Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - cthunter30

Pages: [1]

Tech Clinic / Need help to remove spyware!!!

« on: November 15, 2005, 11:31:24 PM »

OK, I am not sure whether I will still receive the message ..."atapi.sys is opened or in used" but I will try it out firist to install window service pack 1a again.

Thanks for all the guide and here is the latest hijiackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 12:25:36 PM, on 11/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\Program Files\VeriSign\NAVI\naviagent.exe
J:\WINDOWS\System32\nvsvc32.exe
J:\Program Files\Spyware Doctor\sdhelp.exe
J:\WINDOWS\system32\slserv.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
J:\WINDOWS\System32\devldr32.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Creative\ShareDLL\CtNotify.exe
J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
J:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
J:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Creative\ShareDLL\Mediadet.exe
J:\WINDOWS\System32\rundll32.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
J:\Program Files\BitComet\BitComet.exe
D:\Downloads\software\Antivirus and Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [Disc Detector] J:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] J:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "J:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = J:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capture All &Flash Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCWnd.htm
O8 - Extra context menu item: Capture All &Image Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCAll.htm
O8 - Extra context menu item: Capture Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCCom.htm
O8 - Extra context menu item: Capture Web &Page to Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCDoc.htm
O8 - Extra context menu item: Download All by FlashGet - J:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - J:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: ¶«·½¿ì³µ-Ê¹ÓÃ¸öÈËÔÄ¶ÁÖúÀí·ÒëËùÑ¡ÎÄ±¾ - E:\Program Files\!Sunv\DFKC2003\ExtKW.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - J:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra 'Tools' menuitem: Super&Capture - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: SuperCapture - {EA0C6C8A-1815-43fc-B117-0DDF22ADC993} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4991DFA-152F-4EDA-8303-57F78115174A}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: WRNotifier - J:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - E:\Program Files\VeriSign\NAVI\naviagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - J:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - J:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - J:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Tech Clinic / Need help to remove spyware!!!

« on: November 15, 2005, 09:57:06 AM »

I guess I have already get rid of the annoying spyware.. I am not sure though as normally the popup will appear in less than a minute time but now I have already online for about 10 mins and still no pop up appears.

There was something different on the l2mfix part as following through your clean up instruction. After "run fix" and reboot, L2mfix did continue to run for a while and upon completion, all the desktop icons did not turn up and there was no notepad open with a log as well. End up I have to press the hard reset button to restart windows and I run the second.bat and the exact same thing happen again. Anyway, I checked back the L2mfix directory and found a file name log.txt. It should be the file that you mentioned.

So, do I still need to update the window service pack 1a?

OK, the following are all the logs that you request.

SpySweeper Log

********
8:47 PM: | Start of Session, Tuesday, November 15, 2005 |
8:47 PM: Spy Sweeper started
8:47 PM: Sweep initiated using definitions version 572
8:47 PM: Starting Memory Sweep
8:48 PM: Found Adware: icannnews
8:48 PM: Detected running threat: J:\WINDOWS\system32\hrrs0597e.dll (ID = 83)
8:48 PM: Detected running threat: J:\WINDOWS\system32\ryched32.dll (ID = 83)
8:49 PM: Memory Sweep Complete, Elapsed Time: 00:02:05
8:49 PM: Starting Registry Sweep
8:50 PM: Found Adware: redswoosh
8:50 PM: HKLM\software\microsoft\windows\currentversion\uninstall\rsnet edn\ (2 subtraces) (ID = 139312)
8:50 PM: Found Adware: virtualbouncer
8:50 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
8:50 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
8:50 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
8:50 PM: Found Adware: cnsmin
8:50 PM: HKU\S-1-5-21-527237240-1682526488-854245398-1003\software\microsoft\internet explorer\main\ || cnssearch (ID = 106227)
8:50 PM: HKU\S-1-5-21-527237240-1682526488-854245398-1003\software\red swoosh\ (18 subtraces) (ID = 139301)
8:50 PM: Registry Sweep Complete, Elapsed Time:00:00:09
8:50 PM: Starting Cookie Sweep
8:50 PM: Found Spy Cookie: yieldmanager cookie
8:50 PM: [email protected][2].txt (ID = 3751)
8:50 PM: Found Spy Cookie: azjmp cookie
8:50 PM: ct@azjmp[1].txt (ID = 2270)
8:50 PM: Found Spy Cookie: a cookie
8:50 PM: ct@a[1].txt (ID = 2027)
8:50 PM: Found Spy Cookie: belnk cookie
8:50 PM: ct@belnk[1].txt (ID = 2292)
8:50 PM: [email protected][2].txt (ID = 2293)
8:50 PM: Found Spy Cookie: starware.com cookie
8:50 PM: [email protected][2].txt (ID = 3442)
8:50 PM: Found Spy Cookie: kinghost cookie
8:50 PM: ct@kinghost[1].txt (ID = 2903)
8:50 PM: Found Spy Cookie: nextag cookie
8:50 PM: ct@nextag[1].txt (ID = 5014)
8:50 PM: Found Spy Cookie: rn11 cookie
8:50 PM: ct@rn11[2].txt (ID = 3261)
8:50 PM: [email protected][1].txt (ID = 3442)
8:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:50 PM: Starting File Sweep
8:50 PM: Found Adware: command
8:50 PM: mte3ndi6odoxng.exe (ID = 185985)
8:50 PM: Found Adware: bullguard popup ad
8:50 PM: bulldownload.exe (ID = 52017)
8:52 PM: bulldownload.exe (ID = 52017)
8:58 PM: cnsminaf.cab (ID = 53256)
8:59 PM: cnsminex.cab (ID = 53262)
9:00 PM: Found Adware: netsonic
9:00 PM: installdll.dll (ID = 70921)
9:04 PM: cnsmin.inf (ID = 53254)
9:04 PM: cnsmin.inf (ID = 53254)
9:04 PM: chinese keyword.url (ID = 53240)
9:04 PM: clean internet access record.url (ID = 53242)
9:04 PM: about chinese keyword.url (ID = 53218)
9:04 PM: cnsmincg.ini (ID = 53257)
9:04 PM: Found Adware: azsearch toolbar
9:04 PM: azesearch.inf (ID = 50329)
9:04 PM: j:\program files\rsnet (8 subtraces) (ID = -2147480402)
9:06 PM: azebar.xml (ID = 185679)
9:06 PM: iasada.dll_tobedeleted (ID = 50344)
9:06 PM: Found Adware: dollarrevenue
9:06 PM: drsmartload95a.exe (ID = 186203)
9:07 PM: installdll.dll (ID = 70921)
9:08 PM: azesearch4.ocx (ID = 50337)
9:09 PM: cnsmin.inf (ID = 53254)
9:09 PM: sak.vbs (ID = 185675)
9:09 PM: Warning: Unhandled Archive Type
9:10 PM: Warning: Unhandled Archive Type
9:10 PM: Warning: Invalid file - not a PKZip file
9:10 PM: Warning: Unhandled Archive Type
9:10 PM: Warning: Unhandled Archive Type
9:10 PM: Warning: Invalid file - not a PKZip file
9:11 PM: Warning: Unhandled Archive Type
9:11 PM: Warning: Invalid file - not a PKZip file
9:11 PM: Warning: Invalid file - not a PKZip file
9:11 PM: Warning: Unhandled Archive Type
9:11 PM: Warning: Unhandled Archive Type
9:11 PM: Warning: Unhandled Archive Type
9:11 PM: Warning: Unhandled Archive Type
9:12 PM: Warning: Unhandled Archive Type
9:13 PM: Warning: Unhandled Archive Type
9:14 PM: Warning: Unhandled Archive Type
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:16 PM: Warning: File not found
9:17 PM: Warning: Unhandled Archive Type
9:20 PM: Warning: Unhandled Archive Type
9:22 PM: File Sweep Complete, Elapsed Time: 00:31:54
9:22 PM: Full Sweep has completed. Elapsed time 00:34:11
9:22 PM: Traces Found: 100
9:25 PM: Removal process initiated
9:26 PM: Quarantining All Traces: icannnews
9:27 PM: icannnews is in use. It will be removed on reboot.
9:27 PM: J:\WINDOWS\system32\hrrs0597e.dll is in use. It will be removed on reboot.
9:27 PM: J:\WINDOWS\system32\ryched32.dll is in use. It will be removed on reboot.
9:27 PM: Quarantining All Traces: azsearch toolbar
9:27 PM: Quarantining All Traces: bullguard popup ad
9:27 PM: Quarantining All Traces: cnsmin
9:27 PM: Quarantining All Traces: command
9:27 PM: Quarantining All Traces: dollarrevenue
9:27 PM: Quarantining All Traces: netsonic
9:27 PM: Quarantining All Traces: redswoosh
9:27 PM: Quarantining All Traces: virtualbouncer
9:27 PM: Quarantining All Traces: a cookie
9:27 PM: Quarantining All Traces: azjmp cookie
9:27 PM: Quarantining All Traces: belnk cookie
9:27 PM: Quarantining All Traces: kinghost cookie
9:27 PM: Quarantining All Traces: nextag cookie
9:27 PM: Quarantining All Traces: rn11 cookie
9:27 PM: Quarantining All Traces: starware.com cookie
9:27 PM: Quarantining All Traces: yieldmanager cookie
9:27 PM: Warning: Launched explorer.exe
9:27 PM: Warning: Quarantine process could not restart Explorer.
9:31 PM: Removal process completed. Elapsed time 00:05:32
********
8:34 PM: | Start of Session, Tuesday, November 15, 2005 |
8:34 PM: Spy Sweeper started
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: Your spyware definitions have been updated.
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

L2Mfix Log

L2Mfix 1.04a

Running From:
D:\Downloads\software\Antivirus and Spyware\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read     BUILTIN\Users
(ID-IO) ALLOW Read     BUILTIN\Users
(ID-NI) ALLOW Read     BUILTIN\Power Users
(ID-IO) ALLOW Read     BUILTIN\Power Users
(ID-NI) ALLOW Full access    BUILTIN\Administrators
(ID-IO) ALLOW Full access    BUILTIN\Administrators
(ID-NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- changing existing entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-CI) DENY --C-------    BUILTIN\Administrators
(ID-NI) ALLOW Read     BUILTIN\Users
(ID-IO) ALLOW Read     BUILTIN\Users
(ID-NI) ALLOW Read     BUILTIN\Power Users
(ID-IO) ALLOW Read     BUILTIN\Power Users
(ID-NI) ALLOW Full access    BUILTIN\Administrators
(ID-IO) ALLOW Full access    BUILTIN\Administrators
(ID-NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    CREATOR OWNER

Setting up for Reboot

Starting Reboot!

Setting Directory
D:\Downloads\software\Antivirus and Spyware\l2mfix

Running From:
D:\Downloads\software\Antivirus and Spyware\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 472 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 560 'winlogon.exe'
Killing PID 560 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1200 'explorer.exe'
Killing PID 1200 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2096 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
   zip warning: name not matched: *.dll

zip error: Nothing to do! (backup.zip)
   zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
adding: echo.reg (deflated 13%)
adding: clear.reg (deflated 2%)
   zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: readme.txt (deflated 52%)
adding: direct.txt (deflated 2%)
adding: report.txt (deflated 64%)
adding: lo2.txt (deflated 76%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)
adding: backregs/notibac.reg (deflated 87%)
adding: backregs/shell.reg (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Warning (option /rga:(IO)) - There is no ACE to remove!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read     BUILTIN\Users
(ID-IO) ALLOW Read     BUILTIN\Users
(ID-NI) ALLOW Read     BUILTIN\Power Users
(ID-IO) ALLOW Read     BUILTIN\Power Users
(ID-NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access    BUILTIN\Administrators
(ID-IO) ALLOW Full access    CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Tech Clinic / Need help to remove spyware!!!

« on: November 14, 2005, 06:28:59 AM »

I was able to follow the steps as instructed except on the window service pack update which prompted me error msg "..atapi.sys is already open or in used". I have already closed all the applications as well as rebooting the PC but the problem did not go away.

ANyway, here is the hijackthis log and L2MFIX log after fixing those entries as your advise.

Logfile of HijackThis v1.99.1
Scan saved at 7:06:24 PM, on 11/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\Program Files\VeriSign\NAVI\naviagent.exe
J:\WINDOWS\System32\nvsvc32.exe
J:\Program Files\Spyware Doctor\sdhelp.exe
J:\WINDOWS\system32\slserv.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\rundll32.exe
J:\WINDOWS\System32\devldr32.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Creative\ShareDLL\CtNotify.exe
J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
J:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Creative\ShareDLL\Mediadet.exe
J:\WINDOWS\System32\rundll32.exe
E:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\Downloads\software\Antivirus and Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [Disc Detector] J:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] J:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = J:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capture All &Flash Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCWnd.htm
O8 - Extra context menu item: Capture All &Image Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCAll.htm
O8 - Extra context menu item: Capture Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCCom.htm
O8 - Extra context menu item: Capture Web &Page to Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCDoc.htm
O8 - Extra context menu item: Download All by FlashGet - J:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - J:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: ¶«·½¿ì³µ-Ê¹ÓÃ¸öÈËÔÄ¶ÁÖúÀí·ÒëËùÑ¡ÎÄ±¾ - E:\Program Files\!Sunv\DFKC2003\ExtKW.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - J:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra 'Tools' menuitem: Super&Capture - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: SuperCapture - {EA0C6C8A-1815-43fc-B117-0DDF22ADC993} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4991DFA-152F-4EDA-8303-57F78115174A}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: IME - J:\WINDOWS\system32\l46o0ej3eho.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - E:\Program Files\VeriSign\NAVI\naviagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - J:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - J:\WINDOWS\SYSTEM32\slserv.exe

And the following is the L2MFIX log :

L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IME]
"Asynchronous"=dword:00000000
"DllName"="J:\\WINDOWS\\system32\\l46o0ej3eho.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read     BUILTIN\Users
(ID-IO) ALLOW Read     BUILTIN\Users
(ID-NI) ALLOW Read     BUILTIN\Power Users
(ID-IO) ALLOW Read     BUILTIN\Power Users
(ID-NI) ALLOW Full access    BUILTIN\Administrators
(ID-IO) ALLOW Full access    BUILTIN\Administrators
(ID-NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access    CREATOR OWNER

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{70F43126-B0C4-A8DC-5F2C-916E46734649}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{CE000992-A58C-4441-8938-744CD72AB27F}"="i-Nav IDN Resolver"
"{CE000994-A58C-4441-8938-744CD72AB27F}"="i-Nav IDN SearchHook"
"{C14F7681-33D8-11D3-A09B-00500402F30B}"="AvxShellEx"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A5110426-177D-4e08-AB3F-785F10B4439C}"="My Phones"
"{00020000-0000-1011-8004-0000C06B5161}"="WIBU-SYSTEMS Shell Extension"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{984D1233-889A-4B8A-B820-97EE3AE66A79}"=""
"{23170F69-40C1-278A-1000-000100020000}"="7-Zip Shell Extension"

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{984D1233-889A-4B8A-B820-97EE3AE66A79}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{984D1233-889A-4B8A-B820-97EE3AE66A79}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{984D1233-889A-4B8A-B820-97EE3AE66A79}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{984D1233-889A-4B8A-B820-97EE3AE66A79}\InprocServer32]
@="J:\\WINDOWS\\system32\\iqircl.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

J:\WINDOWS\SYSTEM32\
anskyae.dll Sat Nov 5 2005 1:12:40p ..SH. 21,394 20.89 K
d80m0i~1.dll Mon Nov 14 2005 6:52:52p ..S.R 234,540 229.04 K
dcound.dll Tue Nov 8 2005 11:50:04p ..S.R 234,068 228.58 K
enn4l1~1.dll Tue Nov 8 2005 11:50:04p ..S.R 235,519 229.99 K
iasada~1.dll Sat Oct 8 2005 12:09:06p ..... 10,240 10.00 K
iqircl.dll Mon Nov 14 2005 6:52:52p ..S.R 234,432 228.94 K
iusnap.dll Tue Nov 8 2005 11:30:14p ..S.R 234,068 228.58 K
l46o0e~1.dll Mon Nov 14 2005 6:33:44p ..S.R 234,432 228.94 K

8 items found: 8 files (7 H/S), 0 directories.
Total of file sizes: 1,438,693 bytes 1.37 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
Volume in drive J has no label.
Volume Serial Number is 5C29-94D3

Directory of J:\WINDOWS\System32

11/14/2005 06:52 PM 234,432 iqircl.dll
11/14/2005 06:52 PM 234,540 d80m0id1e80.dll
11/14/2005 06:33 PM 234,432 l46o0ej3eho.dll
11/09/2005 03:52 PM <DIR> dllcache
11/08/2005 11:50 PM 234,068 dcound.dll
11/08/2005 11:50 PM 235,519 enn4l15q1.dll
11/08/2005 11:30 PM 234,068 iUsnap.dll
11/05/2005 01:12 PM 21,394 Anskyae.DLL
03/23/2003 01:10 PM <DIR> Microsoft
12/06/2000 01:02 PM 209,608 TABCTL32.OCX
03/26/1999 12:00 AM 101,888 VB6STKIT.DLL
9 File(s) 1,739,949 bytes
2 Dir(s) 3,274,395,648 bytes free

Tech Clinic / Need help to remove spyware!!!

« on: November 13, 2005, 08:12:19 AM »

I am so frustrated with the non-stop popup IE windows. I have tried to scan my PC with Spyware doctor v3.03410, spyware bouncer v1.6, Ad-aware SE personal, stinger, bazooka, online Trend Micro.... I found a long list spywares(and trojan ocassionally) everytime I performed the scanning, and the same spywares will still appear again and again after cleaning. I have totally run out of idea and really need help to solve this annoying problem.

Below is my HijackThis log file :

Logfile of HijackThis v1.99.1
Scan saved at 8:50:42 PM, on 11/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\Program Files\VeriSign\NAVI\naviagent.exe
J:\WINDOWS\System32\nvsvc32.exe
J:\Program Files\Spyware Doctor\sdhelp.exe
J:\WINDOWS\system32\slserv.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\rundll32.exe
J:\WINDOWS\System32\devldr32.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Creative\ShareDLL\CtNotify.exe
J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
J:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Creative\ShareDLL\Mediadet.exe
J:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
J:\WINDOWS\System32\rundll32.exe
D:\Downloads\software\Antivirus and Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [Disc Detector] J:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] J:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] J:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [lsass64BiT.exe] lsass64BiT.exe
O4 - HKLM\..\RunServices: [Microsoft Datalog Application] msdata.exe
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\RunServices: [Microsoft Datalog Application] msdata.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = J:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capture All &Flash Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCWnd.htm
O8 - Extra context menu item: Capture All &Image Files by SuperCapture - E:\Program Files\SuperCapture401Pro\SCAll.htm
O8 - Extra context menu item: Capture Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCCom.htm
O8 - Extra context menu item: Capture Web &Page to Image by SuperCapture - E:\Program Files\SuperCapture401Pro\SCDoc.htm
O8 - Extra context menu item: Download All by FlashGet - J:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - J:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: ¶«·½¿ì³µ-Ê¹ÓÃ¸öÈËÔÄ¶ÁÖúÀí·ÒëËùÑ¡ÎÄ±¾ - E:\Program Files\!Sunv\DFKC2003\ExtKW.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - J:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - E:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra 'Tools' menuitem: Super&Capture - {8B5676AC-9980-4e41-8A9B-5ACD45591170} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - J:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: SuperCapture - {EA0C6C8A-1815-43fc-B117-0DDF22ADC993} - E:\Program Files\SuperCapture401Pro\SuperCap.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4991DFA-152F-4EDA-8303-57F78115174A}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: Nls - J:\WINDOWS\system32\m4nq0e55eh.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - E:\Program Files\VeriSign\NAVI\naviagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - J:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - J:\WINDOWS\SYSTEM32\slserv.exe

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - cthunter30

Tech Clinic / Need help to remove spyware!!!

Tech Clinic / Need help to remove spyware!!!

Tech Clinic / Need help to remove spyware!!!

Tech Clinic / Need help to remove spyware!!!