Author Topic: Win32.P2P-Worm.Alcan.a complications  (Read 1551 times)

Offline MJ SPANNER

  • Newbie
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« on: October 25, 2005, 06:51:34 PM »
I'm having some complications ridding myself of this worm.

It started with the task manager not working and LimeWire starting itself every 30 seconds.

I ran Ad-Aware and saw the Win32.P2P-Worm.Alcan.a in there somewhere.

I did my best to get rid of it myself - found some online help for it - but there are still lingering effects.

The task manager is working again and the LimeWire problem is gone, but I'm still getting some strange popups and overall poor system performance, so I'm sure I didn't get it all.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 7:42:12 PM, on 10/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TWlrZSBC\command.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Windows\services32.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [System service78] C:\WINDOWS\\\etb\\pokapoka78.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
O4 - Global Startup: active.dpt
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100929247942
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\k6620gjoe6oc0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlrZSBC\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Idle Service (sysidleserv) - Unknown owner - c:\windows\system32\adprot.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #1 on: October 25, 2005, 10:52:42 PM »
Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

Restart to
SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation.

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Restart back to Normal mode
Post the results of the WinPFind.txt located in the WinPFind folder

Can you do the following please?
Open HijackThis >> Open Misc Tools section
Open Uninstall Manager
Click the SAVE LIST button
Save this list to desktop and then copy and paste the contents back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MJ SPANNER

  • Newbie
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #2 on: October 26, 2005, 11:59:27 AM »
WinPFind file:

-----------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX!                 10/25/2005 5:07:38 PM       25105      C:\mte3ndi6odoxng.exe
UPX!                 10/25/2005 5:05:42 PM       6656       C:\ysbinstall_1003585.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG!                 2/21/2003 2:40:50 PM        5351256    C:\WINDOWS\msjavwu.exe

Checking %System% folder...
WinShutDown          10/25/2005 6:54:38 PM   R S 235425     C:\WINDOWS\SYSTEM32\demap.dll
ad-w-a-r-e.com       10/25/2005 6:54:38 PM   R S 235425     C:\WINDOWS\SYSTEM32\demap.dll
PEC2                 8/29/2002 8:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2                 10/26/2004 6:38:24 PM       716800     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           10/26/2004 6:38:24 PM       716800     C:\WINDOWS\SYSTEM32\DivX.dll
WinShutDown          10/25/2005 6:16:38 PM   R S 235159     C:\WINDOWS\SYSTEM32\k8800ilme8qa0.dll
ad-w-a-r-e.com       10/25/2005 6:16:38 PM   R S 235159     C:\WINDOWS\SYSTEM32\k8800ilme8qa0.dll
WinShutDown          10/25/2005 6:36:46 PM   R S 236521     C:\WINDOWS\SYSTEM32\l26olcj31fo.dll
ad-w-a-r-e.com       10/25/2005 6:36:46 PM   R S 236521     C:\WINDOWS\SYSTEM32\l26olcj31fo.dll
PTech                8/29/2005 1:27:12 PM        520968     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PTech                11/16/2004 4:50:40 PM       1310546    C:\WINDOWS\SYSTEM32\lmdv.bin
WinShutDown          10/25/2005 6:09:42 PM   R S 234430     C:\WINDOWS\SYSTEM32\msg4dmod.dll
ad-w-a-r-e.com       10/25/2005 6:09:42 PM   R S 234430     C:\WINDOWS\SYSTEM32\msg4dmod.dll
WinShutDown          10/25/2005 5:17:08 PM   R S 234430     C:\WINDOWS\SYSTEM32\nwtplwiz.dll
ad-w-a-r-e.com       10/25/2005 5:17:08 PM   R S 234430     C:\WINDOWS\SYSTEM32\nwtplwiz.dll
Umonitor             8/29/2002 8:00:00 AM        631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
qoologic             3/25/2005 4:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
aspack               3/25/2005 4:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
PTech                3/25/2005 4:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
winsync              8/29/2002 8:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1  www.qoologic.com
127.0.0.1  www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     10/26/2005 12:15:30 PM    S 2048       C:\WINDOWS\bootstat.dat
                     10/26/2005 12:14:20 PM   H  24         C:\WINDOWS\p5YqZ
                     10/25/2005 8:24:24 PM    H  54156      C:\WINDOWS\QTFont.qfn
                     9/25/2005 1:14:42 AM     H  27136      C:\WINDOWS\x74ca5e40.tmp
                     10/25/2005 6:54:38 PM   R S 235425     C:\WINDOWS\system32\demap.dll
                     10/26/2005 12:14:40 PM  R S 235425     C:\WINDOWS\system32\j04olah31d4.dll
                     10/25/2005 6:16:38 PM   R S 235159     C:\WINDOWS\system32\k8800ilme8qa0.dll
                     10/25/2005 6:36:46 PM   R S 236521     C:\WINDOWS\system32\l26olcj31fo.dll
                     10/25/2005 6:53:30 PM   R S 235159     C:\WINDOWS\system32\m8640ijqe8oe0.dll
                     10/25/2005 6:09:42 PM   R S 234430     C:\WINDOWS\system32\msg4dmod.dll
                     10/25/2005 5:17:08 PM   R S 234430     C:\WINDOWS\system32\nwtplwiz.dll
                     10/26/2005 12:15:44 PM  R S 235159     C:\WINDOWS\system32\sxe.dll
                     10/4/2005 1:16:36 PM      S 20086      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
                     9/28/2005 11:53:30 AM     S 17402      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
                     9/9/2005 7:15:08 PM       S 11084      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
                     8/30/2005 11:10:00 AM     S 7711       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
                     10/26/2005 12:15:46 PM   H  24576      C:\WINDOWS\system32\config\default.LOG
                     10/26/2005 12:15:42 PM   H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     10/26/2005 12:15:32 PM   H  12288      C:\WINDOWS\system32\config\SECURITY.LOG
                     10/26/2005 12:18:02 PM   H  196608     C:\WINDOWS\system32\config\software.LOG
                     10/26/2005 12:15:34 PM   H  946176     C:\WINDOWS\system32\config\system.LOG
                     9/1/2005 9:09:26 PM      HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\425411ad-9883-44ea-80f9-0c9d4b5afb70
                     9/1/2005 9:09:28 PM      HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     10/26/2005 12:14:38 PM   H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 8:00:00 AM        66048      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              4/25/2005 10:31:44 AM       77824      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        121856     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         4/13/2005 3:48:52 AM        49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems               11/1/2002 11:15:54 PM       45175      C:\WINDOWS\SYSTEM32\plugincpl140_03.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM        323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM        90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation               12/4/1999 7:11:30 AM        151552     C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Intel Corporation              4/25/2005 10:31:44 AM       77824      C:\WINDOWS\SYSTEM32\ReinstallBackups\0021\DriverFiles\igfxcpl.cpl
Intel Corporation              3/11/2003 2:18:48 PM        94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0025\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     11/20/2004 1:43:26 AM       43         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\active.dpt
                     4/11/2003 5:59:50 AM        1647       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
                     4/9/2003 9:47:46 PM      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     1/19/2005 1:02:46 AM        1730       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     4/11/2003 5:59:50 AM        675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
                     4/11/2003 5:59:50 AM        675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     4/9/2003 2:42:46 PM      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     4/9/2003 9:47:46 PM      HS 84         C:\Documents and Settings\Mike B\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     4/9/2003 2:42:46 PM      HS 62         C:\Documents and Settings\Mike B\Application Data\desktop.ini
                     11/30/2004 8:45:54 PM       0          C:\Documents and Settings\Mike B\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
       =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
   {687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}    = C:\WINDOWS\system32\sxe.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
       = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
       = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx
   {2318C2B1-4965-11d4-9B18-009027A5CD4F}    = &Google   : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
   ButtonText    = PartyPoker.com   : C:\Program Files\PartyPoker\PartyPoker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
   ButtonText    = MoneySide   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} =    :
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   NvCplDaemon   RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
   nwiz   nwiz.exe /installquiet
   ATIModeChange   Ati2mdxx.exe
   ATIPTA   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
   IgfxTray   C:\WINDOWS\System32\igfxtray.exe
   HotKeysCmds   C:\WINDOWS\System32\hkcmd.exe
   ezShieldProtector for Px   C:\WINDOWS\System32\ezSP_Px.exe
   ZTgServerSwitch   c:\program files\support.com\client\lserver\server.vbs
   CreateCD_Reminder   C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
   AGRSMMSG   AGRSMMSG.exe
   StorageGuard   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   MCAgentExe   c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
   MCUpdateExe   C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
   VirusScan Online   "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
   VAIO Recovery   C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
   VSOCheckTask   "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
   ViewMgr   C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
   AltnetPointsManager   c:\program files\altnet\points manager\points manager.exe -s
   Persistence   C:\WINDOWS\System32\igfxpers.exe
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   SunJavaUpdateSched   C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
   SurfAccuracy   C:\Program Files\SurfAccuracy\SAcc.exe
   msresearch   C:\windows\msresearch.exe
   System service78   C:\WINDOWS\\\etb\\pokapoka78.exe
   System service76   C:\WINDOWS\etb\pokapoka76.exe
   sp2update   C:\windows\sp2update00.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Mozilla Quick Launch   "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
   AIM   C:\Program Files\AIM\aim.exe -cnetwait.odl
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   services32   C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    = igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem
    = C:\WINDOWS\system32\m8640ijqe8oe0.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/26/2005 12:23:17 PM

---------------------------------



uninstall list:


-------------------------------

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
Age of Empires II
Age of Empires III Trial
Age of Mythology
Agere Systems AC'97 Modem
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
Click to DVD 1.2
Command
DivX
DivX Player
DVD Creation
DVgate Plus
Experience VAIO
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Home Office Page for Experience VAIO
ImageStation Tour
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Internet Explorer Q903235
iPod for Windows 2005-06-26
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.0_03
Java Web Start
Kazaa 3.0
Kazaa Lite K++ v2.4.2
LimeWire 4.9.33
Linksys Wireless-G PCI Network Adapter with SpeedBooster
Macromedia Shockwave Player
McAfee SecurityCenter
McAfee VirusScan
Memory Stick Formatter
Microsoft Learning and Research Plus Support Files
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Express 7.0
Microsoft Upgrade Offer
Microsoft Works 7.0
MoodLogic
MSN Internet Software
MSN Messenger 5.0
MSN Music Assistant
MSXML4 Parser
Music Visualizer Library 1.4.00
Netscape (7.02)
Network Smart Capture
NVIDIA Windows 2000/XP Display Drivers
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-02-25-01
OpenMG Secure Module 3.2
OrCAD 10.0 Demo
Panda ActiveScan
PartyPoker
PictureGear Studio 1.0
PowerDVD
Quicken 2003 New User Edition
QuickLinks
QuickTime
RealOne Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Shockwave
SimCity 2000® Special Edition
SonicStage 1.5.50
Sony Certificate PCH
Sony on Yahoo! Essentials
Sony Video Shared Library
Star Wars®: Knights of the Old Republic (tm)
Surf Accuracy
Survival of the Phoenix
TSA
Turbo Tax Offer
Update for Windows XP (KB898461)
VAIO DeepSea Wallpaper
VAIO Help and Support
VAIO Media 2.5
VAIO Media Music Server 2.5
VAIO Media Photo Server 2.5
VAIO Media Platform 2.5
VAIO Media Redistribution 2.5
VAIO Media Setup 2.5
VAIO Registration
VAIO Support
VAIO Survey Standalone
VAIO System Information
VERITAS RecordNow
VERITAS RecordNow Update Manager
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887811
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
WinRAR archiver





----------------------------

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #3 on: October 26, 2005, 12:45:21 PM »
Let's try some cleanup on this machine; we'll do this in steps.

Go to START >>> RUN >>> type in services.msc
Hit OK
In the next window, look on the right-hand side for this service name: Command Service

Double-click on it and STOP the service if it is running.
In the drop-down menu, change the startup type to Disabled.

Access your Add/Remove programs via Control Panel

Remove all the following if you can
Viewpoint Manager (Remove Only)
Viewpoint Media Player
TSA
Surf Accuracy
Command


If you didn't intentionally install Party Poker, I would remove it too.

Restart your computer afterwards.

Back in Windows
Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MJ SPANNER

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #4 on: October 26, 2005, 01:26:05 PM »
L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l08m0al1edq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93F19EDD-44C1-169A-7F90-459B8DD5AD4E}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmndex.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   cdosys.dll     Fri Sep  9 2005  10:04:32p  A....      2,025,984     1.93 M
   cmdlin~1.dll   Wed Aug 10 2005   4:25:22p  A....         43,520    42.50 K
   danim.dll      Fri Sep  2 2005  11:06:58a  A....        986,112   963.00 K
   demap.dll      Tue Oct 25 2005   6:54:38p  ..S.R        235,425   229.91 K
   dxtrans.dll    Fri Sep  2 2005   4:35:16p  A....        192,000   187.50 K
   gwfspi~1.dll   Mon Aug 29 2005   1:27:06p  A....         23,304    22.76 K
   k8800i~1.dll   Tue Oct 25 2005   6:16:38p  ..S.R        235,159   229.64 K
   k8lqli~1.dll   Wed Oct 26 2005   2:19:46p  ..S.R        235,425   229.91 K
   l08m0a~1.dll   Wed Oct 26 2005  12:38:46p  ..S.R        235,605   230.08 K
   l26olc~1.dll   Tue Oct 25 2005   6:36:46p  ..S.R        236,521   230.98 K
   legitc~1.dll   Mon Aug 29 2005   1:27:12p  A....        520,968   508.76 K
   linkinfo.dll   Wed Aug 31 2005   9:49:30p  A....         16,384    16.00 K
   mmndex.dll     Wed Oct 26 2005   2:20:52p  ..S.R        235,605   230.08 K
   msg4dmod.dll   Tue Oct 25 2005   6:09:42p  ..S.R        234,430   228.93 K
   mshtml.dll     Tue Oct  4 2005  12:19:14p  A....      2,700,288     2.57 M
   msieftp.dll    Fri Aug  5 2005   1:23:28p  A....        230,400   225.00 K
   mstime.dll     Fri Sep  2 2005   4:35:12p  A....        496,128   484.50 K
   netman.dll     Mon Aug 22 2005   2:36:34p  A....        154,624   151.00 K
   nwtplwiz.dll   Tue Oct 25 2005   5:17:08p  ..S.R        234,430   228.93 K
   qllib.dll      Mon Oct 10 2005   6:33:56p  A....        200,704   196.00 K
   qosdocvw.dll   Tue Oct 25 2005   5:05:10p  A....         45,056    44.00 K
   quartz.dll     Tue Aug 30 2005   9:14:00a  A....      1,227,776     1.17 M
   shell32.dll    Thu Sep 22 2005  11:27:32p  A....      8,348,672     7.96 M
   shlwapi.dll    Wed Aug 31 2005   6:49:30p  A....        409,088   399.50 K
   umpnpmgr.dll   Mon Aug 22 2005  11:51:10p  A....        111,104   108.50 K
   urlmon.dll     Fri Sep  2 2005   3:19:16p  A....        457,216   446.50 K
   winsrv.dll     Wed Aug 31 2005   9:49:32p  A....        278,016   271.50 K
   xpsp2res.dll   Mon Sep 26 2005   8:40:50p  A....        594,432   580.50 K

28 items found:  28 files (8 H/S), 0 directories.
   Total of file sizes:  20,944,376 bytes     19.97 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is F034-6802

 Directory of C:\WINDOWS\System32

10/26/2005  02:20 PM           235,605 mmndex.dll
10/26/2005  02:19 PM           235,425 k8lqli3518.dll
10/26/2005  12:38 PM           235,605 l08m0al1edq.dll
10/25/2005  06:54 PM           235,425 demap.dll
10/25/2005  06:36 PM           236,521 l26olcj31fo.dll
10/25/2005  06:16 PM           235,159 k8800ilme8qa0.dll
10/25/2005  06:09 PM           234,430 msg4dmod.dll
10/25/2005  05:17 PM           234,430 nwtplwiz.dll
04/09/2003  10:21 PM    <DIR>          Microsoft
               8 File(s)      1,882,600 bytes
               1 Dir(s)     845,078,528 bytes free
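The L2MFix find log above lists a Winlogon\Notify subkey named "Control Panel" whose DllName points at a randomly named DLL in system32; that is not one of the stock Windows XP notification packages (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon), which all load from a handful of well-known DLLs. The following is an added example, not part of this thread and not L2MFix's own code: it parses the regedit export format the log uses (including the hex(2) encoding regedit uses for REG_EXPAND_SZ values), collects every Notify subkey's DllName, and reports the ones whose DLL is not on an allowlist. The allowlist is an assumption for a stock XP install plus the Intel graphics entry seen here; the sample export is a constructed excerpt of the log above.

```python
"""Flag Winlogon\\Notify packages whose DLL is not a known notification package.

Added example (not from the thread or from L2MFix). Assumptions: the allowlist
below matches a stock Windows XP install plus the igfxcui vendor entry seen
in this thread; SAMPLE_REG is a constructed excerpt of the L2MFix find log.
"""
import ntpath
import re

# Assumed allowlist of DLL basenames that stock Notify subkeys load on XP.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxdev.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
NOTIFY_PREFIX = "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# Constructed excerpt of the find log: two stock keys plus the non-stock
# "Control Panel" key that points at a randomly named DLL in system32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l08m0al1edq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''


def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; re-join them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw):
    """Decode a REG_SZ ("...") or hex(2) (REG_EXPAND_SZ, UTF-16LE) value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[len("hex(2):"):].split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    return None  # dword: and other types are never a DLL path


def parse_notify(reg_text):
    """Return {subkey_name: dll} for every Winlogon\\Notify subkey in the export."""
    result, current = {}, None
    for line in _join_continuations(reg_text):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            idx = key.lower().find(NOTIFY_PREFIX.lower())
            current = key[idx + len(NOTIFY_PREFIX):] if idx >= 0 else None
            continue
        m = VALUE_RE.match(line)
        if m and current and m.group(1).lower() == "dllname":
            dll = _decode_value(m.group(2))
            if dll is not None:
                result[current] = dll
    return result


def suspicious_notify(reg_text, known=KNOWN_NOTIFY_DLLS):
    """List (subkey, dll) pairs whose DLL basename is not on the allowlist."""
    return [(subkey, dll) for subkey, dll in parse_notify(reg_text).items()
            if ntpath.basename(dll).lower() not in known]


if __name__ == "__main__":
    for subkey, dll in suspicious_notify(SAMPLE_REG):
        print(f"non-stock Notify package {subkey!r} loads {dll}")
```

Run against the constructed excerpt it reports only the "Control Panel" subkey; the crypt32chain entry decodes from hex(2) to crypt32.dll and passes, as does cscdll. On a real export, pair the allowlist check with the file attributes shown in the WinPFind listing (the flagged DLLs here all carry the hidden, system and read-only bits and share near-identical sizes), since an allowlist alone will also flag legitimate vendor packages.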

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #5 on: October 26, 2005, 01:44:55 PM »
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: After the restart, L2MFIX finishes scanning for files; give this time to finish.
If a text file doesn't open, run the "second.bat" located inside the L2mfix folder.

Also post a fresh HijackThis log.



Offline MJ SPANNER

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #6 on: October 26, 2005, 06:42:01 PM »
L2Mfix 1.04a
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
Setting Directory
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 768 'explorer.exe'
Killing PID 768 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 484 'rundll32.exe'
Killing PID 484 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\demap.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k8800ilme8qa0.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l26olcj31fo.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msg4dmod.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nwtplwiz.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\demap.dll  
Successfully Deleted: C:\WINDOWS\system32\demap.dll
deleting: C:\WINDOWS\system32\k8800ilme8qa0.dll  
Successfully Deleted: C:\WINDOWS\system32\k8800ilme8qa0.dll
deleting: C:\WINDOWS\system32\l26olcj31fo.dll  
Successfully Deleted: C:\WINDOWS\system32\l26olcj31fo.dll
deleting: C:\WINDOWS\system32\msg4dmod.dll  
Successfully Deleted: C:\WINDOWS\system32\msg4dmod.dll
deleting: C:\WINDOWS\system32\nwtplwiz.dll  
Successfully Deleted: C:\WINDOWS\system32\nwtplwiz.dll
deleting: C:\WINDOWS\system32\guard.tmp  
 
 
Zipping up files for submission:
  adding: demap.dll (164 bytes security) (deflated 5%)
  adding: k8800ilme8qa0.dll (164 bytes security) (deflated 5%)
  adding: l26olcj31fo.dll (164 bytes security) (deflated 5%)
  adding: msg4dmod.dll (164 bytes security) (deflated 4%)
  adding: nwtplwiz.dll (164 bytes security) (deflated 4%)
  adding: guard.tmp (164 bytes security) (deflated 5%)
  adding: clear.reg (164 bytes security) (deflated 22%)
  adding: echo.reg (164 bytes security) (deflated 12%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 77%)
  adding: readme.txt (164 bytes security) (deflated 52%)
  adding: report.txt (164 bytes security) (deflated 64%)
  adding: test.txt (164 bytes security) (deflated 61%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: xfind.txt (164 bytes security) (deflated 54%)
  adding: backregs/687E845C-FDCB-4ECE-8D8D-ED12DA7F3990.reg (164 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: demap.dll  
deleting local copy: k8800ilme8qa0.dll  
deleting local copy: l26olcj31fo.dll  
deleting local copy: msg4dmod.dll  
deleting local copy: nwtplwiz.dll  
deleting local copy: guard.tmp  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k8lqli3518.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\demap.dll
C:\WINDOWS\system32\k8800ilme8qa0.dll
C:\WINDOWS\system32\l26olcj31fo.dll
C:\WINDOWS\system32\msg4dmod.dll
C:\WINDOWS\system32\nwtplwiz.dll
C:\WINDOWS\system32\guard.tmp
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}"=-
[-HKEY_CLASSES_ROOT\CLSID\{687E845C-FDCB-4ECE-8D8D-ED12DA7F3990}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



--------------------------

Hijack this

-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:41:31 PM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
O4 - Global Startup: active.dpt
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100929247942
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\k8lqli3518.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Idle Service (sysidleserv) - Unknown owner - c:\windows\system32\adprot.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

Offline guestolo

Win32.P2P-Worm.Alcan.a complications
« Reply #7 on: October 26, 2005, 10:12:59 PM »
Sorry for the delay, we need another tool to help you out.

Can you do the following, please?
Download Webroot's SpySweeper.

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it.
* Once the program is installed, it will open.
* It will prompt you to update to the latest definitions; click Yes.
* Once the definitions are installed, don't run a scan yet, but ensure the definitions are updated.

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe


If you don't know what the next one is related to, fix it also:
O4 - Global Startup: active.dpt

After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Restart back in safe mode

Find and delete the following files or folders if found:
C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe <-file
C:\Program Files\Common Files\Windows\services32.exe <-file
C:\windows\sp2update00.exe <-file

C:\WINDOWS\etb <-folder

Sign into safe mode with the Administrator account.
Open SpySweeper.
# Click Sweep Now on the left side.
# Click the Start button.
# When it's done scanning, click the Next button.
# Make sure everything has a check next to it, then click the Next button.
# It will remove all of the items found.
# Click Session Log in the upper right corner and copy everything in that window.
Save it to a Notepad (text) file on the desktop.

Restart back to Normal mode

Back in Windows

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: After the restart, L2MFIX will continue scanning for files; give this time to finish.
If a text file doesn't open, run "second.bat" located inside the L2mfix folder.

Also post a fresh HijackThis log.
Could you additionally include the saved log from SpySweeper?
« Last Edit: October 26, 2005, 10:13:18 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MJ SPANNER

Win32.P2P-Worm.Alcan.a complications
« Reply #8 on: October 26, 2005, 11:37:36 PM »
L2Mfix 1.04a
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
Setting Directory
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1092 'explorer.exe'
Killing PID 1092 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 540 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\dwvoice.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i642lgho164c.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir82l5lo1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qydit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnnls.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\dwvoice.dll  
Successfully Deleted: C:\WINDOWS\system32\dwvoice.dll
deleting: C:\WINDOWS\system32\i642lgho164c.dll  
Successfully Deleted: C:\WINDOWS\system32\i642lgho164c.dll
deleting: C:\WINDOWS\system32\ir82l5lo1.dll  
Successfully Deleted: C:\WINDOWS\system32\ir82l5lo1.dll
deleting: C:\WINDOWS\system32\qydit.dll  
Successfully Deleted: C:\WINDOWS\system32\qydit.dll
deleting: C:\WINDOWS\system32\wlnnls.dll  
Successfully Deleted: C:\WINDOWS\system32\wlnnls.dll
 
 
Zipping up files for submission:
  adding: dwvoice.dll (164 bytes security) (deflated 5%)
  adding: i642lgho164c.dll (164 bytes security) (deflated 4%)
  adding: ir82l5lo1.dll (164 bytes security) (deflated 4%)
  adding: qydit.dll (164 bytes security) (deflated 5%)
  adding: wlnnls.dll (164 bytes security) (deflated 5%)
updating: clear.reg (164 bytes security) (deflated 46%)
updating: echo.reg (164 bytes security) (deflated 12%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 76%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: report.txt (164 bytes security) (deflated 64%)
updating: test.txt (164 bytes security) (deflated 61%)
updating: test2.txt (164 bytes security) (deflated 27%)
updating: test3.txt (164 bytes security) (deflated 27%)
updating: test5.txt (164 bytes security) (deflated 27%)
updating: xfind.txt (164 bytes security) (deflated 55%)
  adding: log.txt (164 bytes security) (deflated 80%)
updating: backregs/687E845C-FDCB-4ECE-8D8D-ED12DA7F3990.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 88%)
updating: backregs/shell.reg (164 bytes security) (deflated 73%)
  adding: backregs/279B161E-3ABF-4999-AE99-8AEE735AE0D0.reg (164 bytes security) (deflated 70%)
  adding: backregs/D691A32D-1F54-4989-9B8A-817894615F9A.reg (164 bytes security) (deflated 70%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: dwvoice.dll  
deleting local copy: i642lgho164c.dll  
deleting local copy: ir82l5lo1.dll  
deleting local copy: qydit.dll  
deleting local copy: wlnnls.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\plwma.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dwvoice.dll
C:\WINDOWS\system32\i642lgho164c.dll
C:\WINDOWS\system32\ir82l5lo1.dll
C:\WINDOWS\system32\qydit.dll
C:\WINDOWS\system32\wlnnls.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D691A32D-1F54-4989-9B8A-817894615F9A}"=-
"{279B161E-3ABF-4999-AE99-8AEE735AE0D0}"=-
"{570D7B09-A354-48BB-8163-826E8A0AD657}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D691A32D-1F54-4989-9B8A-817894615F9A}]
[-HKEY_CLASSES_ROOT\CLSID\{279B161E-3ABF-4999-AE99-8AEE735AE0D0}]
[-HKEY_CLASSES_ROOT\CLSID\{570D7B09-A354-48BB-8163-826E8A0AD657}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

---------------------------

HJT

---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:31:39 AM, on 10/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100929247942
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\plwma.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: System Idle Service (sysidleserv) - Unknown owner - c:\windows\system32\adprot.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

----------------

Spy Sweeper

------------------

********
12:02 AM: |       Start of Session, Thursday, October 27, 2005       |
12:02 AM: Spy Sweeper started
12:02 AM: Sweep initiated using definitions version 562
12:02 AM: Starting Memory Sweep
12:02 AM:   Found Adware: icannnews
12:02 AM:   Detected running threat: C:\WINDOWS\system32\n4p40e7qeh.dll (ID = 83)
12:03 AM:   Detected running threat: C:\WINDOWS\system32\dfmclien.dll (ID = 83)
12:03 AM: Memory Sweep Complete, Elapsed Time: 00:01:00
12:03 AM: Starting Registry Sweep
12:03 AM:   Found Adware: altnet
12:03 AM:   HKCR\clsid\{3f4d4f88-0198-4921-b630-957f3eb814e0}\  (1 subtraces) (ID = 103460)
12:03 AM:   HKCR\clsid\{3646c2bd-3554-49ca-8125-44deefb881de}\  (1 subtraces) (ID = 103462)
12:03 AM:   HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\  (23 subtraces) (ID = 103494)
12:03 AM:   Found Adware: targetsoft
12:03 AM:   HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\  (1 subtraces) (ID = 143608)
12:03 AM:   Found Adware: targetsaver
12:03 AM:   HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\  (1 subtraces) (ID = 143608)
12:03 AM:   Found Adware: topsearch
12:03 AM:   HKCR\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\  (23 subtraces) (ID = 143925)
12:03 AM:   HKLM\software\classes\topsearch.tslink\  (5 subtraces) (ID = 143926)
12:03 AM:   HKLM\software\classes\topsearch.tslink.1\  (3 subtraces) (ID = 143927)
12:03 AM:   HKLM\software\classes\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\  (9 subtraces) (ID = 143928)
12:03 AM:   HKCR\topsearch.tslink\  (5 subtraces) (ID = 143929)
12:03 AM:   HKCR\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\  (9 subtraces) (ID = 143930)
12:03 AM:   Found Adware: quicklink search toolbar
12:03 AM:   HKCR\qlink.qlfilter\  (3 subtraces) (ID = 890588)
12:03 AM:   HKCR\qlink.qlfilter.1\  (3 subtraces) (ID = 890592)
12:03 AM:   HKCR\qlink.qlhelper\  (3 subtraces) (ID = 890596)
12:03 AM:   HKCR\qlink.qlhelper.1\  (3 subtraces) (ID = 890600)
12:03 AM:   HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\  (8 subtraces) (ID = 890604)
12:03 AM:   HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\  (10 subtraces) (ID = 890613)
12:03 AM:   HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\  (9 subtraces) (ID = 890624)
12:03 AM:   HKLM\software\classes\qlink.qlfilter\  (3 subtraces) (ID = 890661)
12:03 AM:   HKLM\software\classes\qlink.qlfilter.1\  (3 subtraces) (ID = 890665)
12:03 AM:   HKLM\software\classes\qlink.qlhelper\  (3 subtraces) (ID = 890669)
12:03 AM:   HKLM\software\classes\qlink.qlhelper.1\  (3 subtraces) (ID = 890673)
12:03 AM:   HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\  (8 subtraces) (ID = 890677)
12:03 AM:   HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\  (10 subtraces) (ID = 890686)
12:03 AM:   Found Adware: instant access
12:03 AM:   HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\  (1 subtraces) (ID = 890691)
12:03 AM:   HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\  (9 subtraces) (ID = 890697)
12:03 AM:   HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\  (2 subtraces) (ID = 909558)
12:03 AM:   HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
12:03 AM:   Found Adware: cydoor peer-to-peer dependency
12:03 AM:   HKU\WRSS_Profile_S-1-5-21-630620334-398432482-2331515877-1005\software\kazaa\promotions\cydoor\  (2861 subtraces) (ID = 124527)
12:03 AM:   HKU\WRSS_Profile_S-1-5-21-630620334-398432482-2331515877-1005\software\tsl2\  (1 subtraces) (ID = 143616)
12:03 AM:   Found Adware: findthewebsiteyouneed hijacker
12:03 AM:   HKU\WRSS_Profile_S-1-5-21-630620334-398432482-2331515877-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:03 AM: Registry Sweep Complete, Elapsed Time:00:00:23
12:03 AM: Starting Cookie Sweep
12:04 AM:   Found Spy Cookie: 382 cookie
12:04 AM:   mike b@382[1].txt (ID = 1965)
12:04 AM:   Found Spy Cookie: 3 cookie
12:04 AM:   mike b@3[2].txt (ID = 1959)
12:04 AM:   mike b@3[3].txt (ID = 1959)
12:04 AM:   Found Spy Cookie: 412 cookie
12:04 AM:   mike b@412[1].txt (ID = 1969)
12:04 AM:   Found Spy Cookie: 447 cookie
12:04 AM:   mike b@447[1].txt (ID = 1973)
12:04 AM:   Found Spy Cookie: 64.62.232 cookie
12:04 AM:   mike [email protected][1].txt (ID = 1987)
12:04 AM:   mike [email protected][2].txt (ID = 1987)
12:04 AM:   Found Spy Cookie: 66.246.209 cookie
12:04 AM:   mike [email protected][1].txt (ID = 1997)
12:04 AM:   Found Spy Cookie: 69.28.210 cookie
12:04 AM:   mike [email protected][1].txt (ID = 2003)
12:04 AM:   Found Spy Cookie: 735 cookie
12:04 AM:   mike b@735[1].txt (ID = 2009)
12:04 AM:   Found Spy Cookie: 888 cookie
12:04 AM:   mike b@888[2].txt (ID = 2019)
12:04 AM:   Found Spy Cookie: websponsors cookie
12:04 AM:   mike [email protected][2].txt (ID = 3665)
12:04 AM:   Found Spy Cookie: aa cookie
12:04 AM:   mike b@aa[2].txt (ID = 2029)
12:04 AM:   Found Spy Cookie: abetterinternet cookie
12:04 AM:   mike b@abetterinternet[2].txt (ID = 2035)
12:04 AM:   Found Spy Cookie: about cookie
12:04 AM:   mike b@about[1].txt (ID = 2037)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   Found Spy Cookie: yieldmanager cookie
12:04 AM:   mike [email protected][1].txt (ID = 3751)
12:04 AM:   Found Spy Cookie: adecn cookie
12:04 AM:   mike b@adecn[1].txt (ID = 2063)
12:04 AM:   Found Spy Cookie: adknowledge cookie
12:04 AM:   mike b@adknowledge[1].txt (ID = 2072)
12:04 AM:   Found Spy Cookie: adlegend cookie
12:04 AM:   mike b@adlegend[1].txt (ID = 2074)
12:04 AM:   Found Spy Cookie: hbmediapro cookie
12:04 AM:   mike [email protected][1].txt (ID = 2768)
12:04 AM:   Found Spy Cookie: hotbar cookie
12:04 AM:   mike [email protected][2].txt (ID = 4207)
12:04 AM:   Found Spy Cookie: precisead cookie
12:04 AM:   mike [email protected][2].txt (ID = 3182)
12:04 AM:   Found Spy Cookie: specificclick.com cookie
12:04 AM:   mike [email protected][1].txt (ID = 3400)
12:04 AM:   Found Spy Cookie: adorigin cookie
12:04 AM:   mike b@adorigin[2].txt (ID = 2082)
12:04 AM:   Found Spy Cookie: belointeractive cookie
12:04 AM:   mike [email protected][1].txt (ID = 2295)
12:04 AM:   Found Spy Cookie: ads.businessweek cookie
12:04 AM:   mike [email protected][2].txt (ID = 2113)
12:04 AM:   Found Spy Cookie: cc214142 cookie
12:04 AM:   mike [email protected][1].txt (ID = 2367)
12:04 AM:   Found Spy Cookie: joetec.net cookie
12:04 AM:   mike [email protected][1].txt (ID = 2890)
12:04 AM:   Found Spy Cookie: bpath cookie
12:04 AM:   mike [email protected][1].txt (ID = 2321)
12:04 AM:   Found Spy Cookie: advertising cookie
12:04 AM:   mike b@advertising[2].txt (ID = 2175)
12:04 AM:   mike [email protected][2].txt (ID = 2038)
12:04 AM:   Found Spy Cookie: ask cookie
12:04 AM:   mike b@ask[1].txt (ID = 2245)
12:04 AM:   Found Spy Cookie: belnk cookie
12:04 AM:   mike [email protected][2].txt (ID = 2293)
12:04 AM:   Found Spy Cookie: atwola cookie
12:04 AM:   mike b@atwola[2].txt (ID = 2255)
12:04 AM:   Found Spy Cookie: azjmp cookie
12:04 AM:   mike b@azjmp[2].txt (ID = 2270)
12:04 AM:   Found Spy Cookie: inet-traffic.com cookie
12:04 AM:   mike [email protected][1].txt (ID = 2856)
12:04 AM:   Found Spy Cookie: bannerspace cookie
12:04 AM:   mike b@bannerspace[1].txt (ID = 2284)
12:04 AM:   Found Spy Cookie: banner cookie
12:04 AM:   mike b@banner[2].txt (ID = 2276)
12:04 AM:   mike b@belnk[2].txt (ID = 2292)
12:04 AM:   mike b@belointeractive[1].txt (ID = 2294)
12:04 AM:   Found Spy Cookie: btgrab cookie
12:04 AM:   mike [email protected][2].txt (ID = 2333)
12:04 AM:   Found Spy Cookie: burstnet cookie
12:04 AM:   mike b@burstnet[2].txt (ID = 2336)
12:04 AM:   Found Spy Cookie: enhance cookie
12:04 AM:   mike [email protected][2].txt (ID = 2614)
12:04 AM:   mike [email protected][1].txt (ID = 2286)
12:04 AM:   Found Spy Cookie: gostats cookie
12:04 AM:   mike [email protected][2].txt (ID = 2748)
12:04 AM:   Found Spy Cookie: 2o7.net cookie
12:04 AM:   mike [email protected][1].txt (ID = 1958)
12:04 AM:   Found Spy Cookie: ccbill cookie
12:04 AM:   mike b@ccbill[1].txt (ID = 2369)
12:04 AM:   Found Spy Cookie: centralmedia cookie
12:04 AM:   mike b@centralmedia[2].txt (ID = 2373)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   Found Spy Cookie: cliks cookie
12:04 AM:   mike b@cliks[2].txt (ID = 2414)
12:04 AM:   mike [email protected][2].txt (ID = 1958)
12:04 AM:   Found Spy Cookie: cnt cookie
12:04 AM:   mike b@cnt[1].txt (ID = 2422)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   Found Spy Cookie: tickle cookie
12:04 AM:   mike [email protected][1].txt (ID = 3530)
12:04 AM:   Found Spy Cookie: coolsavings cookie
12:04 AM:   mike b@coolsavings[1].txt (ID = 2465)
12:04 AM:   Found Spy Cookie: 360i cookie
12:04 AM:   mike [email protected][2].txt (ID = 1962)
12:04 AM:   Found Spy Cookie: clickzs cookie
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   mike [email protected][2].txt (ID = 2413)
12:04 AM:   mike [email protected][2].txt (ID = 2413)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   mike [email protected][2].txt (ID = 2413)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   Found Spy Cookie: desktop kazaa cookie
12:04 AM:   mike [email protected][2].txt (ID = 2515)
12:04 AM:   Found Spy Cookie: did-it cookie
12:04 AM:   mike b@did-it[1].txt (ID = 2523)
12:04 AM:   Found Spy Cookie: go.com cookie
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   mike [email protected][1].txt (ID = 2293)
12:04 AM:   Found Spy Cookie: empnads cookie
12:04 AM:   mike b@empnads[2].txt (ID = 5012)
12:04 AM:   mike [email protected][1].txt (ID = 1958)
12:04 AM:   mike [email protected][2].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: exitexchange cookie
12:04 AM:   mike b@exitexchange[2].txt (ID = 2633)
12:04 AM:   mike [email protected][2].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: fe.lea.lycos.com cookie
12:04 AM:   mike [email protected][1].txt (ID = 2660)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   mike [email protected][2].txt (ID = 2729)
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: gamespy cookie
12:04 AM:   mike b@gamespy[2].txt (ID = 2719)
12:04 AM:   mike b@go[1].txt (ID = 2728)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   Found Spy Cookie: clickandtrack cookie
12:04 AM:   mike [email protected][2].txt (ID = 2397)
12:04 AM:   Found Spy Cookie: screensavers.com cookie
12:04 AM:   mike [email protected][1].txt (ID = 3298)
12:04 AM:   Found Spy Cookie: ic-live cookie
12:04 AM:   mike b@ic-live[1].txt (ID = 2821)
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: touchclarity cookie
12:04 AM:   mike [email protected][1].txt (ID = 3566)
12:04 AM:   Found Spy Cookie: kinghost cookie
12:04 AM:   mike b@kinghost[2].txt (ID = 2903)
12:04 AM:   Found Spy Cookie: kmpads cookie
12:04 AM:   mike b@kmpads[2].txt (ID = 2909)
12:04 AM:   Found Spy Cookie: kount cookie
12:04 AM:   mike b@kount[2].txt (ID = 2911)
12:04 AM:   Found Spy Cookie: mx-targeting cookie
12:04 AM:   mike [email protected][2].txt (ID = 3024)
12:04 AM:   Found Spy Cookie: top-banners cookie
12:04 AM:   mike [email protected][1].txt (ID = 3548)
12:04 AM:   Found Spy Cookie: ugo cookie
12:04 AM:   mike [email protected][1].txt (ID = 3609)
12:04 AM:   Found Spy Cookie: military cookie
12:04 AM:   mike b@military[2].txt (ID = 2996)
12:04 AM:   mike [email protected][2].txt (ID = 1958)
12:04 AM:   Found Spy Cookie: nextag cookie
12:04 AM:   mike b@nextag[1].txt (ID = 5014)
12:04 AM:   Found Spy Cookie: offeroptimizer cookie
12:04 AM:   mike b@offeroptimizer[2].txt (ID = 3087)
12:04 AM:   mike [email protected][2].txt (ID = 3567)
12:04 AM:   Found Spy Cookie: partypoker cookie
12:04 AM:   mike b@partypoker[2].txt (ID = 3111)
12:04 AM:   Found Spy Cookie: paypopup cookie
12:04 AM:   mike b@paypopup[1].txt (ID = 3119)
12:04 AM:   Found Spy Cookie: pokerroom cookie
12:04 AM:   mike b@pokerroom[2].txt (ID = 3149)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   mike [email protected][2].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: rc cookie
12:04 AM:   mike b@rc[1].txt (ID = 3231)
12:04 AM:   Found Spy Cookie: reunion cookie
12:04 AM:   mike b@reunion[2].txt (ID = 3255)
12:04 AM:   Found Spy Cookie: rightmedia cookie
12:04 AM:   mike b@rightmedia[1].txt (ID = 3259)
12:04 AM:   Found Spy Cookie: rn11 cookie
12:04 AM:   mike b@rn11[2].txt (ID = 3261)
12:04 AM:   Found Spy Cookie: adjuggler cookie
12:04 AM:   mike [email protected][2].txt (ID = 2071)
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: tvguide cookie
12:04 AM:   mike [email protected][1].txt (ID = 3600)
12:04 AM:   mike [email protected][1].txt (ID = 2466)
12:04 AM:   mike [email protected][1].txt (ID = 3600)
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: searchfst cookie
12:04 AM:   mike b@searchfst[1].txt (ID = 3319)
12:04 AM:   Found Spy Cookie: adscpm cookie
12:04 AM:   mike [email protected][1].txt (ID = 2137)
12:04 AM:   Found Spy Cookie: servedby advertising cookie
12:04 AM:   mike [email protected][1].txt (ID = 3335)
12:04 AM:   Found Spy Cookie: serving-sys cookie
12:04 AM:   mike b@serving-sys[1].txt (ID = 3343)
12:04 AM:   Found Spy Cookie: servlet cookie
12:04 AM:   mike b@servlet[2].txt (ID = 3345)
12:04 AM:   Found Spy Cookie: shop@home cookie
12:04 AM:   mike b@shopathomeselect[2].txt (ID = 3367)
12:04 AM:   mike [email protected][1].txt (ID = 1958)
12:04 AM:   mike [email protected][1].txt (ID = 2729)
12:04 AM:   mike [email protected][2].txt (ID = 2729)
12:04 AM:   Found Spy Cookie: spywarestormer cookie
12:04 AM:   mike b@spywarestormer[1].txt (ID = 3417)
12:04 AM:   Found Spy Cookie: statstracking cookie
12:04 AM:   mike b@stats-tracking[2].txt (ID = 3453)
12:04 AM:   Found Spy Cookie: reliablestats cookie
12:04 AM:   mike [email protected][1].txt (ID = 3254)
12:04 AM:   Found Spy Cookie: promaxtraffic cookie
12:04 AM:   mike [email protected][1].txt (ID = 3200)
12:04 AM:   Found Spy Cookie: toplist cookie
12:04 AM:   mike b@toplist[2].txt (ID = 3557)
12:04 AM:   Found Spy Cookie: trb.com cookie
12:04 AM:   mike b@trb[1].txt (ID = 3587)
12:04 AM:   mike b@tvguide[1].txt (ID = 3599)
12:04 AM:   mike b@ugo[1].txt (ID = 3608)
12:04 AM:   mike [email protected][1].txt (ID = 2038)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   mike [email protected][1].txt (ID = 2413)
12:04 AM:   Found Spy Cookie: webpower cookie
12:04 AM:   mike b@webpower[1].txt (ID = 3660)
12:04 AM:   Found Spy Cookie: brazilwelcomesyou cookie
12:04 AM:   mike [email protected][2].txt (ID = 2325)
12:04 AM:   Found Spy Cookie: burstbeacon cookie
12:04 AM:   mike [email protected][2].txt (ID = 2335)
12:04 AM:   mike [email protected][1].txt (ID = 2337)
12:04 AM:   Found Spy Cookie: eadexchange cookie
12:04 AM:   mike [email protected][2].txt (ID = 2556)
12:04 AM:   Found Spy Cookie: myaffiliateprogram.com cookie
12:04 AM:   mike [email protected][2].txt (ID = 3032)
12:04 AM:   mike [email protected][1].txt (ID = 3298)
12:04 AM:   Found Spy Cookie: xiti cookie
12:04 AM:   mike b@xiti[1].txt (ID = 3717)
12:04 AM:   Found Spy Cookie: yadro cookie
12:04 AM:   mike b@yadro[2].txt (ID = 3743)
12:04 AM:   mike b@yieldmanager[2].txt (ID = 3749)
12:04 AM:   Found Spy Cookie: ysbweb cookie
12:04 AM:   mike b@ysbweb[1].txt (ID = 3756)
12:04 AM:   system@adlegend[2].txt (ID = 2074)
12:04 AM:   [email protected][1].txt (ID = 2614)
12:04 AM:   Found Spy Cookie: searchadnetwork cookie
12:04 AM:   system@searchadnetwork[2].txt (ID = 3311)
12:04 AM:   Found Spy Cookie: epilot cookie
12:04 AM:   [email protected][1].txt (ID = 2622)
12:04 AM:   [email protected][1].txt (ID = 3312)
12:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:16
12:04 AM: Starting File Sweep
12:04 AM:   Found Adware: bullguard popup ad
12:04 AM:   c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
12:04 AM:   c:\program files\common files\tsa (ID = -2147480171)
12:04 AM:   c:\program files\quicklinks (2 subtraces) (ID = -2147468660)
12:04 AM:   Found Adware: commonname
12:04 AM:   c:\windows\temp\adware (ID = -2147481214)
12:04 AM:   Found Adware: virtualbouncer
12:04 AM:   c:\program files\vbouncer (1 subtraces) (ID = -2147477376)
12:04 AM:   Found Adware: addestroyer
12:04 AM:   c:\program files\addestroyer (2 subtraces) (ID = -2147476862)
12:04 AM:   Found Adware: gain-supported software
12:04 AM:   c:\program files\common files\gmt (688 subtraces) (ID = -2147480945)
12:04 AM:   c:\program files\common files\cmeii (15 subtraces) (ID = -2147480946)
12:04 AM:   c:\documents and settings\all users\application data\vbouncer (5 subtraces) (ID = -2147480097)
12:04 AM:   Found Adware: abcsearch
12:04 AM:   c:\documents and settings\all users\application data\msw (2 subtraces) (ID = -2147481510)
12:04 AM:   Found Adware: isearch desktop search
12:04 AM:   c:\windows\isrvs (1 subtraces) (ID = -2147480807)
12:04 AM:   Found Adware: sp2ms
12:04 AM:   msresearch.exe (ID = 148760)
12:04 AM:   appmgrgui.zip (ID = 61281)
12:04 AM:   113_dollarrevenue_4_0_3_9.exe (ID = 166444)
12:04 AM:   glf92glf92.exe (ID = 78225)
12:04 AM:   dc8.exe (ID = 148759)
12:04 AM:   Found Adware: elitebar
12:04 AM:   protector_update[1].exe (ID = 59978)
12:04 AM:   pokapoka78.exe (ID = 179560)
12:04 AM:   drsmartload.exe (ID = 178567)
12:04 AM:   mte3ndi6odoxng.exe (ID = 178687)
12:04 AM:   Found Trojan Horse: trojan-downloader-nextern
12:04 AM:   drin.exe (ID = 168231)
12:05 AM:   Found Adware: azsearch toolbar
12:05 AM:   efefdfddfsdh.tmp (ID = 135133)
12:05 AM:   fillin.wav (ID = 61352)
12:05 AM:   Found Adware: 180search assistant/zango
12:05 AM:   saie_gdf.dat (ID = 70626)
12:05 AM:   guninstaller.exe (ID = 61468)
12:06 AM:   gmt.exe.manifest (ID = 61434)
12:06 AM:   bulldownload.exe (ID = 52017)
12:06 AM:   Found Trojan Horse: 2nd-thought
12:06 AM:   old7b.tmp (ID = 48229)
12:06 AM:   hfixcfg (ID = 61483)
12:06 AM:   Found Adware: look2me
12:06 AM:   installer.exe (ID = 168558)
12:06 AM:   Found Adware: apropos
12:06 AM:   wingenerics.dll (ID = 50187)
12:06 AM:   Found Adware: effective-i toolbar
12:06 AM:   ucmoreiex.exe (ID = 59853)
12:06 AM:   Found Adware: ist yoursitebar
12:06 AM:   ysbinstall_1003585.exe (ID = 166206)
12:06 AM:   tsupdate_4_0_3_9_b2.exe (ID = 78281)
12:07 AM:   ucmtsaie.dll (ID = 106574)
12:07 AM:   isearch.xpi (ID = 114627)
12:07 AM:   b2d1e0.tmp (ID = 168162)
12:07 AM:   glf1e5glf1e5.exe (ID = 166444)
12:08 AM:   egieengine.dll (ID = 61343)
12:08 AM:   qllib.dll (ID = 168233)
12:08 AM:   qlutility.exe (ID = 168232)
12:08 AM:   uninst.exe (ID = 73428)
12:08 AM:   saieau.dat (ID = 70623)
12:08 AM:   gatorstubsetup.exe (ID = 61412)
12:08 AM:   Found Adware: isearch toolbar
12:08 AM:   cmdinst.exe (ID = 154747)
12:08 AM:   build3.exe (ID = 64314)
12:08 AM:   tsinstall_4_0_3_8_b17.exe (ID = 78267)
12:08 AM:   ztoolbar.bmp (ID = 107200)
12:08 AM:   ztoolbar.xml (ID = 50365)
12:09 AM:   Found Adware: surf accuracy
12:09 AM:   uninstall.exe (ID = 180136)
12:09 AM:   Found Adware: clearsearch
12:09 AM:   36127196.bin (ID = 52519)
12:09 AM:   Found Adware: daosearch
12:09 AM:   99967440.bin (ID = 57424)
12:09 AM:   77725432.txt (ID = 57421)
12:09 AM:   37306632.bin (ID = 52544)
12:09 AM:   48275170.dat (ID = 52532)
12:09 AM:   Found Adware: topnetsearch hijacker
12:09 AM:   blank.mht (ID = 135135)
12:09 AM:   Found Adware: adlogix
12:09 AM:   killp2_722.exe (ID = 49184)
12:09 AM:   randremove.exe (ID = 49225)
12:09 AM:   Found Trojan Horse: trojan downloader matcash
12:09 AM:   autoit3.exe (ID = 119348)
12:09 AM:   43970950.dat (ID = 52529)
12:09 AM:   toc_0011.exe (ID = 48356)
12:09 AM:   42053428.bin (ID = 52539)
12:09 AM:   glf34glf34.exe (ID = 78275)
12:09 AM:   command.exe (ID = 144946)
12:09 AM:   tsuninst.exe (ID = 78275)
12:09 AM:   swsettings.xml (ID = 82815)
12:09 AM:   Found Adware: linkmaker
12:09 AM:   lmdv.bin (ID = 65588)
12:09 AM:   cmediagnostics.log (ID = 61291)
12:09 AM:   Found Adware: directrevenue-abetterinternet
12:09 AM:   farmmext.ini (ID = 83282)
12:09 AM:   gator.log (ID = 61386)
12:09 AM:   user.xml (ID = 82817)
12:09 AM:   odm.cfg (ID = 61553)
12:09 AM:   bundle.inf (ID = 61287)
12:09 AM:   farmmext.inf (ID = 83281)
12:09 AM:   mepcme.dat (ID = 61517)
12:09 AM:   gatorsupportinfo.txt (ID = 61414)
12:09 AM:   q0tasjbqbgaaaleq-tobgnpj.gdt2 (ID = 61574)
12:09 AM:   20115586.txt (ID = 52512)
12:09 AM:   9561174.txt (ID = 57422)
12:09 AM:   86975017.bin (ID = 52531)
12:09 AM:   25362800.bin (ID = 52517)
12:09 AM:   85908502.dat (ID = 52523)
12:09 AM:   68576313.txt (ID = 52536)
12:09 AM:   5705172.bin (ID = 52520)
12:09 AM:   91328202.dat (ID = 57426)
12:09 AM:   48208944.dat (ID = 57423)
12:09 AM:   21442652.dat (ID = 52541)
12:11 AM: File Sweep Complete, Elapsed Time: 00:07:10
12:11 AM: Full Sweep has completed.  Elapsed time 00:08:55
12:11 AM: Traces Found: 4012
12:12 AM: Removal process initiated
12:12 AM:   Quarantining All Traces: directrevenue-abetterinternet
12:12 AM:   Quarantining All Traces: elitebar
12:12 AM:   Quarantining All Traces: look2me
12:12 AM:   Quarantining All Traces: 2nd-thought
12:12 AM:   Quarantining All Traces: clearsearch
12:12 AM:   Quarantining All Traces: daosearch
12:12 AM:   Quarantining All Traces: 180search assistant/zango
12:12 AM:   Quarantining All Traces: abcsearch
12:12 AM:   Quarantining All Traces: addestroyer
12:12 AM:   Quarantining All Traces: adlogix
12:12 AM:   Quarantining All Traces: altnet
12:12 AM:   Quarantining All Traces: apropos
12:12 AM:   Quarantining All Traces: azsearch toolbar
12:12 AM:   Quarantining All Traces: bullguard popup ad
12:12 AM:   Quarantining All Traces: commonname
12:14 AM:   Quarantining All Traces: cydoor peer-to-peer dependency
12:14 AM:   Quarantining All Traces: effective-i toolbar
12:14 AM:   Quarantining All Traces: findthewebsiteyouneed hijacker
12:14 AM:   Quarantining All Traces: gain-supported software
12:14 AM:   Quarantining All Traces: icannnews
12:14 AM:   icannnews is in use.  It will be removed on reboot.
12:14 AM:     C:\WINDOWS\system32\n4p40e7qeh.dll is in use.  It will be removed on reboot.
12:14 AM:     C:\WINDOWS\system32\dfmclien.dll is in use.  It will be removed on reboot.
12:14 AM:   Quarantining All Traces: instant access
12:14 AM:   Quarantining All Traces: isearch desktop search
12:14 AM:   Quarantining All Traces: isearch toolbar
12:14 AM:   Quarantining All Traces: ist yoursitebar
12:14 AM:   Quarantining All Traces: linkmaker
12:14 AM:   Quarantining All Traces: quicklink search toolbar
12:14 AM:   Quarantining All Traces: sp2ms
12:14 AM:   Quarantining All Traces: surf accuracy
12:14 AM:   Quarantining All Traces: targetsaver
12:14 AM:   Quarantining All Traces: targetsoft
12:15 AM:   Quarantining All Traces: topsearch
12:15 AM:   Quarantining All Traces: trojan downloader matcash
12:15 AM:   Quarantining All Traces: trojan-downloader-nextern
12:15 AM:   Quarantining All Traces: virtualbouncer
12:15 AM:   Quarantining All Traces: 2o7.net cookie
12:15 AM:   Quarantining All Traces: 3 cookie
12:15 AM:   Quarantining All Traces: 360i cookie
12:15 AM:   Quarantining All Traces: 382 cookie
12:15 AM:   Quarantining All Traces: 412 cookie
12:15 AM:   Quarantining All Traces: 447 cookie
12:15 AM:   Quarantining All Traces: 64.62.232 cookie
12:15 AM:   Quarantining All Traces: 66.246.209 cookie
12:15 AM:   Quarantining All Traces: 69.28.210 cookie
12:15 AM:   Quarantining All Traces: 735 cookie
12:15 AM:   Quarantining All Traces: 888 cookie
12:15 AM:   Quarantining All Traces: aa cookie
12:15 AM:   Quarantining All Traces: abetterinternet cookie
12:15 AM:   Quarantining All Traces: about cookie
12:15 AM:   Quarantining All Traces: adecn cookie
12:15 AM:   Quarantining All Traces: adjuggler cookie
12:15 AM:   Quarantining All Traces: adknowledge cookie
12:15 AM:   Quarantining All Traces: adlegend cookie
12:15 AM:   Quarantining All Traces: adorigin cookie
12:15 AM:   Quarantining All Traces: ads.businessweek cookie
12:15 AM:   Quarantining All Traces: adscpm cookie
12:15 AM:   Quarantining All Traces: advertising cookie
12:15 AM:   Quarantining All Traces: ask cookie
12:15 AM:   Quarantining All Traces: atwola cookie
12:15 AM:   Quarantining All Traces: azjmp cookie
12:15 AM:   Quarantining All Traces: banner cookie
12:15 AM:   Quarantining All Traces: bannerspace cookie
12:15 AM:   Quarantining All Traces: belnk cookie
12:15 AM:   Quarantining All Traces: belointeractive cookie
12:15 AM:   Quarantining All Traces: bpath cookie
12:15 AM:   Quarantining All Traces: brazilwelcomesyou cookie
12:15 AM:   Quarantining All Traces: btgrab cookie
12:15 AM:   Quarantining All Traces: burstbeacon cookie
12:15 AM:   Quarantining All Traces: burstnet cookie
12:15 AM:   Quarantining All Traces: cc214142 cookie
12:15 AM:   Quarantining All Traces: ccbill cookie
12:15 AM:   Quarantining All Traces: centralmedia cookie
12:15 AM:   Quarantining All Traces: clickandtrack cookie
12:15 AM:   Quarantining All Traces: clickzs cookie
12:15 AM:   Quarantining All Traces: cliks cookie
12:15 AM:   Quarantining All Traces: cnt cookie
12:15 AM:   Quarantining All Traces: coolsavings cookie
12:15 AM:   Quarantining All Traces: desktop kazaa cookie
12:15 AM:   Quarantining All Traces: did-it cookie
12:15 AM:   Quarantining All Traces: eadexchange cookie
12:15 AM:   Quarantining All Traces: empnads cookie
12:15 AM:   Quarantining All Traces: enhance cookie
12:15 AM:   Quarantining All Traces: epilot cookie
12:15 AM:   Quarantining All Traces: exitexchange cookie
12:15 AM:   Quarantining All Traces: fe.lea.lycos.com cookie
12:15 AM:   Quarantining All Traces: gamespy cookie
12:15 AM:   Quarantining All Traces: go.com cookie
12:15 AM:   Quarantining All Traces: gostats cookie
12:15 AM:   Quarantining All Traces: hbmediapro cookie
12:15 AM:   Quarantining All Traces: hotbar cookie
12:15 AM:   Quarantining All Traces: ic-live cookie
12:15 AM:   Quarantining All Traces: inet-traffic.com cookie
12:15 AM:   Quarantining All Traces: joetec.net cookie
12:15 AM:   Quarantining All Traces: kinghost cookie
12:15 AM:   Quarantining All Traces: kmpads cookie
12:15 AM:   Quarantining All Traces: kount cookie
12:15 AM:   Quarantining All Traces: military cookie
12:15 AM:   Quarantining All Traces: mx-targeting cookie
12:15 AM:   Quarantining All Traces: myaffiliateprogram.com cookie
12:15 AM:   Quarantining All Traces: nextag cookie
12:15 AM:   Quarantining All Traces: offeroptimizer cookie
12:15 AM:   Quarantining All Traces: partypoker cookie
12:15 AM:   Quarantining All Traces: paypopup cookie
12:15 AM:   Quarantining All Traces: pokerroom cookie
12:15 AM:   Quarantining All Traces: precisead cookie
12:15 AM:   Quarantining All Traces: promaxtraffic cookie
12:15 AM:   Quarantining All Traces: rc cookie
12:15 AM:   Quarantining All Traces: reliablestats cookie
12:15 AM:   Quarantining All Traces: reunion cookie
12:15 AM:   Quarantining All Traces: rightmedia cookie
12:15 AM:   Quarantining All Traces: rn11 cookie
12:15 AM:   Quarantining All Traces: screensavers.com cookie
12:15 AM:   Quarantining All Traces: searchadnetwork cookie
12:15 AM:   Quarantining All Traces: searchfst cookie
12:15 AM:   Quarantining All Traces: servedby advertising cookie
12:15 AM:   Quarantining All Traces: serving-sys cookie
12:15 AM:   Quarantining All Traces: servlet cookie
12:15 AM:   Quarantining All Traces: shop@home cookie
12:15 AM:   Quarantining All Traces: specificclick.com cookie
12:15 AM:   Quarantining All Traces: spywarestormer cookie
12:15 AM:   Quarantining All Traces: statstracking cookie
12:15 AM:   Quarantining All Traces: tickle cookie
12:15 AM:   Quarantining All Traces: top-banners cookie
12:15 AM:   Quarantining All Traces: toplist cookie
12:15 AM:   Quarantining All Traces: topnetsearch hijacker
12:15 AM:   Quarantining All Traces: touchclarity cookie
12:15 AM:   Quarantining All Traces: trb.com cookie
12:15 AM:   Quarantining All Traces: tvguide cookie
12:15 AM:   Quarantining All Traces: ugo cookie
12:15 AM:   Quarantining All Traces: webpower cookie
12:15 AM:   Quarantining All Traces: websponsors cookie
12:15 AM:   Quarantining All Traces: xiti cookie
12:15 AM:   Quarantining All Traces: yadro cookie
12:15 AM:   Quarantining All Traces: yieldmanager cookie
12:15 AM:   Quarantining All Traces: ysbweb cookie
12:15 AM: Removal process completed.  Elapsed time 00:03:25
********
11:48 PM: |       Start of Session, Wednesday, October 26, 2005       |
11:48 PM: Spy Sweeper started

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #9 on: October 26, 2005, 11:52:19 PM »
Make sure Spy Sweeper's right up to date
We're going to try this one more time
Close any unnecessary programs running in the background

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service name: System Idle Service

Double click on it, STOP the service if running
In the drop down menu, change the startup type to Disabled

Disconnect completely from the Internet

Run a scan with Spy Sweeper again, fix everything and then allow it to reboot the computer if prompted immediately after it is done, or reboot manually

Come back here and post a fresh hijackthis log
« Last Edit: October 26, 2005, 11:53:08 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MJ SPANNER

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #10 on: October 28, 2005, 01:04:34 PM »
Logfile of HijackThis v1.99.1
Scan saved at 2:04:03 PM, on 10/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100929247942
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #11 on: October 28, 2005, 05:20:16 PM »
That's looking good. Can I have you run another free scanner and a batch file
after you do the following:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Save the log to your desktop, I'll want to see it later.

NOTE: After restart and L2MFix finishes scanning for files, give this time to finish
If a text file doesn't open, run the "second.bat" located inside the L2mfix folder

Back in Windows
Please download miekiemoes' LQfix batch from here:
http://users.telenet.be/bluepatchy/miekiem...tools/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Don't run a scan yet, instead

Print this out again or save to a notepad file for reference
Reboot back to Safe mode

Go to START>>Run>>copy and paste the following line in bold into the open field and then hit OK

sc delete sysidleserv

Run LQFix.bat, a window will open and close, this is normal

Open Ewido
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

==Open the WinPFind folder
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to normal mode

Post back a few logs please, just to make sure we got everything

1. A new Hijackthis log
2. The report you saved from Ewido
3. The log you saved from L2MFix
4. The new WinPFind.txt located in the WinPFind folder

Use more than one reply if you have to, I would like to see all the logs, thanks
Let me know how everything's running
« Last Edit: October 28, 2005, 05:20:38 PM by guestolo »

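As an added illustration of what the L2Mfix step above is checking (this is example code written for this page, not part of L2Mfix, Ewido, or guestolo's instructions): look2me-style infections register their random-named DLLs as Winlogon Notify packages, which is why L2Mfix resets the permissions on that key and prints an export of it when it finishes (the export is posted later in this thread). The Python below parses such a .reg export, decodes the hex(2) (REG_EXPAND_SZ) DllName values that regedit wraps across lines, and reports every Notify subkey that is not one of the Windows XP packages seen in the cleaned export. The sample export is constructed for this example: the `mnxml` subkey and its DLL mirror one of the files L2Mfix removed in this thread but are not copied from a real export, and the igfxcui/WRNotifier allowlist is an assumption about what is legitimate on this particular machine.

```python
"""Audit a regedit export of HKLM\\...\\Winlogon\\Notify for unexpected DLLs.

Example code for this thread, not part of L2Mfix. The baseline below is the
set of Notify packages shown in the cleaned export posted later in the thread.
"""
import re

# Notify packages that ship with Windows XP (subkey -> DLL, lowercase).
XP_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

# Assumption: third-party packages known to be legitimate on this machine
# (Intel graphics driver, Webroot Spy Sweeper). Anything else is reported.
LOCAL_ALLOWLIST = {
    "igfxcui": "igfxdev.dll",
    "wrnotifier": "wrlogonntf.dll",
}

NOTIFY_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
    "\\winlogon\\notify\\"
)

# Constructed sample export in the same layout regedit produces. The
# "mnxml" subkey is a constructed rogue entry, not from the real export.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mnxml]
"Asynchronous"=dword:00000001
"DllName"=hex(2):6d,00,6e,00,78,00,6d,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00
"Logon"="WinlogonLogonEvent"
"""


def _join_continuations(text):
    """Reassemble values that regedit wraps with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def _decode_value(rhs):
    """Decode a quoted REG_SZ or a hex(2) REG_EXPAND_SZ value to a string."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1]
    m = re.match(r"hex\(2\):(.*)$", rhs, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")  # drop the NUL terminator
    return rhs


def parse_notify_export(text):
    """Return {subkey: dll} for every Notify subkey in the export."""
    result = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = key[len(NOTIFY_PREFIX):] if key.startswith(NOTIFY_PREFIX) else None
            if current is not None:
                result.setdefault(current, None)
            continue
        if current is None or "=" not in line:
            continue
        name, _, rhs = line.partition("=")
        if name.strip('"').lower() == "dllname":  # regedit writes DllName or DLLName
            result[current] = _decode_value(rhs.strip())
    return result


def audit_notify(text):
    """Return sorted (subkey, dll, reason) tuples for entries needing review."""
    findings = []
    for subkey, dll in parse_notify_export(text).items():
        expected = XP_BASELINE.get(subkey) or LOCAL_ALLOWLIST.get(subkey)
        if expected is None:
            findings.append((subkey, dll, "unknown Notify package"))
        elif (dll or "").lower() != expected:
            findings.append((subkey, dll, f"expected {expected}"))
    return sorted(findings)


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_EXPORT):
        print(f"REVIEW  {subkey:<14} {dll!s:<20} {reason}")
```

Feed it the export L2Mfix prints (or `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` from a command prompt) and treat each flagged subkey as something to look up before touching it: a vendor package such as a graphics driver or an anti-spyware logon hook is expected to show up here, so the allowlist is what you maintain per machine, while a random-looking subkey pointing at a random-looking DLL in System32 is the pattern L2Mfix exists to clean up.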


Offline MJ SPANNER

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #12 on: October 30, 2005, 09:28:04 PM »
Everything is running smoothly now.  It's running much faster and nothing seems out of the ordinary.

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:20:02 PM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100929247942
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)



--------------------------------


--------------------------------


C:\
C:\
Setting Directory
C:\
C:\
System Rebooted!
 
Running From:
C:\
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 564 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 700 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\gpnsl3571.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnxml.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbgwizc.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\gpnsl3571.dll  
Successfully Deleted: C:\WINDOWS\system32\gpnsl3571.dll
deleting: C:\WINDOWS\system32\mnxml.dll  
Successfully Deleted: C:\WINDOWS\system32\mnxml.dll
deleting: C:\WINDOWS\system32\rbgwizc.dll  
Successfully Deleted: C:\WINDOWS\system32\rbgwizc.dll
 
 
Zipping up files for submission:
  adding: gpnsl3571.dll (188 bytes security) (deflated 4%)
  adding: mnxml.dll (188 bytes security) (deflated 4%)
  adding: rbgwizc.dll (188 bytes security) (deflated 5%)
  adding: clear.reg (188 bytes security) (deflated 22%)
  adding: AILog.txt (188 bytes security) (stored 0%)
  adding: lo2.txt (188 bytes security) (deflated 66%)
  adding: test.txt (188 bytes security) (deflated 49%)
  adding: test2.txt (188 bytes security) (stored 0%)
  adding: test3.txt (188 bytes security) (stored 0%)
  adding: test5.txt (188 bytes security) (stored 0%)
  adding: xfind.txt (188 bytes security) (deflated 44%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: gpnsl3571.dll  
deleting local copy: mnxml.dll  
deleting local copy: rbgwizc.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\gpnsl3571.dll
C:\WINDOWS\system32\mnxml.dll
C:\WINDOWS\system32\rbgwizc.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F440DF1A-6070-488C-8BC1-6B46EA46E220}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F440DF1A-6070-488C-8BC1-6B46EA46E220}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

-------------------------------

L2Mfix 1.04a
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
Setting Directory
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1092 'explorer.exe'
Killing PID 1092 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 540 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\dwvoice.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i642lgho164c.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir82l5lo1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qydit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnnls.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\dwvoice.dll  
Successfully Deleted: C:\WINDOWS\system32\dwvoice.dll
deleting: C:\WINDOWS\system32\i642lgho164c.dll  
Successfully Deleted: C:\WINDOWS\system32\i642lgho164c.dll
deleting: C:\WINDOWS\system32\ir82l5lo1.dll  
Successfully Deleted: C:\WINDOWS\system32\ir82l5lo1.dll
deleting: C:\WINDOWS\system32\qydit.dll  
Successfully Deleted: C:\WINDOWS\system32\qydit.dll
deleting: C:\WINDOWS\system32\wlnnls.dll  
Successfully Deleted: C:\WINDOWS\system32\wlnnls.dll
 
 
Zipping up files for submission:
  adding: dwvoice.dll (164 bytes security) (deflated 5%)
  adding: i642lgho164c.dll (164 bytes security) (deflated 4%)
  adding: ir82l5lo1.dll (164 bytes security) (deflated 4%)
  adding: qydit.dll (164 bytes security) (deflated 5%)
  adding: wlnnls.dll (164 bytes security) (deflated 5%)
updating: clear.reg (164 bytes security) (deflated 46%)
updating: echo.reg (164 bytes security) (deflated 12%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 76%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: report.txt (164 bytes security) (deflated 64%)
updating: test.txt (164 bytes security) (deflated 61%)
updating: test2.txt (164 bytes security) (deflated 27%)
updating: test3.txt (164 bytes security) (deflated 27%)
updating: test5.txt (164 bytes security) (deflated 27%)
updating: xfind.txt (164 bytes security) (deflated 55%)
  adding: log.txt (164 bytes security) (deflated 80%)
updating: backregs/687E845C-FDCB-4ECE-8D8D-ED12DA7F3990.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 88%)
updating: backregs/shell.reg (164 bytes security) (deflated 73%)
  adding: backregs/279B161E-3ABF-4999-AE99-8AEE735AE0D0.reg (164 bytes security) (deflated 70%)
  adding: backregs/D691A32D-1F54-4989-9B8A-817894615F9A.reg (164 bytes security) (deflated 70%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: dwvoice.dll  
deleting local copy: i642lgho164c.dll  
deleting local copy: ir82l5lo1.dll  
deleting local copy: qydit.dll  
deleting local copy: wlnnls.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\plwma.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dwvoice.dll
C:\WINDOWS\system32\i642lgho164c.dll
C:\WINDOWS\system32\ir82l5lo1.dll
C:\WINDOWS\system32\qydit.dll
C:\WINDOWS\system32\wlnnls.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D691A32D-1F54-4989-9B8A-817894615F9A}"=-
"{279B161E-3ABF-4999-AE99-8AEE735AE0D0}"=-
"{570D7B09-A354-48BB-8163-826E8A0AD657}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D691A32D-1F54-4989-9B8A-817894615F9A}]
[-HKEY_CLASSES_ROOT\CLSID\{279B161E-3ABF-4999-AE99-8AEE735AE0D0}]
[-HKEY_CLASSES_ROOT\CLSID\{570D7B09-A354-48BB-8163-826E8A0AD657}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

---------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG!                 2/21/2003 1:40:50 PM        5351256    C:\WINDOWS\msjavwu.exe

Checking %System% folder...
PEC2                 8/29/2002 7:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2                 10/26/2004 5:38:24 PM       716800     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           10/26/2004 5:38:24 PM       716800     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                8/29/2005 12:27:12 PM       520968     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor             8/29/2002 7:00:00 AM        631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
qoologic             3/25/2005 3:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
aspack               3/25/2005 3:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
PTech                3/25/2005 3:28:46 PM        10050208   C:\WINDOWS\SYSTEM32\saie_kyf.dat
winsync              8/29/2002 7:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1  www.qoologic.com
127.0.0.1  www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     10/30/2005 7:54:02 PM     S 2048       C:\WINDOWS\bootstat.dat
                     10/30/2005 7:52:48 PM    H  24         C:\WINDOWS\p5YqZ
                     10/25/2005 7:24:24 PM    H  54156      C:\WINDOWS\QTFont.qfn
                     9/25/2005 12:14:42 AM    H  27136      C:\WINDOWS\x74ca5e40.tmp
                     10/4/2005 12:16:36 PM     S 20086      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
                     9/28/2005 10:53:30 AM     S 17402      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
                     9/9/2005 6:15:08 PM       S 11084      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
                     10/30/2005 7:54:24 PM    H  1024       C:\WINDOWS\system32\config\default.LOG
                     10/30/2005 7:54:20 PM    H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     10/30/2005 7:54:24 PM    H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
                     10/30/2005 8:42:50 PM    H  147456     C:\WINDOWS\system32\config\software.LOG
                     10/30/2005 7:55:08 PM    H  929792     C:\WINDOWS\system32\config\system.LOG
                     9/1/2005 8:09:26 PM      HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\425411ad-9883-44ea-80f9-0c9d4b5afb70
                     9/1/2005 8:09:28 PM      HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     10/30/2005 7:53:10 PM    H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 7:00:00 AM        66048      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              4/25/2005 9:31:44 AM        77824      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        121856     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         4/13/2005 2:48:52 AM        49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems               11/1/2002 10:15:54 PM       45175      C:\WINDOWS\SYSTEM32\plugincpl140_03.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 5:57:40 PM        323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation               12/4/1999 6:11:30 AM        151552     C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 2:41:00 AM        208896     C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Intel Corporation              4/25/2005 9:31:44 AM        77824      C:\WINDOWS\SYSTEM32\ReinstallBackups\0021\DriverFiles\igfxcpl.cpl
Intel Corporation              3/11/2003 1:18:48 PM        94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0025\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     4/11/2003 4:59:50 AM        1647       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
                     4/9/2003 8:47:46 PM      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     1/19/2005 12:02:46 AM       1730       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     4/11/2003 4:59:50 AM        675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
                     4/11/2003 4:59:50 AM        675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     4/9/2003 1:42:46 PM      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     4/9/2003 8:47:46 PM      HS 84         C:\Documents and Settings\Mike B\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     4/9/2003 1:42:46 PM      HS 62         C:\Documents and Settings\Mike B\Application Data\desktop.ini
                     11/30/2004 7:45:54 PM       0          C:\Documents and Settings\Mike B\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
       = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
   {7C9D5882-CB4A-4090-96C8-430BFE8B795B}    = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
       = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx
   {2318C2B1-4965-11d4-9B18-009027A5CD4F}    = &Google   : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
   ButtonText    = PartyPoker.com   : C:\Program Files\PartyPoker\PartyPoker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
   ButtonText    = MoneySide   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   ezShieldProtector for Px   C:\WINDOWS\System32\ezSP_Px.exe
   MCUpdateExe   C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
   SpySweeper   "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   AIM   C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    = igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
    = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/30/2005 8:56:53 PM
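The most useful part of the L2MFix output above is the raw export of the Winlogon\Notify key, because that is where Look2Me persists: a notification package DLL is loaded by winlogon.exe at logon, so the adware survives any cleanup done from the user's desktop. The script below is an added example written for this thread; it is not part of L2MFix, WinPFind, or the original posts. It parses a .reg export of that key (rejoining backslash-continued lines and decoding hex(2), which is REG_EXPAND_SZ stored as little-endian UTF-16), then gives every subkey one of three verdicts: "baseline" when the DLL matches an assumed Windows XP baseline, "review" for a bare DLL name outside that baseline (Intel's igfxdev.dll, Webroot's WRLogonNTF.dll), and "suspicious" for an absolute path, since the built-in packages are registered by bare name and resolved from System32, while the Look2Me entry in the export ("Explorer" pointing at C:\WINDOWS\system32\plwma.dll) is not. The KNOWN_GOOD table and the verdict labels are this example's assumptions; the sample text is an excerpt of the export posted above.

```python
import re

# Excerpt copied from the "Current Export of the Winlogon notify key" in the
# thread above. Four subkeys are enough to exercise every value form that
# export contains: quoted strings, dword values, and a hex(2) DllName that
# .reg files break across lines with a trailing backslash.
NOTIFY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\plwma.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Logon"="WRLogon"
'''

# Assumed baseline: the notification packages Windows XP ships with, taken
# from the entries in the export above that resolve to Microsoft DLLs.
# Keys are lower-cased because subkey and value names are case-insensitive
# (the export itself mixes "DllName" and "DLLName").
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll", "wzcnotif": "wzcdlg.dll",
}

SUBKEY_RE = re.compile(r'\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$', re.I)


def _unfold(text):
    # .reg files continue long hex values with "\" + newline + indent; rejoin them.
    return re.sub(r'\\\r?\n\s*', '', text)


def _decode_hex2(payload):
    # hex(2) = REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string.
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_notify_export(text):
    """Return {subkey: {value_name: value}} for every Notify\\<subkey> in a .reg export."""
    entries, current = {}, None
    for line in _unfold(text).splitlines():
        line = line.strip()
        m = SUBKEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        name, _, value = line[1:].partition('"=')
        if value.lower().startswith('hex(2):'):
            value = _decode_hex2(value[7:])
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\')  # .reg doubles backslashes
        entries[current][name] = value
    return entries


def triage(entries):
    """Classify each notification package as baseline / review / suspicious."""
    findings = []
    for subkey, values in entries.items():
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), '')
        expected = KNOWN_GOOD.get(subkey.lower())
        if expected and dll.lower() == expected:
            verdict = 'baseline'
        elif re.search(r'[:\\]', dll):
            verdict = 'suspicious'  # absolute path: built-in packages use bare names
        else:
            verdict = 'review'      # bare name, but not a Windows component
        findings.append((subkey, dll, verdict))
    return findings


if __name__ == '__main__':
    for subkey, dll, verdict in triage(parse_notify_export(NOTIFY_EXPORT)):
        print(f'{verdict:10} {subkey:14} -> {dll}')
```

Two caveats a practitioner should keep in mind. A bare DLL name is not proof of legitimacy: a dropper can write its payload into System32 under an innocuous name, so a "baseline" verdict still warrants checking the file on disk (hash, signature, timestamp) rather than trusting the registry value alone. And a .reg export is a snapshot; Look2Me re-creates its subkey when its DLL is loaded again, which is why L2MFix first adds a Deny ACE for "Create Subkey" on the Notify key for Administrators (the `(CI) DENY --C---` line in the log), reboots, deletes the DLLs, and only then restores the original permissions.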

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #13 on: October 30, 2005, 09:37:08 PM »
You didn't post me the Ewido report. If you can do that now, please; I would just like to have a look at it.

It also appears you may have posted a new and an old log from L2MFix.
By the looks of the Winpfind.txt, I think I know which one of the L2M logs is the latest.

We just have some minor cleanup and you should be good to go :)
« Last Edit: October 30, 2005, 09:38:10 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MJ SPANNER

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #14 on: October 31, 2005, 02:14:12 PM »
Ahh, sorry about that.



---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         8:49:46 PM, 10/30/2005
 + Report-Checksum:      B8D2F19E

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{258A3625-183B-4477-AEE2-EA54DF6D878D} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{258A3625-183B-4477-AEE2-EA54DF6D878D}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKU\S-1-5-21-630620334-398432482-2331515877-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
   C:\backup.zip/gpnsl3571.dll -> Spyware.Look2Me : Cleaned with backup
   C:\backup.zip/mnxml.dll -> Spyware.Look2Me : Cleaned with backup
   C:\backup.zip/rbgwizc.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/demap.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/k8800ilme8qa0.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/l26olcj31fo.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/msg4dmod.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/nwtplwiz.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/dwvoice.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/i642lgho164c.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/ir82l5lo1.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/qydit.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Desktop\New Folder (2)\l2mfix\backup.zip/wlnnls.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\10748790_2408_2060_2324_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\10748790_2408_2060_2348_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\11142094_2408_2060_1520_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\17695124_3844_2060_3260_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\7603208_2408_2060_1604_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\lcgl.exe -> Backdoor.Spyboter : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\p2psetup.exe -> Spyware.P2PNetworking : Cleaned with backup
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\Program Files\Common Files\Download\mc-58-12-0000137.exe -> Spyware.Maxifiles : Cleaned with backup
   C:\Program Files\Common Files\InetGet\mc-58-12-0000137.exe -> Spyware.Maxifiles : Cleaned with backup
   C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
   C:\Program Files\Vieffice\Cache\00005af1_435e9fbe_000e1113 -> TrojanDownloader.IstBar.j : Cleaned with backup
   C:\WINDOWS\drsmartload105a.exe -> TrojanDownloader.VB.qr : Cleaned with backup
   C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
   C:\WINDOWS\TWlrZSBC\asappsrv.dll -> Spyware.CommAd : Cleaned with backup


::Report End
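A report like the one above mixes tracking cookies, items already sitting inside a tool's backup archive, registry keys, and actual executables, and they do not deserve equal attention. The script below is an added example of how to triage it; the parser and the bucketing rules are mine, not ewido's, and SAMPLE_REPORT is a constructed excerpt in ewido's layout built from a few lines of the posted report.

```python
"""Triage an ewido scan report by detection family and location.

Added example: the parser and priority rules are mine, not ewido's; the
SAMPLE_REPORT below is a constructed excerpt in ewido's report layout.
"""
import re
from collections import Counter

# One result line: "<path> -> <detection> : <action>"
ENTRY_RE = re.compile(r"^\s*(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\s*$")

SAMPLE_REPORT = r"""
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   C:\backup.zip/mnxml.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Mike B\Cookies\mike b@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Mike B\Local Settings\Temp\lcgl.exe -> Backdoor.Spyboter : Cleaned with backup
   C:\WINDOWS\drsmartload105a.exe -> TrojanDownloader.VB.qr : Cleaned with backup
   C:\WINDOWS\TWlrZSBC\asappsrv.dll -> Spyware.CommAd : Cleaned with backup

::Report End
"""

# Detection families that mean executable code ran or could run, not just adware.
CODE_FAMILIES = {"Backdoor", "Trojan", "TrojanDownloader", "Dialer", "Worm"}


def parse_report(text):
    """Return a list of {path, detection, action} dicts, one per result line."""
    results = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            results.append(m.groupdict())
    return results


def classify(entry):
    """Assign a triage bucket; order matters (first matching rule wins)."""
    det, path = entry["detection"], entry["path"]
    if det.startswith("Spyware.Cookie."):
        return "cookie"            # tracking cookie: no code executes
    if ".zip/" in path:
        return "quarantined"       # already inside a cleanup tool's backup archive
    if path.upper().startswith(("HKLM\\", "HKU\\", "HKCU\\")):
        return "registry"          # leftover CLSID/Interface keys, check for orphaned files
    if det.split(".")[0] in CODE_FAMILIES:
        return "active-malware"    # backdoor/downloader binaries: highest priority
    return "adware-spyware"


def summarize(text):
    """Count entries per bucket so the reviewer sees what actually matters."""
    return Counter(classify(e) for e in parse_report(text))


def high_priority(text):
    """Paths of active-malware hits, the ones to check for siblings and persistence."""
    return [e["path"] for e in parse_report(text) if classify(e) == "active-malware"]


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{bucket:16s} {n}")
    for p in high_priority(SAMPLE_REPORT):
        print("priority:", p)
```

On the full posted report the cookie bucket dominates by count while the items that explain the symptoms (the Temp-folder backdoor, the downloader in C:\WINDOWS, the DLL in the odd-named C:\WINDOWS\TWlrZSBC folder) are a handful of lines; the summary makes that visible at a glance and points to the folders the next reply tells the poster to inspect.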

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32.P2P-Worm.Alcan.a complications
« Reply #15 on: October 31, 2005, 11:34:39 PM »
Find and delete these files if found
C:\WINDOWS\x74ca5e40.tmp
C:\WINDOWS\SYSTEM32\saie_kyf.dat <-file
C:\WINDOWS\msjavwu.exe <-file

C:\WINDOWS\p5YqZ <-file with no extension, or may be a folder, take a look please

and the following folder
 C:\WINDOWS\TWlrZSBC <-folder


If everything is running better, please do the following
You should disable System Restore >> reboot your computer >> and then re-enable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is re-enabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

You should consider updating to it; it's important to keep up with all Windows updates
http://www.microsoft.com/windowsxp/sp2/default.mspx
