TheTechGuide Forum
General Category => Tech Clinic => Topic started by: monica_ian_ralliart on February 22, 2006, 12:15:06 AM
-
Someone please help.
I have been getting many pop-ups, and every time I clicked on Internet Explorer, the default website would be www.findthewebsiteyouneed.com. It's so damn F**king annoying. I tried running HijackThis; every time it loads, 5 seconds later the program disappears.
I am also using CWShredder. Can anyone tell me if C:\WINDOWS\winsysban5.exe, C:\WINDOWS\winsysban6.exe and C:\WINDOWS\winsysban7.exe are removable?
Monica
-
winsysban5.exe
winsysban6.exe
winsysban7.exe
are Trojan/Backdoor and should be removed; use Killbox if you cannot remove them.
-
birdman is right
But the best thing you could do
From my signature below, download and save to a permanent folder on your hard drive
Hijackthis 1.99.1
Open Hijackthis.exe
Do a SCAN and Save a Log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.
-
But I can't run HijackThis on my computer. The program disappears immediately when I try to run it. Same for my Task Manager; it doesn't show my Task Manager at all. I was thinking it might have something to do with my computer (it is actually the computer that I use at work), and every time it starts up there is a RUNDLL error message.
-
Can you do the following if you can
Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
I don't normally want to see a HijackThis log from safe mode, but see if you can run a scan and save a logfile in safe mode
Reboot back to Normal mode
Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder
Also hijackthis log if you were able to run it
-
Hey questsolo,
here are the results from WinPFind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! 23/01/2006 9:51:30 AM 12288 C:\drsmartload1.exe
UPX! 23/01/2006 10:51:02 AM 10624 C:\drsmartload419a.exe
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Items found in C:\WINDOWS\hosts
UPX! 01/02/2006 10:20:56 AM 19968 C:\WINDOWS\winsysban4.exe
UPX! 27/01/2006 4:16:30 PM 10752 C:\WINDOWS\winsysupd3.exe
UPX! 01/02/2006 10:20:44 AM 11264 C:\WINDOWS\winsysupd4.exe
Checking %System% folder...
PEC2 29/08/2002 9:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 22/02/2006 1:44:00 PM R S 236615 C:\WINDOWS\SYSTEM32\en0ml1d11.dll
ad-w-a-r-e.com 22/02/2006 1:44:00 PM R S 236615 C:\WINDOWS\SYSTEM32\en0ml1d11.dll
WinShutDown 17/02/2006 6:17:20 PM R S 234374 C:\WINDOWS\SYSTEM32\g0040adqed0e0.dll
ad-w-a-r-e.com 17/02/2006 6:17:20 PM R S 234374 C:\WINDOWS\SYSTEM32\g0040adqed0e0.dll
WinShutDown 14/02/2006 2:28:12 PM R S 236891 C:\WINDOWS\SYSTEM32\i6jq0g15e6.dll
ad-w-a-r-e.com 14/02/2006 2:28:12 PM R S 236891 C:\WINDOWS\SYSTEM32\i6jq0g15e6.dll
WinShutDown 15/02/2006 5:57:20 PM R S 237327 C:\WINDOWS\SYSTEM32\ir2sl5f71.dll
ad-w-a-r-e.com 15/02/2006 5:57:20 PM R S 237327 C:\WINDOWS\SYSTEM32\ir2sl5f71.dll
WinShutDown 22/02/2006 2:21:02 PM R S 233820 C:\WINDOWS\SYSTEM32\ir4ml5h11.dll
ad-w-a-r-e.com 22/02/2006 2:21:02 PM R S 233820 C:\WINDOWS\SYSTEM32\ir4ml5h11.dll
WinShutDown 14/02/2006 6:25:16 PM R S 236693 C:\WINDOWS\SYSTEM32\irp6l57s1.dll
ad-w-a-r-e.com 14/02/2006 6:25:16 PM R S 236693 C:\WINDOWS\SYSTEM32\irp6l57s1.dll
WinShutDown 24/02/2006 12:33:06 PM R S 236917 C:\WINDOWS\SYSTEM32\k6lqlg3516.dll
ad-w-a-r-e.com 24/02/2006 12:33:06 PM R S 236917 C:\WINDOWS\SYSTEM32\k6lqlg3516.dll
WinShutDown 19/03/2006 2:54:32 PM R S 234374 C:\WINDOWS\SYSTEM32\k8no0i53e8.dll
ad-w-a-r-e.com 19/03/2006 2:54:32 PM R S 234374 C:\WINDOWS\SYSTEM32\k8no0i53e8.dll
WinShutDown 17/02/2006 4:39:46 PM R S 234423 C:\WINDOWS\SYSTEM32\ktj6l71s1.dll
ad-w-a-r-e.com 17/02/2006 4:39:46 PM R S 234423 C:\WINDOWS\SYSTEM32\ktj6l71s1.dll
WinShutDown 04/02/2006 6:33:36 PM R S 236662 C:\WINDOWS\SYSTEM32\ktlul7391.dll
ad-w-a-r-e.com 04/02/2006 6:33:36 PM R S 236662 C:\WINDOWS\SYSTEM32\ktlul7391.dll
WinShutDown 03/02/2006 7:46:44 PM R S 236049 C:\WINDOWS\SYSTEM32\l06o0aj3edo.dll
ad-w-a-r-e.com 03/02/2006 7:46:44 PM R S 236049 C:\WINDOWS\SYSTEM32\l06o0aj3edo.dll
WinShutDown 15/02/2006 10:49:56 AM R S 237069 C:\WINDOWS\SYSTEM32\m6po0g73e6.dll
ad-w-a-r-e.com 15/02/2006 10:49:56 AM R S 237069 C:\WINDOWS\SYSTEM32\m6po0g73e6.dll
PEC2 25/11/2005 11:41:50 AM 75264 C:\WINDOWS\SYSTEM32\mswindtc.exe
WinShutDown 22/02/2006 3:32:20 PM R S 236408 C:\WINDOWS\SYSTEM32\mvl4l93q1.dll
ad-w-a-r-e.com 22/02/2006 3:32:20 PM R S 236408 C:\WINDOWS\SYSTEM32\mvl4l93q1.dll
WinShutDown 18/02/2006 12:20:32 PM R S 234374 C:\WINDOWS\SYSTEM32\n08o0al3edq.dll
ad-w-a-r-e.com 18/02/2006 12:20:32 PM R S 234374 C:\WINDOWS\SYSTEM32\n08o0al3edq.dll
Umonitor 29/08/2002 9:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 01/02/2006 2:08:50 PM R S 235978 C:\WINDOWS\SYSTEM32\SvnthCore11Resources.dll
ad-w-a-r-e.com 01/02/2006 2:08:50 PM R S 235978 C:\WINDOWS\SYSTEM32\SvnthCore11Resources.dll
WinShutDown 15/02/2006 10:24:16 AM R S 236693 C:\WINDOWS\SYSTEM32\wahisn.dll
ad-w-a-r-e.com 15/02/2006 10:24:16 AM R S 236693 C:\WINDOWS\SYSTEM32\wahisn.dll
winsync 29/08/2002 9:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
24/02/2006 3:30:48 PM S 2048 C:\WINDOWS\bootstat.dat
21/01/2006 4:11:16 PM H 54156 C:\WINDOWS\QTFont.qfn
04/02/2006 10:49:02 AM S 64 C:\WINDOWS\CSC\00000001
27/01/2006 3:34:10 PM S 64 C:\WINDOWS\CSC\00000002
24/02/2006 3:31:00 PM R S 236918 C:\WINDOWS\system32\damap.dll
24/02/2006 2:14:36 PM R S 236918 C:\WINDOWS\system32\dn0001dme.dll
22/02/2006 1:44:00 PM R S 236615 C:\WINDOWS\system32\en0ml1d11.dll
17/02/2006 6:17:20 PM R S 234374 C:\WINDOWS\system32\g0040adqed0e0.dll
14/02/2006 2:28:12 PM R S 236891 C:\WINDOWS\system32\i6jq0g15e6.dll
15/02/2006 5:57:20 PM R S 237327 C:\WINDOWS\system32\ir2sl5f71.dll
22/02/2006 2:21:02 PM R S 233820 C:\WINDOWS\system32\ir4ml5h11.dll
14/02/2006 6:25:16 PM R S 236693 C:\WINDOWS\system32\irp6l57s1.dll
24/02/2006 12:33:06 PM R S 236917 C:\WINDOWS\system32\k6lqlg3516.dll
19/03/2006 2:54:32 PM R S 234374 C:\WINDOWS\system32\k8no0i53e8.dll
17/02/2006 4:39:46 PM R S 234423 C:\WINDOWS\system32\ktj6l71s1.dll
04/02/2006 6:33:36 PM R S 236662 C:\WINDOWS\system32\ktlul7391.dll
03/02/2006 7:46:44 PM R S 236049 C:\WINDOWS\system32\l06o0aj3edo.dll
15/02/2006 10:49:56 AM R S 237069 C:\WINDOWS\system32\m6po0g73e6.dll
22/02/2006 3:32:20 PM R S 236408 C:\WINDOWS\system32\mvl4l93q1.dll
18/02/2006 12:20:32 PM R S 234374 C:\WINDOWS\system32\n08o0al3edq.dll
24/02/2006 3:29:36 PM R S 236917 C:\WINDOWS\system32\o2840clqefqe0.dll
01/02/2006 2:08:50 PM R S 235978 C:\WINDOWS\system32\SvnthCore11Resources.dll
15/02/2006 10:24:16 AM R S 236693 C:\WINDOWS\system32\wahisn.dll
24/02/2006 3:31:00 PM H 20480 C:\WINDOWS\system32\config\default.LOG
24/02/2006 3:30:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
24/02/2006 3:30:50 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
24/02/2006 3:32:02 PM H 188416 C:\WINDOWS\system32\config\software.LOG
24/02/2006 3:30:48 PM H 913408 C:\WINDOWS\system32\config\system.LOG
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\31DDUENG\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5IBO16R\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XVZY7NWB\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YZ6TKZKZ\desktop.ini
17/01/2006 6:33:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e7590395-07b9-4622-a9aa-82a64bb29a0b
17/01/2006 6:33:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
24/02/2006 3:29:48 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 29/08/2002 9:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 25/01/2003 2:21:00 AM 139264 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 30/01/2001 11:21:04 AM 24683 C:\WINDOWS\SYSTEM32\plugincpl130_02.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
HP Computer Corporation 04/01/2003 2:28:38 AM 122880 C:\WINDOWS\SYSTEM32\UICONFIG.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
25/10/2005 10:33:38 AM 1824 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
27/11/2003 8:59:08 AM 1027 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
03/11/2002 7:35:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
22/04/2005 4:38:34 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
08/06/2005 5:33:28 PM 681 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
12/11/2003 5:33:44 PM 1559 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
02/11/2002 11:22:58 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
25/11/2005 10:35:12 AM 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
03/11/2002 7:35:32 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
02/11/2002 11:22:56 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
25/10/2005 10:43:36 AM 143952 C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
24/04/2005 4:23:22 PM 22080 C:\Documents and Settings\Administrator\Application Data\Microsoft Access.ADR
04/10/2005 11:45:56 AM 38463 C:\Documents and Settings\Administrator\Application Data\Microsoft Excel.ADR
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD} = C:\WINDOWS\system32\SvnthCore11Resources.dll
{72B9F897-78E6-4930-B4FE-80E3091794E6} = C:\WINDOWS\system32\mgiwave.dll
{71B9C6FF-B129-4672-8EC0-5A30B3917BCD} = C:\WINDOWS\system32\damap.dll
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
DrvLsnr C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
srmclean C:\Cpqs\Scom\srmclean.exe
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
win msdt service mswindtc.exe
mlp C:\apace.exe
winsysupd C:\windows\winsysupd10.exe
winsysban C:\windows\winsysban10.exe
gimmygames C:\windows\gimmygames10.exe
spd C:\inp.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
Windows Firewall Monitor C:\inp.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
win msdt service mswindtc.exe
mlp C:\apace.exe
spd C:\inp.exe
Windows Firewall Monitor C:\inp.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
win msdt service mswindtc.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
win msdt service mswindtc.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbjt32
= winbjt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate
= C:\WINDOWS\system32\dn0001dme.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 24/02/2006 3:35:21 PM
Man... this is so long... and the next one is from HijackThis. Sorry that I made you read results from HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 3:47:16 PM, on 24/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\WinPFind\WinPFind\winpfind.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win msdt service] mswindtc.exe
O4 - HKLM\..\Run: [mlp] C:\apace.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [spd] C:\inp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows Firewall Monitor] C:\inp.exe
O4 - HKLM\..\RunServices: [win msdt service] mswindtc.exe
O4 - HKLM\..\RunServices: [mlp] C:\apace.exe
O4 - HKLM\..\RunServices: [spd] C:\inp.exe
O4 - HKLM\..\RunServices: [Windows Firewall Monitor] C:\inp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [win msdt service] mswindtc.exe
O4 - HKCU\..\RunServices: [win msdt service] mswindtc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Teachers-Desk
O17 - HKLM\Software\..\Telephony: DomainName = Teachers-Desk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Teachers-Desk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\dn0001dme.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Many Thanks!
Monica
Sorry that I made you read results from HijackThis in safe mode.
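The two logs above carry the clues a malware analyst reads first: O4 Run/RunServices entries that point at bare executables in C:\ or C:\WINDOWS (or at no path at all, so they are resolved by a PATH search), one file registered under two different value names (C:\inp.exe as both "spd" and "Windows Firewall Monitor"), a Winlogon Notify DLL with a random name registered under a trustworthy-looking subkey ("WindowsUpdate"), and hosts-file entries that sinkhole domains to 127.0.0.1. The script below is an added example by the editor, not code from the thread, from HijackThis or from WinPFind: it applies those heuristics to a constructed sample built from lines of the posted logs. The suspect-directory list, the loopback whitelist and the "subkey name should match DLL name" rule are assumptions of the example, not rules stated in the thread, and a line that is not flagged is not thereby clean.

```python
"""Triage of HijackThis O4/O20 autostart lines and a Windows hosts file.

Added example, not part of the original forum thread. The sample data is
constructed from the logs posted above; the heuristics are the editor's.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4/O20 lines from the posted HijackThis log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [win msdt service] mswindtc.exe
O4 - HKLM\..\Run: [mlp] C:\apace.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [spd] C:\inp.exe
O4 - HKLM\..\Run: [Windows Firewall Monitor] C:\inp.exe
O4 - HKLM\..\RunServices: [spd] C:\inp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\dn0001dme.dll
"""

# Constructed sample hosts file with the two entries WinPFind reported.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com
"""

HJT_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')

# Assumption of this example: legitimate autostart binaries almost never sit
# directly in the drive root or directly in %WinDir%.
SUSPECT_PARENTS = {'c:', 'c:\\windows'}


def target_path(command):
    """Return the file an autostart command actually launches (or loads)."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted long path
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ('rundll32.exe', 'rundll32'):
        # rundll32 is a legitimate host process; the DLL it loads is what matters.
        return tokens[1].split(',')[0] if len(tokens) > 1 else tokens[0]
    return tokens[0] if tokens else cmd


def parent_dir(path):
    p = path.rstrip('\\')
    return p.rsplit('\\', 1)[0].lower() if '\\' in p else ''


def triage_hjt(log_text):
    """Return (reason, evidence) pairs for suspicious O4 and O20 lines."""
    findings = []
    names_by_target = defaultdict(set)          # lowercase path -> value names
    for line in log_text.splitlines():
        m = HJT_O4.match(line)
        if m:
            _hive, _key, name, command = m.groups()
            path = target_path(command)
            names_by_target[path.lower()].add(name)
            if '\\' not in path:
                findings.append(('no path, resolved by PATH search', line))
            elif parent_dir(path) in SUSPECT_PARENTS:
                findings.append(('executable in drive root or bare %WinDir%', line))
            continue
        m = HJT_O20.match(line)
        if m:
            subkey, dll = m.groups()
            base = dll.rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0]
            if base != subkey.lower():           # heuristic: "WindowsUpdate" -> dn0001dme.dll
                findings.append(('Winlogon Notify subkey name does not match DLL', line))
    for path, names in names_by_target.items():
        if len(names) > 1:                       # same file, several value names
            reason = 'one file under %d different value names: %s' % (
                len(names), ', '.join(sorted(names)))
            findings.append((reason, path))
    return findings


LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost'}
SINKHOLE_IPS = {'127.0.0.1', '0.0.0.0', '::1'}


def hosts_sinkholes(hosts_text):
    """Names pointed at loopback/0.0.0.0 that are not the standard local aliases.

    Malware adds such entries to block security and removal-tool sites; ad-blocking
    hosts files do the same legitimately, so review the list rather than treating
    every hit as hostile.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            hits.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return hits


if __name__ == '__main__':
    for reason, evidence in triage_hjt(SAMPLE_HJT_LOG):
        print('%-55s %s' % (reason, evidence))
    print('hosts sinkholes:', hosts_sinkholes(SAMPLE_HOSTS))
```

Run against the sample, the script flags mswindtc.exe (no path), C:\apace.exe and C:\windows\winsysupd10.exe (bad directory), all three C:\inp.exe lines plus a note that one file carries two value names, and the WindowsUpdate notify DLL; the hosts check returns www.qoologic.com and www.urllogic.com. Both functions take the log text as a string, so they can be pointed at a real HijackThis log or C:\WINDOWS\system32\drivers\etc\hosts read from disk.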
-
Sorry for the delay
Let's get you started,
== Download Hoster.zip (http://www.funkytoad.com/download/hoster.zip) and unzip it to a folder of its own
Open Hoster
Click the "Backup Hosts File"
Then select the "Restore Original Hosts" button
==Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe).
* Save it to desktop or a folder
==Download CWShredder.exe (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe) and save to your desktop, don't run yet
==Download and Install
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
==If you don't have the latest version of Ad-Aware installed
Download and Install
Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
Copy the rest of these instructions to Notepad please
Go to Start>>run>>type in Notepad
Hit OK
This will open a blank notepad
Save these instructions for use in safe mode
Reboot back to safe mode
In safe mode
=Open Killbox.exe
Copy the file name below and paste it to the Full path of file to delete in Killbox
C:\WINDOWS\winsysban4.exe
Then click the Red Circle with the White X
Allow to delete the file and make backup
Do the same with the rest of these
Don't worry about any file not found messages
==================================
C:\WINDOWS\winsysupd3.exe
C:\WINDOWS\SYSTEM32\mswindtc.exe
C:\windows\gimmygames10.exe
C:\inp.exe
C:\apace.exe
=================================
==Double click to run CWShredder.exe
Click on the FIX button, let it run and fix what it finds
When it's done, close it out
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Run Hoster again and "Restore Original hosts"
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [win msdt service] mswindtc.exe
O4 - HKLM\..\Run: [mlp] C:\apace.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [spd] C:\inp.exe
O4 - HKLM\..\Run: [Windows Firewall Monitor] C:\inp.exe
O4 - HKLM\..\RunServices: [win msdt service] mswindtc.exe
O4 - HKLM\..\RunServices: [mlp] C:\apace.exe
O4 - HKLM\..\RunServices: [spd] C:\inp.exe
O4 - HKLM\..\RunServices: [Windows Firewall Monitor] C:\inp.exe
O4 - HKCU\..\Run: [win msdt service] mswindtc.exe
O4 - HKCU\..\RunServices: [win msdt service] mswindtc.exe
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox, then
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.
Return to Normal mode
I'll want to see a couple logs later, but can you do this first please
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first and letting me see a log.
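The O4 lines the helper ticks off above follow a pattern (a bare filename with no path, an executable sitting directly in C:\ or C:\WINDOWS, entries under the RunServices key). As an added example, not part of the thread, of HijackThis or of the fix procedure, here is a small defender-side triage script for such lines. It assumes HijackThis 1.99.1's "O4 - <hive>\..\<key>: [<name>] <command>" layout, takes its sample lines and known-bad names from the logs posted in this thread, and its heuristics are the example's own: they sort entries for review, they do not give a verdict.

```python
r"""Triage O4 (autostart) lines from a HijackThis-style log.

Added example for this thread; not HijackThis code. It parses
"O4 - <hive>\..\<key>: [<name>] <command>" lines and flags the patterns
the helper above is fixing by hand.
"""
import re
from dataclasses import dataclass

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Finding:
    name: str
    target: str
    reasons: list

def split_command(cmd):
    """Return (first token, remainder); the first token may be a quoted path containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def autostart_target(cmd):
    """The file that actually runs: for rundll32 that is the DLL argument, not rundll32 itself."""
    exe, rest = split_command(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll, _ = split_command(rest)
        return dll.split(",", 1)[0]          # strip the ",EntryPoint" suffix
    return exe

def triage_o4(lines, known_bad=()):
    """Return a Finding for every registry O4 autostart whose target looks out of place."""
    known_bad = {n.lower() for n in known_bad}
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:                             # "O4 - Global Startup" (.lnk) lines and non-O4 lines are skipped
            continue
        target = autostart_target(m["cmd"])
        low = target.lower()
        reasons = []
        if "\\" not in low:
            reasons.append("bare filename, resolved through the search path")
        elif re.fullmatch(r"c:\\[^\\]+", low):
            reasons.append("executable directly under C:\\")
        elif re.fullmatch(r"c:\\windows\\[^\\]+", low):
            reasons.append("executable directly under C:\\WINDOWS")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices key is only honoured by Windows 9x/ME; normally empty on XP")
        if low.rsplit("\\", 1)[-1] in known_bad:
            reasons.append("name is on the known-bad list")
        if reasons:
            findings.append(Finding(m["name"], target, reasons))
    return findings

# Constructed sample: O4 lines copied from the logs in this thread, clean and suspect mixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [win msdt service] mswindtc.exe
O4 - HKLM\..\Run: [mlp] C:\apace.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\RunServices: [spd] C:\inp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
KNOWN_BAD = ["mswindtc.exe", "winsysban10.exe", "apace.exe", "inp.exe"]   # names from the thread

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG.splitlines(), KNOWN_BAD):
        print(f"[{f.name}] {f.target}: {'; '.join(f.reasons)}")
```

The rundll32 special case matters: without it the legitimate NvCplDaemon entry would be flagged as a bare filename, which is exactly the kind of false positive that makes people stop reading such reports.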
-
Hi quest,
that's a lot of steps man, phew...
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvn6l95s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbjt32]
"Asynchronous"=dword:00000001
"DllName"="winbjt32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BD00B513-6FC7-2C3E-4A96-986C8CD6B525}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}"=""
"{72B9F897-78E6-4930-B4FE-80E3091794E6}"=""
"{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\InprocServer32]
@="C:\\WINDOWS\\system32\\SvnthCore11Resources.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\InprocServer32]
@="C:\\WINDOWS\\system32\\mgiwave.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\InprocServer32]
@="C:\\WINDOWS\\system32\\ksdhela3.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ksdhela3.dll Tue Feb 28 2006 6:58:48p ..S.R 234,077 228.59 K
kt2ul7~1.dll Tue Feb 28 2006 6:58:46p ..S.R 236,004 230.47 K
mvn6l9~1.dll Tue Feb 28 2006 5:48:46p ..S.R 234,077 228.59 K
s32evnt1.dll Tue Jan 3 2006 3:31:44p A.... 91,904 89.75 K
4 items found: 4 files (3 H/S), 0 directories.
Total of file sizes: 796,062 bytes 777.40 K
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 462B-73DE
Directory of C:\WINDOWS\System32
28/02/2006 06:58 PM 234,077 ksdhela3.dll
28/02/2006 06:58 PM 236,004 kt2ul7f91.dll
28/02/2006 05:48 PM 234,077 mvn6l95s1.dll
28/02/2006 05:46 PM <DIR> dllcache
11/08/2003 03:58 PM 32 {A7D34F66-7DE2-49E8-87B9-4638E35B3056}.dat
07/08/2003 04:45 AM <DIR> Microsoft
4 File(s) 704,190 bytes
2 Dir(s) 28,136,927,232 bytes free
Thanks dude.
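The Winlogon\Notify export in that log is where the infection hides: the stock notification packages name a bare DLL in System32, while "App Management" points at a full path to a randomly named DLL and "winbjt32" is not a Windows package at all. As an added example (not L2MFix code and not part of the thread), here is a parser for that regedit export format which also decodes the hex(2) DllName values regedit emits for REG_EXPAND_SZ, and compares each package with the stock Windows XP set. The baseline list is the example's assumption (vendor software such as graphics drivers legitimately adds packages of its own, so an unlisted entry means "review"), and the sample excerpt is constructed from the entries in the logs above.

```python
r"""Audit a .reg export of the Winlogon\Notify key for unexpected notification packages.

Added example; not part of the thread and not L2MFix code. Parses the regedit
export shown in the log above, decodes hex(2) values, and checks each package.
"""
import re
from dataclasses import dataclass

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption for this example: the stock XP notification packages and the DLL each names.
# Vendor software may legitimately add more, so "not in baseline" means review, not malware.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

def _join_continuations(lines):
    """Glue hex values that regedit wraps with a trailing backslash back into one line."""
    out, pending = [], ""
    for raw in lines:
        line = (pending + raw.strip()) if pending else raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        out.append(line)
    if pending:
        out.append(pending)
    return out

def decode_value(raw):
    """Decode one .reg value: quoted string, dword, or hex data (hex(2) = REG_EXPAND_SZ, UTF-16LE)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):        # REG_SZ / REG_EXPAND_SZ exported as hex
            return data.decode("utf-16-le").rstrip("\x00")
        return data                          # REG_BINARY and other types stay raw
    return raw                               # "-" delete markers and anything unrecognised

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a 'Windows Registry Editor 5.00' export."""
    keys, current = {}, None
    for line in _join_continuations(text.splitlines()):
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current]["@" if name == "@" else name.strip().strip('"')] = decode_value(raw)
    return keys

@dataclass
class Finding:
    package: str
    dll: str
    reasons: list

def audit_notify(keys, baseline=BASELINE):
    """Flag Notify subkeys that are not stock, use a full path, or name an unexpected DLL."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        lowered = {n.lower(): v for n, v in values.items()}   # value names are case-insensitive
        dll = lowered.get("dllname", "")
        dll = dll if isinstance(dll, str) else ""
        reasons, expected = [], baseline.get(package.lower())
        if expected is None:
            reasons.append("package not in the stock XP notify set")
        elif dll.lower() != expected:
            reasons.append(f"expected {expected}, found {dll or '<none>'}")
        if "\\" in dll:
            reasons.append("DllName is a full path; stock packages use a bare name loaded from System32")
        if reasons:
            findings.append(Finding(package, dll, reasons))
    return findings

# Constructed excerpt modelled on the export in the log above (entries taken from this thread).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvn6l95s1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbjt32]
"Asynchronous"=dword:00000001
"DllName"="winbjt32.dll"
"Startup"="EvtStartup"
"""

if __name__ == "__main__":
    for f in audit_notify(parse_reg(SAMPLE_EXPORT)):
        print(f"{f.package}: {f.dll or '<no DllName>'} -> {'; '.join(f.reasons)}")
```

Run against the full export from the fix log, the same checker would also surface the leftover "Shell Extensions" package that still points at the deleted kt2ul7f91.dll, which is the kind of dangling Winlogon entry worth cleaning up after the files are gone.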
-
Close all other open windows
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log.
Post this log back here please, along with a fresh hijackthis log
Could you also post the Ewido report you saved earlier please
-
Alright, here u go this is the log file from l2mfix:
L2mfix 010406
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 480 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 552 'winlogon.exe'
Killing PID 552 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 228 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1504 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\k8jsli1718.dll
Successfully Deleted: C:\WINDOWS\system32\k8jsli1718.dll
Deleting: C:\WINDOWS\system32\kt2ul7f91.dll
Successfully Deleted: C:\WINDOWS\system32\kt2ul7f91.dll
Deleting: C:\WINDOWS\system32\nnlsapi.dll
Successfully Deleted: C:\WINDOWS\system32\nnlsapi.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt2ul7f91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbjt32]
"Asynchronous"=dword:00000001
"DllName"="winbjt32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\k8jsli1718.dll
C:\WINDOWS\system32\kt2ul7f91.dll
C:\WINDOWS\system32\nnlsapi.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}\InprocServer32]
@="C:\\WINDOWS\\system32\\SvnthCore11Resources.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}\InprocServer32]
@="C:\\WINDOWS\\system32\\mgiwave.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}\InprocServer32]
@="C:\\WINDOWS\\system32\\nnlsapi.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}"=-
"{72B9F897-78E6-4930-B4FE-80E3091794E6}"=-
"{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A2FB58C9-164D-4FB6-88C1-300F01D6BBBD}]
[-HKEY_CLASSES_ROOT\CLSID\{72B9F897-78E6-4930-B4FE-80E3091794E6}]
[-HKEY_CLASSES_ROOT\CLSID\{71B9C6FF-B129-4672-8EC0-5A30B3917BCD}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/k8jsli1718.dll (164 bytes security) (deflated 4%)
adding: dlls/kt2ul7f91.dll (164 bytes security) (deflated 5%)
adding: dlls/nnlsapi.dll (164 bytes security) (deflated 5%)
adding: backregs/71B9C6FF-B129-4672-8EC0-5A30B3917BCD.reg (212 bytes security) (deflated 70%)
adding: backregs/72B9F897-78E6-4930-B4FE-80E3091794E6.reg (212 bytes security) (deflated 70%)
adding: backregs/A2FB58C9-164D-4FB6-88C1-300F01D6BBBD.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 77%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Log file from hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:12:31 AM, on 01/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [win msdt service] mswindtc.exe
O4 - HKCU\..\RunServices: [win msdt service] mswindtc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Teachers-Desk
O17 - HKLM\Software\..\Telephony: DomainName = Teachers-Desk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Teachers-Desk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kt2ul7f91.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Log file from Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 6:38:16 PM, 28/02/2006
+ Report-Checksum: F89593E0
+ Scan result:
[632] C:\WINDOWS\system32\mrpmsp.dll -> Adware.Look2Me : Error during cleaning
[712] C:\WINDOWS\system32\mrpmsp.dll -> Adware.Look2Me : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831170103.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831170103.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831170103.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831170103.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831174456.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831174456.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831174456.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831174456.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831180146.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831180146.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831180146.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831184122.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831184122.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831184122.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831184122.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113529.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113940.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113940.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113940.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901113940.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901114156.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050901114156.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902124503.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902124503.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902124503.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902124503.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902124503.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903101552.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903101552.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903101552.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903101552.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903101552.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903153214.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903153214.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903153214.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903153214.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050903153214.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050904110943.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050904110943.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050904110943.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050904110943.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050904110943.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050905084536.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050905084536.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050905084536.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050905084536.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050905084536.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050906084155.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050906084155.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050906084155.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050906084155.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050906084155.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907085345.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907085345.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907085345.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907085345.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907085345.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050908084509.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050909090322.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050910124907.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050913094059.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050914103700.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050915105857.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050916114543.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050917101413.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050918111612.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050920094702.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsS.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsB.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsS.to_be_deleted -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050921102730.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20060126184236.zip/Program Files/common files/wintools/WToolsB.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20060126184236.zip/Program Files/common files/wintools/WToolsS.to_be_deleted_x -> Adware.Wintol : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp\sfbho.dll -> Adware.SideFind : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\common.dll -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\PIB.exe -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\TBPS.exe -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\TBPSSvc.exe -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp\toolbar.dll -> Adware.WebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp\bin\nls.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp\sais.exe -> Adware.180Solutions : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.vr : Cleaned with backup
C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
C:\WINDOWS\system32\AdService.dll -> Trojan.Agent.og : Cleaned with backup
C:\WINDOWS\system32\en0ml1d11.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g0040adqed0e0.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i6jq0g15e6.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ir2sl5f71.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ir4ml5h11.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ir8sl5l71.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\irp6l57s1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k6lqlg3516.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k8no0i53e8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktj6l71s1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktlul7391.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kzdest.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l06o0aj3edo.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m6po0g73e6.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvl4l93q1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\n08o0al3edq.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\SvnthCore11Resources.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sxsvc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wahisn.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\winbjt32.dll -> Trojan.Agent.og : Cleaned with backup
C:\WINDOWS\Temp\~483948.tmp -> Adware.Wintol : Error during cleaning
C:\WINDOWS\Temp\~540970.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~585342.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~615033.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~707015.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~779169.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~783512.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~785394.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~869831.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\Temp\~873933.tmp -> Adware.Wintol : Error during cleaning
C:\WINDOWS\Temp\~878524.tmp -> Downloader.Wintool.a : Error during cleaning
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysban3.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\WINDOWS\winsysban9.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd4.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd5.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd6.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd9.exe -> Downloader.VB.wy : Cleaned with backup
C:\winsysban5.exe -> Hijacker.VB.kc : Cleaned with backup
::Report End
-
Can you enter Yahoo's antispyware quarantine area and delete all backup (zip) files
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [win msdt service] mswindtc.exe
O4 - HKCU\..\RunServices: [win msdt service] mswindtc.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kt2ul7f91.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Windows CleanUp! one more time please
REBOOT the computer
Back in Windows post a fresh hijackthis log and let me know how things are running
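As an added example (not part of the thread and not a HijackThis feature), here is a small Python triage script that applies the reasoning behind the fix list above to HijackThis log lines: an O4 autostart whose command is a bare file name with no path, an entry under a RunServices key, and an O20 Winlogon Notify package whose DLL is missing or has a machine-generated-looking name. The sample lines are copied from the log posted above; the name-randomness heuristic and the threshold it uses are this example's own assumption.

```python
"""Triage helper for HijackThis-style startup logs (added example, not HJT code)."""
import re
from typing import List, NamedTuple

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, with a few benign lines from the same log kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [win msdt service] mswindtc.exe
O4 - HKCU\..\RunServices: [win msdt service] mswindtc.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kt2ul7f91.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O20_RE = re.compile(
    r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>\S+)(?P<missing> \(file missing\))?$'
)


class Finding(NamedTuple):
    section: str   # HijackThis section the line came from (O4, O20)
    reasons: tuple # why the entry deserves a second look
    line: str      # the original log line


def image_path(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def looks_random(stem: str) -> bool:
    """Heuristic (our assumption, not a HijackThis rule): count letter/digit
    alternations in the file stem. Names such as kt2ul7f91 alternate several
    times; ordinary names such as nvsvc32 or ctfmon alternate at most once."""
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\x1y2z3.dll' -> 'x1y2z3'."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O4 / O20 line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = []
            exe = image_path(m.group('cmd'))
            if '\\' not in exe:
                # No directory: Windows resolves the name by search order, and
                # legitimate installers almost always write a full path.
                reasons.append(f'autostart uses bare file name {exe!r} (no path)')
            if m.group('key').endswith('RunServices'):
                # RunServices keys are a Windows 9x mechanism; on XP an entry
                # there is usually written by a dropper, not by real software.
                reasons.append('entry under RunServices key, not used by Windows XP')
            if looks_random(file_stem(exe)):
                reasons.append(f'file name {file_stem(exe)!r} looks machine-generated')
            if reasons:
                findings.append(Finding('O4', tuple(reasons), line))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = []
            dll = m.group('dll')
            if m.group('missing'):
                # A Notify package whose DLL is gone is an orphaned loader left
                # behind by a partial clean-up; it still runs at every logon
                # attempt and should be removed from the registry.
                reasons.append('Winlogon Notify package points at a DLL that no longer exists')
            if looks_random(file_stem(dll)):
                reasons.append(f'DLL name {file_stem(dll)!r} looks machine-generated')
            if reasons:
                findings.append(Finding('O20', tuple(reasons), line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.section}] {f.line}')
        for r in f.reasons:
            print(f'      - {r}')
```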
-
Logfile of HijackThis v1.99.1
Scan saved at 5:08:55 PM, on 01/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Teachers-Desk
O17 - HKLM\Software\..\Telephony: DomainName = Teachers-Desk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Teachers-Desk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
everything is ok right now, no annoying pop ups as yet... Many thanks. any last steps? Do you recommend me to keep those programs? or can I uninstall some of them because it's all over my desktop right now hahaha....
-
Can you do the following please
For extra protection
*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
I would like to see one more log again
Can you run WinPFind again please
You can run it in normal mode, but after you click
Start Scan
Don't open or close any windows, let it finish, when the log opens post the contents back here please
Then we'll do some final steps and I'll let you know what you can delete or remove
-
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Items found in C:\WINDOWS\hosts
Checking %System% folder...
PEC2 29/08/2002 9:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 29/08/2002 9:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 29/08/2002 9:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com
qoologic 28/02/2006 5:48:52 PM 1554 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
urllogic 28/02/2006 5:48:52 PM 1554 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
02/03/2006 11:11:04 AM S 2048 C:\WINDOWS\bootstat.dat
21/01/2006 4:11:16 PM H 54156 C:\WINDOWS\QTFont.qfn
02/03/2006 11:11:04 AM S 64 C:\WINDOWS\CSC\00000001
27/01/2006 3:34:10 PM S 64 C:\WINDOWS\CSC\00000002
02/03/2006 3:11:28 PM H 1024 C:\WINDOWS\system32\config\default.LOG
02/03/2006 5:14:58 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
02/03/2006 5:11:20 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
02/03/2006 5:34:34 PM H 1024 C:\WINDOWS\system32\config\software.LOG
02/03/2006 12:13:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\31DDUENG\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5IBO16R\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XVZY7NWB\desktop.ini
27/01/2006 4:07:36 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YZ6TKZKZ\desktop.ini
17/01/2006 6:33:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e7590395-07b9-4622-a9aa-82a64bb29a0b
17/01/2006 6:33:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
02/03/2006 11:11:04 AM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 29/08/2002 9:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 25/01/2003 2:21:00 AM 139264 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 30/01/2001 11:21:04 AM 24683 C:\WINDOWS\SYSTEM32\plugincpl130_02.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
HP Computer Corporation 04/01/2003 2:28:38 AM 122880 C:\WINDOWS\SYSTEM32\UICONFIG.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
25/10/2005 10:33:38 AM 1824 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
27/11/2003 8:59:08 AM 1027 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
03/11/2002 7:35:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
22/04/2005 4:38:34 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
08/06/2005 5:33:28 PM 681 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
12/11/2003 5:33:44 PM 1559 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
02/11/2002 11:22:58 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
25/11/2005 10:35:12 AM 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
03/11/2002 7:35:32 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
02/11/2002 11:22:56 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
25/10/2005 10:43:36 AM 143952 C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
24/04/2005 4:23:22 PM 22080 C:\Documents and Settings\Administrator\Application Data\Microsoft Access.ADR
04/10/2005 11:45:56 AM 38463 C:\Documents and Settings\Administrator\Application Data\Microsoft Excel.ADR
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
DrvLsnr C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
srmclean C:\Cpqs\Scom\srmclean.exe
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 02/03/2006 5:35:07 PM
-
Can you again, Open HOSTER
Click on "Restore Original Hosts"
Ok the prompt
Then open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open In Notepad" button
A text file will open, copy and paste back here the whole contents please
Let me know how things are running
-
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
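The helper checks the restored hosts file by eye; the script below does the same check mechanically. It is an added example, not the forum's or HOSTER's own code: it parses the file the way the resolver does (first column an address, the rest names, "#" starting a comment) and reports every mapping that is not the stock "127.0.0.1 localhost" line, telling names sinkholed to loopback (as the two qoologic/urllogic lines in the WinPFind log above were) apart from names redirected to another host. The STOCK_HOSTS text is the default file posted above; the redirect sample and the wrapped line are constructed.

```python
"""Audit of a Windows hosts file against the stock one (added example)."""
import ipaddress
from typing import NamedTuple


class Mapping(NamedTuple):
    line: int
    ip: str      # "?" when the first column was not an address
    host: str


def parse_hosts(text: str) -> list[Mapping]:
    """Return every (line, ip, host) mapping; comments and blanks are skipped."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            # Not an address in the first column (e.g. a comment line that lost
            # its '#' when wrapped, as in the forum paste); report it verbatim.
            mappings.append(Mapping(lineno, "?", body))
            continue
        for host in fields[1:]:
            mappings.append(Mapping(lineno, str(ip), host.lower()))
    return mappings


# The only mapping a stock XP hosts file carries.
DEFAULT_MAPPINGS = {("127.0.0.1", "localhost")}


def audit(text: str) -> list[tuple[Mapping, str]]:
    """Return (mapping, verdict) for every entry that is not stock."""
    findings = []
    for m in parse_hosts(text):
        if (m.ip, m.host) in DEFAULT_MAPPINGS:
            continue
        if m.ip == "?":
            verdict = "malformed"
        elif ipaddress.ip_address(m.ip).is_loopback:
            verdict = "sinkholed"    # name silently resolves to this machine
        else:
            verdict = "redirected"   # name is sent to another host; verify it
        findings.append((m, verdict))
    return findings


# The default file as posted in this thread (copyright sign written as "(c)").
STOCK_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
"""

# The two extra lines WinPFind reported earlier in this thread.
THREAD_HOSTS = STOCK_HOSTS + "127.0.0.1 www.qoologic.com\n127.0.0.1 www.urllogic.com\n"

# Constructed: a name pointed at a non-loopback address (a real hijack shape).
CONSTRUCTED_REDIRECT = STOCK_HOSTS + "10.0.0.5 www.example.com # constructed\n"

if __name__ == "__main__":
    for label, text in (("stock", STOCK_HOSTS), ("thread", THREAD_HOSTS),
                        ("redirect", CONSTRUCTED_REDIRECT)):
        for m, verdict in audit(text):
            print(f"{label}: line {m.line} {m.ip} {m.host} -> {verdict}")
```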
-
Looks good
*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of "Turn off system restore"
This will re-enable the System Restore feature and create a new restore point
Protect yourself against Future Attacks
Hold onto SpywareBlaster 3.5.1
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*Check for updates with your anti-spyware programs and run a scan on a regular basis
A great addition to Ad-Aware
is Spybot 1.4, I recommend installing it if you don't have it
You can download it from HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check all boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
RESTART the computer if any Red entries were fixed
Please Immunize after every update
Now would be a good time to Defragment your system if you haven't done it in awhile
*Keep up to date on Windows updates
This is the most important step in keeping your system secure
Service Pack 2 for Windows has been out for some time now and you still haven't updated
We have done steps to prepare your system for the installation
Please read this link
http://www.microsoft.com/windowsxp/sp2/default.mspx
Read the page>>Take note of the link What to know before you download and install
In addition: Make sure you keep up on Microsoft Office updates
You will find a link at Windows Updates named "Office Family"
*Make sure your Firewall is enabled and running
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission
SP2 supplies a sufficient firewall, or you can install one from this LINK (http://www.thetechguide.com/forum/index.php?showtopic=15894)
The ones at the link will provide a more controlled environment, I consider them better protection
ONLY use ONE software firewall please, this includes the one in SP2
More than one will cause conflicts
You may also choose to hold onto Ewido and CleanUp!
Ewido will become a Limited version in a couple weeks
It's still a very good scanner to update and run once a month
What to delete,
Manually delete WinPFind.zip and the Folder
Remove CWShredder.exe
Delete Killbox.exe, you can also delete the folder killbox made>>C:\!Killbox
Delete Hoster.zip and the .exe
Delete L2Mfix.exe and the .zip file
If you're happy with the way everything is running, remove Hijackthis from add/remove programs and then delete the Hijackthis folder on the desktop
SpywareBlaster>>Ewido>>Spybot 1.4>>Ad-Aware>>CleanUp!
The above you will never want to manually delete, they have uninstallers, but HOLD onto all of them
The installers for these programs, if they still remain on the desktop, go ahead and delete them
The Shortcuts to the programs
I suggest you create a new folder on the desktop, call it something like "Malware"
Move the shortcuts to that new folder
Stay safe
-
Once again, thank you very much, no more pop ups... phew...
-
Glad to help, take care and stay safe
This topic is now locked as the problems appear resolved