17 AM: Memory Sweep Complete, Elapsed Time: 00:01:50
10:17 AM: Starting Registry Sweep
10:18 AM: Found Trojan Horse: sdbot
10:18 AM: HKU\.default\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140586)
10:18 AM: HKU\.default\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140589)
10:18 AM: HKU\.default\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140594)
10:18 AM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140617)
10:18 AM: HKLM\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140622)
10:18 AM: Found Adware: search helping wizard
10:18 AM: HKCR\ngsh35.clsdw\ (1 subtraces) (ID = 958369)
10:18 AM: HKCR\ngsh35.clsis\ (1 subtraces) (ID = 958373)
10:18 AM: HKLM\software\classes\ngsh35.clsdw\ (1 subtraces) (ID = 958516)
10:18 AM: HKLM\software\classes\ngsh35.clsis\ (1 subtraces) (ID = 958520)
10:18 AM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140604)
10:18 AM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
10:18 AM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140631)
10:18 AM: Registry Sweep Complete, Elapsed Time:00:00:12
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM: Starting Cookie Sweep
10:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:18 AM: Starting File Sweep
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 AM: Found Adware: apropos
10:23 AM: wingenerics.dll (ID = 50187)
10:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM: Found Adware: targetsaver
10:26 AM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
10:26 AM: contextplus.exe (ID = 185940)
10:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM: installer_1.exe (ID = 185727)
10:27 AM: atmtd.dll (ID = 166754)
10:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM: atmtd.dll._ (ID = 166754)
10:28 AM: Found System Monitor: potentially rootkit-masked files
10:28 AM: syntmsft.exe (ID = 0)
10:28 AM: ace.dll (ID = 0)
10:28 AM: data.bin (ID = 0)
10:28 AM: 00007ff5_436efcdf_0002a291 (ID = 0)
10:28 AM: updarvdm.sys (ID = 0)
10:28 AM: 00000822_436eff25_00099dce (ID = 0)
10:28 AM: 00000bdb_436efd8d_00022dfe (ID = 0)
10:28 AM: 00003bf6_436efe26_0001dfc4 (ID = 0)
10:28 AM: 0000491c_436efc6b_0008083e (ID = 0)
10:28 AM: 00004d06_436efc6b_0009b68c (ID = 0)
10:28 AM: 00003a9e_436efe26_00042a8c (ID = 0)
10:28 AM: 00005991_436eff25_0009ec0b (ID = 0)
10:28 AM: 00000f3e_436efc27_000c0a04 (ID = 0)
10:28 AM: 00004db7_436efc6b_000aa143 (ID = 0)
10:28 AM: 00002350_436efd8f_0000b20e (ID = 0)
10:28 AM: 00001547_436efc6c_00001bb1 (ID = 0)
10:28 AM: 0000323b_436efd4c_000d20fc (ID = 0)
10:28 AM: 00005f49_436efe2a_000d6c2c (ID = 0)
10:28 AM: 00003d6c_436efaf7_00018a0c (ID = 0)
10:28 AM: 000054de_436efc77_00014448 (ID = 0)
10:28 AM: 0000366b_436efeb1_000402ee (ID = 0)
10:28 AM: 00002213_436efd4d_0002744c (ID = 0)
10:28 AM: 00004823_436efaea_000dc8a9 (ID = 0)
10:28 AM: 000039b3_436efc77_0002a459 (ID = 0)
10:28 AM: 00006b89_436efd89_00039eae (ID = 0)
10:28 AM: 000066c4_436efeb1_00049f68 (ID = 0)
10:28 AM: 00000ddc_436efe2a_000e08a6 (ID = 0)
10:28 AM: 0000030a_436efd89_00048964 (ID = 0)
10:28 AM: 00006e5d_436efcbd_000baaeb (ID = 0)
10:28 AM: 0000074d_436efc7f_0001230b (ID = 0)
10:28 AM: 00004dc8_436efc7f_00025bfe (ID = 0)
10:28 AM: 00004cad_436efe3a_000e62a6 (ID = 0)
10:28 AM: 0000301c_436efd8c_000ed739 (ID = 0)
10:28 AM: 000026e9_436efbe8_00068770 (ID = 0)
10:28 AM: 00005cfd_436efdc1_00092101 (ID = 0)
10:28 AM: 00000099_436efc29_00031143 (ID = 0)
10:28 AM: 00006443_436efc7f_00031f96 (ID = 0)
10:28 AM: 00000124_436efc29_00042318 (ID = 0)
10:28 AM: 0000314f_436efe3a_000ed801 (ID = 0)
10:28 AM: 00003e12_436efdc2_0000bf19 (ID = 0)
10:28 AM: 00006df1_436efb12_0003f759 (ID = 0)
10:28 AM: 00001ad4_436efcbd_000cbcc0 (ID = 0)
10:28 AM: 000001eb_436efbe8_000e2b60 (ID = 0)
10:28 AM: 000066bb_436efc80_000b3e81 (ID = 0)
10:28 AM: 00005e14_436efe3b_0002cb40 (ID = 0)
10:28 AM: 00000bb3_436efbf4_00051ca1 (ID = 0)
10:28 AM: 00000732_436efd8e_000148e8 (ID = 0)
10:28 AM: 0000428b_436efc80_000db068 (ID = 0)
10:28 AM: 0000409d_436eff3f_00026500 (ID = 0)
10:28 AM: 0000440d_436efc2e_0004b493 (ID = 0)
10:28 AM: 00005f90_436efb03_0008116b (ID = 0)
10:28 AM: 00004230_436efeb2_000828c3 (ID = 0)
10:28 AM: 00004b40_436efdb5_000d4bf3 (ID = 0)
10:28 AM: 00007eb7_436efeb6_000690f4 (ID = 0)
10:28 AM: 000026a6_436efc80_000e9b1e (ID = 0)
10:28 AM: 00004944_436efe80_000c8fc9 (ID = 0)
10:28 AM: 00000120_436efd8e_00031e54 (ID = 0)
10:28 AM: 000012e1_436eff42_000add68 (ID = 0)
10:28 AM: 00002ea6_436efc12_000501c9 (ID = 0)
10:28 AM: 0000759a_436efd8e_00067af1 (ID = 0)
10:28 AM: 00002e40_436efe80_000cde06 (ID = 0)
10:28 AM: 00006032_436efeb6_000b9be0 (ID = 0)
10:28 AM: 00002c3b_436efeb6_000c3859 (ID = 0)
10:28 AM: 0000798b_436eff61_00014ed3 (ID = 0)
10:28 AM: 000018be_436efaf4_00054b24 (ID = 0)
10:28 AM: 0000121f_436eff70_000a8016 (ID = 0)
10:28 AM: 00001a49_436efdce_0008f4c6 (ID = 0)
10:28 AM: 000012db_436efc14_0003d416 (ID = 0)
10:28 AM: 000015a1_436efeb9_0007b3a9 (ID = 0)
10:28 AM: 0000701f_436efc87_00085781 (ID = 0)
10:28 AM: 00005f32_436efdce_000bb4e9 (ID = 0)
10:28 AM: 00006bfc_436efcd3_0000ff00 (ID = 0)
10:28 AM: 00007f96_436efcdf_000190bc (ID = 0)
10:28 AM: 00005422_436efeb9_00085023 (ID = 0)
10:28 AM: 00003ef6_436efeb9_000a2590 (ID = 0)
10:28 AM: 00005d03_436efc87_0008a5be (ID = 0)
10:28 AM: dns (ID = 0)
10:28 AM: 00006952_436efb03_0006631c (ID = 0)
10:28 AM: 000073da_436eff7b_000df374 (ID = 0)
10:28 AM: 00007a5a_436efca4_00072534 (ID = 0)
10:28 AM: 000058b0_436eff7b_000e68d0 (ID = 0)
10:28 AM: 0000767d_436efca4_0007e8cc (ID = 0)
10:28 AM: 00004509_436efcb8_000aa414 (ID = 0)
10:28 AM: 00004e45_436efd4c_000555ee (ID = 0)
10:28 AM: 000026ca_436eff8f_00086e53 (ID = 0)
10:28 AM: 00007e87_436efc20_000810ac (ID = 0)
10:28 AM: 00003699_436eff8f_000a6ade (ID = 0)
10:28 AM: 00006b36_436efdc1_000687fc (ID = 0)
10:28 AM: index (ID = 0)
10:28 AM: 0000390c_436efc24_000b0e6e (ID = 0)
10:28 AM: spumsapi.exe (ID = 0)
10:28 AM: 00001238_436efcb8_000c2b44 (ID = 0)
10:28 AM: 00001cd0_436efeb1_0002a2dc (ID = 0)
10:28 AM: imeprddm.exe (ID = 0)
10:28 AM: 00003b25_436efcb9_00010939 (ID = 0)
10:28 AM: ai_08-11-2005.log (ID = 0)
10:28 AM: ai_07-11-2005.log (ID = 0)
10:28 AM: 000056ae_436efd8d_00058a9b (ID = 0)
10:28 AM: 00006784_436efaf6_00013630 (ID = 0)
10:28 AM: 00004ae1_436efaf6_000380f8 (ID = 0)
10:28 AM: 00002cd6_436efafd_00088c24 (ID = 0)
10:28 AM: 00001649_436efb07_00036b3c (ID = 0)
10:28 AM: 00001366_436efeb0_000f24f9 (ID = 0)
10:28 AM: 00005af1_436efbe6_00096371 (ID = 0)
10:28 AM: 000041bb_436efbe7_000a53c8 (ID = 0)
10:28 AM: ai_04-11-2005.log (ID = 0)
10:28 AM: ai_06-11-2005.log (ID = 0)
10:28 AM: ai_05-11-2005.log (ID = 0)
10:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM: File Sweep Complete, Elapsed Time: 00:11:15
10:29 AM: Full Sweep has completed. Elapsed time 00:13:20
10:29 AM: Traces Found: 132
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:37 AM: Removal process initiated
10:37 AM: Quarantining All Traces: icannnews
10:37 AM: icannnews is in use. It will be removed on reboot.
10:37 AM: C:\WINDOWS\system32\enj8l11u1.dll is in use. It will be removed on reboot.
10:37 AM: C:\WINDOWS\system32\kxdtuf.dll is in use. It will be removed on reboot.
10:37 AM: Quarantining All Traces: potentially rootkit-masked files
10:38 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
10:38 AM: syntmsft.exe is in use. It will be removed on reboot.
10:38 AM: ace.dll is in use. It will be removed on reboot.
10:38 AM: data.bin is in use. It will be removed on reboot.
10:38 AM: 00007ff5_436efcdf_0002a291 is in use. It will be removed on reboot.
10:38 AM: updarvdm.sys is in use. It will be removed on reboot.
10:38 AM: 00000822_436eff25_00099dce is in use. It will be removed on reboot.
10:38 AM: 00000bdb_436efd8d_00022dfe is in use. It will be removed on reboot.
10:38 AM: 00003bf6_436efe26_0001dfc4 is in use. It will be removed on reboot.
10:38 AM: 0000491c_436efc6b_0008083e is in use. It will be removed on reboot.
10:38 AM: 00004d06_436efc6b_0009b68c is in use. It will be removed on reboot.
10:38 AM: 00003a9e_436efe26_00042a8c is in use. It will be removed on reboot.
10:38 AM: 00005991_436eff25_0009ec0b is in use. It will be removed on reboot.
10:38 AM: 00000f3e_436efc27_000c0a04 is in use. It will be removed on reboot.
10:38 AM: 00004db7_436efc6b_000aa143 is in use. It will be removed on reboot.
10:38 AM: 00002350_436efd8f_0000b20e is in use. It will be removed on reboot.
10:38 AM: 00001547_436efc6c_00001bb1 is in use. It will be removed on reboot.
10:38 AM: 0000323b_436efd4c_000d20fc is in use. It will be removed on reboot.
10:38 AM: 00005f49_436efe2a_000d6c2c is in use. It will be removed on reboot.
10:38 AM: 00003d6c_436efaf7_00018a0c is in use. It will be removed on reboot.
10:38 AM: 000054de_436efc77_00014448 is in use. It will be removed on reboot.
10:38 AM: 0000366b_436efeb1_000402ee is in use. It will be removed on reboot.
10:38 AM: 00002213_436efd4d_0002744c is in use. It will be removed on reboot.
10:38 AM: 00004823_436efaea_000dc8a9 is in use. It will be removed on reboot.
10:38 AM: 000039b3_436efc77_0002a459 is in use. It will be removed on reboot.
10:38 AM: 00006b89_436efd89_00039eae is in use. It will be removed on reboot.
10:38 AM: 000066c4_436efeb1_00049f68 is in use. It will be removed on reboot.
10:38 AM: 00000ddc_436efe2a_000e08a6 is in use. It will be removed on reboot.
10:38 AM: 0000030a_436efd89_00048964 is in use. It will be removed on reboot.
10:38 AM: 00006e5d_436efcbd_000baaeb is in use. It will be removed on reboot.
10:38 AM: 0000074d_436efc7f_0001230b is in use. It will be removed on reboot.
10:38 AM: 00004dc8_436efc7f_00025bfe is in use. It will be removed on reboot.
10:38 AM: 00004cad_436efe3a_000e62a6 is in use. It will be removed on reboot.
10:38 AM: 0000301c_436efd8c_000ed739 is in use. It will be removed on reboot.
10:38 AM: 000026e9_436efbe8_00068770 is in use. It will be removed on reboot.
10:38 AM: 00005cfd_436efdc1_00092101 is in use. It will be removed on reboot.
10:38 AM: 00000099_436efc29_00031143 is in use. It will be removed on reboot.
10:38 AM: 00006443_436efc7f_00031f96 is in use. It will be removed on reboot.
10:38 AM: 00000124_436efc29_00042318 is in use. It will be removed on reboot.
10:38 AM: 0000314f_436efe3a_000ed801 is in use. It will be removed on reboot.
10:38 AM: 00003e12_436efdc2_0000bf19 is in use. It will be removed on reboot.
10:38 AM: 00006df1_436efb12_0003f759 is in use. It will be removed on reboot.
10:38 AM: 00001ad4_436efcbd_000cbcc0 is in use. It will be removed on reboot.
10:38 AM: 000001eb_436efbe8_000e2b60 is in use. It will be removed on reboot.
10:38 AM: 000066bb_436efc80_000b3e81 is in use. It will be removed on reboot.
10:38 AM: 00005e14_436efe3b_0002cb40 is in use. It will be removed on reboot.
10:38 AM: 00000bb3_436efbf4_00051ca1 is in use. It will be removed on reboot.
10:38 AM: 00000732_436efd8e_000148e8 is in use. It will be removed on reboot.
10:38 AM: 0000428b_436efc80_000db068 is in use. It will be removed on reboot.
10:38 AM: 0000409d_436eff3f_00026500 is in use. It will be removed on reboot.
10:38 AM: 0000440d_436efc2e_0004b493 is in use. It will be removed on reboot.
10:38 AM: 00005f90_436efb03_0008116b is in use. It will be removed on reboot.
10:38 AM: 00004230_436efeb2_000828c3 is in use. It will be removed on reboot.
10:38 AM: 00004b40_436efdb5_000d4bf3 is in use. It will be removed on reboot.
10:38 AM: 00007eb7_436efeb6_000690f4 is in use. It will be removed on reboot.
10:38 AM: 000026a6_436efc80_000e9b1e is in use. It will be removed on reboot.
10:38 AM: 00004944_436efe80_000c8fc9 is in use. It will be removed on reboot.
10:38 AM: 00000120_436efd8e_00031e54 is in use. It will be removed on reboot.
10:38 AM: 000012e1_436eff42_000add68 is in use. It will be removed on reboot.
10:38 AM: 00002ea6_436efc12_000501c9 is in use. It will be removed on reboot.
10:38 AM: 0000759a_436efd8e_00067af1 is in use. It will be removed on reboot.
10:38 AM: 00002e40_436efe80_000cde06 is in use. It will be removed on reboot.
10:38 AM: 00006032_436efeb6_000b9be0 is in use. It will be removed on reboot.
10:38 AM: 00002c3b_436efeb6_000c3859 is in use. It will be removed on reboot.
10:38 AM: 0000798b_436eff61_00014ed3 is in use. It will be removed on reboot.
10:38 AM: 000018be_436efaf4_00054b24 is in use. It will be removed on reboot.
10:38 AM: 0000121f_436eff70_000a8016 is in use. It will be removed on reboot.
10:38 AM: 00001a49_436efdce_0008f4c6 is in use. It will be removed on reboot.
10:38 AM: 000012db_436efc14_0003d416 is in use. It will be removed on reboot.
10:38 AM: 000015a1_436efeb9_0007b3a9 is in use. It will be removed on reboot.
10:38 AM: 0000701f_436efc87_00085781 is in use. It will be removed on reboot.
10:38 AM: 00005f32_436efdce_000bb4e9 is in use. It will be removed on reboot.
10:38 AM: 00006bfc_436efcd3_0000ff00 is in use. It will be removed on reboot.
10:38 AM: 00007f96_436efcdf_000190bc is in use. It will be removed on reboot.
10:38 AM: 00005422_436efeb9_00085023 is in use. It will be removed on reboot.
10:38 AM: 00003ef6_436efeb9_000a2590 is in use. It will be removed on reboot.
10:38 AM: 00005d03_436efc87_0008a5be is in use. It will be removed on reboot.
10:38 AM: dns is in use. It will be removed on reboot.
10:38 AM: 00006952_436efb03_0006631c is in use. It will be removed on reboot.
10:38 AM: 000073da_436eff7b_000df374 is in use. It will be removed on reboot.
10:38 AM: 00007a5a_436efca4_00072534 is in use. It will be removed on reboot.
10:38 AM: 000058b0_436eff7b_000e68d0 is in use. It will be removed on reboot.
10:38 AM: 0000767d_436efca4_0007e8cc is in use. It will be removed on reboot.
10:38 AM: 00004509_436efcb8_000aa414 is in use. It will be removed on reboot.
10:38 AM: 00004e45_436efd4c_000555ee is in use. It will be removed on reboot.
10:38 AM: 000026ca_436eff8f_00086e53 is in use. It will be removed on reboot.
10:38 AM: 00007e87_436efc20_000810ac is in use. It will be removed on reboot.
10:38 AM: 00003699_436eff8f_000a6ade is in use. It will be removed on reboot.
10:38 AM: 00006b36_436efdc1_000687fc is in use. It will be removed on reboot.
10:38 AM: index is in use. It will be removed on reboot.
10:38 AM: 0000390c_436efc24_000b0e6e is in use. It will be removed on reboot.
10:38 AM: spumsapi.exe is in use. It will be removed on reboot.
10:38 AM: 00001238_436efcb8_000c2b44 is in use. It will be removed on reboot.
10:38 AM: 00001cd0_436efeb1_0002a2dc is in use. It will be removed on reboot.
10:38 AM: imeprddm.exe is in use. It will be removed on reboot.
10:38 AM: 00003b25_436efcb9_00010939 is in use. It will be removed on reboot.
10:38 AM: ai_08-11-2005.log is in use. It will be removed on reboot.
10:38 AM: ai_07-11-2005.log is in use. It will be removed on reboot.
10:38 AM: 000056ae_436efd8d_00058a9b is in use. It will be removed on reboot.
10:38 AM: 00006784_436efaf6_00013630 is in use. It will be removed on reboot.
10:38 AM: 00004ae1_436efaf6_000380f8 is in use. It will be removed on reboot.
10:38 AM: 00002cd6_436efafd_00088c24 is in use. It will be removed on reboot.
10:38 AM: 00001649_436efb07_00036b3c is in use. It will be removed on reboot.
10:38 AM: 00001366_436efeb0_000f24f9 is in use. It will be removed on reboot.
10:38 AM: 00005af1_436efbe6_00096371 is in use. It will be removed on reboot.
10:38 AM: 000041bb_436efbe7_000a53c8 is in use. It will be removed on reboot.
10:38 AM: ai_04-11-2005.log is in use. It will be removed on reboot.
10:38 AM: ai_06-11-2005.log is in use. It will be removed on reboot.
10:38 AM: ai_05-11-2005.log is in use. It will be removed on reboot.
10:38 AM: Quarantining All Traces: sdbot
10:38 AM: Quarantining All Traces: apropos
10:38 AM: apropos is in use. It will be removed on reboot.
10:38 AM: wingenerics.dll is in use. It will be removed on reboot.
10:38 AM: Quarantining All Traces: search helping wizard
10:38 AM: Quarantining All Traces: targetsaver
10:38 AM: Preparing to restart your computer. Please wait...
10:38 AM: Removal process completed. Elapsed time 00:01:22
********
10:14 AM: | Start of Session, Tuesday, November 08, 2005 |
10:14 AM: Spy Sweeper started
10:14 AM: Your spyware definitions have been updated.
10:14 AM: Processing Hosts File Alerts
10:14 AM: Fixed Hosts File entry: idenupdate.motorola.com
10:14 AM: Fixed Hosts File entry: idenupdate.motorola.com
10:14 AM: Updating spyware definitions
10:14 AM: Your definitions are up to date.
10:14 AM: Updating spyware definitions
10:14 AM: Your definitions are up to date.
10:16 AM: | End of Session, Tuesday, November 08, 2005 |
Logfile of HijackThis v1.99.1
Scan saved at 10:47:44 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
thank you so much!
-
I still want to see what else may be lurking
Can you do the following please
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run this yet, we'll need it in a bit
==Download and then Install
Ewido Security Suite (http://www.ewido.net/en/download/)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Do another scan with Hijackthis and put a check next to these entries:
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for an alternative method
Find and delete this file if it exists
C:\WINDOWS\system32\Systmesy.exe <-this file
Stay in safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Reboot back to Normal mode
Post a fresh hijackthis log
Also post the whole report from Ewido
We may have to reinstall AVG, it looks corrupt, do you still have it installed?
Note: Do you have Refreshlock installed? I'm just making sure
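The helper above is triaging the HijackThis log by hand: R3/O3 entries that have no name and no file behind them, an O4 Run entry that is a bare executable name with no path, and O20 Winlogon Notify DLLs that are either missing or carry a random-looking name in system32. The script below is an added example for this thread, not code from the forum, from HijackThis or from any tool mentioned here; it applies those same heuristics to a log. The sample lines are taken from the logs posted in this thread, and the allowlist of bare-name Run entries is an assumption seeded from the entries the helper left in place.

```python
"""Heuristic triage of a HijackThis v1.99.1-style log.

Added example for this thread; not code from the forum, from HijackThis or
from any tool named in the thread.  The rules mirror what the helper picks
out by hand:
  * R3/O2/O3 browser hooks, BHOs and toolbars registered with "(no file)"
  * O4 Run entries whose command is a bare executable name with no path
  * O20 Winlogon Notify DLLs that are "(file missing)" or randomly named
"""
import re

# Constructed sample: a handful of lines quoted from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed allowlist: bare-name Run entries the helper left in place in this
# thread (vendor binaries resolved through PATH).  Extend it for your own box.
KNOWN_BARE_NAMES = {"logi_mwx.exe", "cthelper.exe", "atiptaxx.exe", "rundll32.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: .*? - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def first_token(cmd):
    """Return the executable part of a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def looks_random(filename):
    """Crude check for machine-generated names such as enn4l15q1.dll:
    at least two digits in the stem, interleaved with letters."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    digits = sum(ch.isdigit() for ch in stem)
    mixed = re.search(r"\d[a-z]|[a-z]\d", stem) is not None
    return digits >= 2 and mixed


def triage(log_text):
    """Return [(code, line, [reasons])] for every entry a rule fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        reasons = []
        if code in ("R3", "O2", "O3") and "(no file)" in body:
            reasons.append("browser hook/toolbar registered with no file behind it")
        elif code == "O4":
            m4 = O4_RUN_RE.match(body)
            if m4:
                exe = first_token(m4.group("cmd"))
                if "\\" not in exe and exe.lower() not in KNOWN_BARE_NAMES:
                    reasons.append("Run entry is a bare executable name: %s" % exe)
        elif code == "O20":
            m20 = O20_RE.match(body)
            if m20:
                if m20.group("missing"):
                    reasons.append("Winlogon Notify DLL is missing on disk")
                if looks_random(m20.group("path")):
                    reasons.append("Winlogon Notify DLL has a random-looking name")
        if reasons:
            findings.append((code, line, reasons))
    return findings


if __name__ == "__main__":
    for code, line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run it as a script to print the flagged lines with their reasons. The rules are deliberately noisy (a bare-name entry is only as suspicious as the allowlist is complete), so treat the output as a list to review against the log, the way the helper does, not as a list to fix blindly.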
-
Nope, I don't have Refreshlock. I also uninstalled AVG, because yes, it was corrupt. Here's the log. I'm sorry, I had forgotten to save the report from Ewido. It did, however, find 32 infected files.
Logfile of HijackThis v1.99.1
Scan saved at 11:05:03 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\T-Clock\tclock.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
Why is your log so short again????
Are you fixing entries with hijackthis or using msconfig to disable entries??
Please don't do this until we are done!!!!!
Can you go to this site
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Give this site time to load if busy
Use the browse button and navigate to the file on your hard drive
C:\RefreshLock.exe <-this file
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please
Afterwards, I suggest you reinstall AVG
If you don't prefer AVG, and need a free solution
Use either AVAST or BitDefender
Click here for the links (http://www.thetechguide.com/forum/index.php?showtopic=15894)
Only run one AV, more than one can cause more harm than good
After you have an AV reinstalled run a full system scan
Could you also enable everything on startup in msconfig again, leave it this way until we are done
Post back a fresh hijackthis log
-
Sorry about that. It's that I've never had anything checked in startup in MsConfig except T-Clock, that's why. I'll install AVG sometime later. Here are the logs:
File: RefreshLock.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 81473c1f639010a0be2835967e7686c6
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
Logfile of HijackThis v1.99.1
Scan saved at 12:55:13 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\RefreshLock.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
Bump... if you forgot about me.
I'm incredibly grateful for the help you've given me nonetheless.
-
I would think you would remember installing Refreshlock
Let's see if you need it on startup
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Please redownload and install AVG
Make sure you check for updates and run a full system scan
Post one last hijackthis log and let me know how things are
-
Installed and ran AVG. Everything is good. The computer is running great. Thank you so much. Here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 12:00:37 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
I'll assume everything is enabled on startup now
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Find this file and delete it if found
C:\WINDOWS\system32\Systmesy.exe
Come back here and post one last hijackthis log
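The pattern behind the advice in this thread (flag a Run entry that names a bare executable with no directory, a Winlogon Notify DLL with a random-looking name, a NameServer override, a service with no recorded publisher) can be applied mechanically to a HijackThis log. The following Python script is an added example for this thread, not the helper's tool or anything HijackThis itself provides: it parses lines in the v1.99.1 format and returns the entries a human should look at. The sample lines are constructed for the example (the digit-laden O20 DLL name is invented), and the heuristics are my assumptions about what deserves a second look, not a verdict that an entry is malicious: legitimate vendor entries such as CTHELPER.EXE are flagged too, precisely so someone checks the file on disk.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    line: str      # the log line as written
    reason: str    # why a human should look at it


# Constructed sample in HijackThis v1.99.1 line format, modelled on the entry
# types seen in this thread. The O20 line with the digit-laden DLL name is
# made up for the example; it is not taken from any log on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\q7m3k1zx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>.+)$")


def first_token(cmd: str) -> str:
    """Return the executable part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a manual check."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4":
            m = _O4.match(line)
            exe = first_token(m.group("cmd")) if m else ""
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not tell you which file actually runs.
            if exe and "\\" not in exe:
                findings.append(Finding(section, line,
                    "Run entry has no directory; locate the file (usually "
                    "System32) and check its publisher before trusting it"))
        elif section == "O17":
            findings.append(Finding(section, line,
                "NameServer override; confirm these are your ISP's resolvers"))
        elif section == "O20":
            m = _O20.match(line)
            if m:
                base = m.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # Heuristic (assumption): digits in a Notify DLL name suggest a
                # generated name. These DLLs are loaded by winlogon.exe.
                if any(ch.isdigit() for ch in base):
                    findings.append(Finding(section, line,
                        "Winlogon Notify DLL with a random-looking name"))
        elif section == "O23" and "Unknown owner" in line:
            findings.append(Finding(section, line,
                "Service with no recorded publisher; verify the binary on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it as-is to see the five sample entries it flags; to use it on a real log, pass the file contents to `triage()` instead of `SAMPLE_LOG`. Everything it reports still needs the same human judgement shown in this thread: the output is a reading list, not a removal list.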
-
Logfile of HijackThis v1.99.1
Scan saved at 1:15:28 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
OK, can you do this one more time please
Go to start>>run>>type in msconfig
Hit OK
Under the General tab do a Normal startup
Click apply and close but don't restart yet
Post back a fresh hijackthis log
-
Logfile of HijackThis v1.99.1
Scan saved at 1:40:21 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
That looks better, can you do the following please
You can go back now and disable whatever you want with msconfig again
Some final cleanup
If everything is running better, please do the following
You should disable system restore>>>reboot>> and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well
Hold onto SpySweeper for the duration of the trial period if you don't plan on purchasing it
Afterwards, right-click its icon by the system tray clock, shut it down, and then uninstall it
-
Problems appear resolved
Locking this topic
Take care