Author Topic: enn4l15q1.dll...grrr.  (Read 1206 times)

Offline acidpoupon

enn4l15q1.dll...grrr.
« on: November 07, 2005, 02:07:53 AM »
Hi everyone. I have tried and read many topics to help me remove these annoying pop-ups, so I resorted to asking :D. If anyone would be nice enough to help me through this pesky problem.

Logfile of HijackThis v1.99.1
Scan saved at 1:50:35 AM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe

O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\enn4l15q1.dll

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 2CAF-3063

 Directory of C:\WINDOWS\System32

11/07/2005  01:48 AM           235,514 saellstyle.dll
11/07/2005  01:48 AM           236,664 i0nmla511d.dll
11/07/2005  01:43 AM           235,514 enn4l15q1.dll
11/07/2005  01:32 AM           237,005 nhprint.dll
11/07/2005  01:27 AM           235,664 wmbvw.dll
11/07/2005  01:22 AM           236,694 dmmclien.dll
11/07/2005  01:19 AM           235,664 ohedlg.dll
11/07/2005  12:48 AM           234,123 cfadmin.dll
11/07/2005  12:05 AM           233,903 wjaueng1.dll
11/06/2005  11:40 PM           237,308 kddsf.dll
11/06/2005  11:20 PM           234,206 nulsapi.dll
11/06/2005  11:08 PM           237,080 vdoy.dll
11/06/2005  10:32 PM           235,308 spbcsp.dll
11/06/2005  10:11 PM           233,933 ncmsmgr.dll
11/06/2005  10:06 PM           234,704 wknntbbu.dll
11/06/2005  11:15 AM           234,041 mjdxmlc.dll
11/05/2005  11:57 PM           236,342 m0ls0a37ed.dll
11/05/2005  02:32 PM           236,342 fclemgmt.dll
11/05/2005  02:29 PM           235,487 ir0ml5d11.dll
11/04/2005  12:38 PM           233,911 dndskmgr.dll
11/04/2005  12:15 PM           233,911 lt4027hmg.dll
11/04/2005  11:35 AM           236,257 i6lolg3316.dll
11/04/2005  10:01 AM           236,257 rIcpldlg.dll
11/04/2005  10:01 AM           233,911 h62olgf3162.dll
10/24/2005  02:03 AM    <DIR>          dllcache
06/27/2005  12:02 AM            10,856 KGyGaAvL.sys
08/03/2004  09:30 AM    <DIR>          Microsoft
              25 File(s)      5,660,599 bytes
               2 Dir(s)  137,777,729,536 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 2CAF-3063

 Directory of C:\WINDOWS\System32

10/24/2005  02:03 AM    <DIR>          dllcache
06/27/2005  12:02 AM            10,856 KGyGaAvL.sys
08/03/2004  09:24 AM               488 WindowsLogon.manifest
08/03/2004  09:24 AM               488 logonui.exe.manifest
08/03/2004  09:24 AM               749 nwc.cpl.manifest
08/03/2004  09:24 AM               749 sapi.cpl.manifest
08/03/2004  09:24 AM               749 ncpa.cpl.manifest
08/03/2004  09:24 AM               749 cdplayer.exe.manifest
08/03/2004  09:24 AM               749 wuaucpl.cpl.manifest
               8 File(s)         15,577 bytes
               1 Dir(s)  137,777,729,536 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 2CAF-3063

 Directory of C:\WINDOWS\System32

11/07/2005  01:48 AM           237,315 guard.tmp
               1 File(s)        237,315 bytes
               0 Dir(s)  137,777,725,440 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 2CAF-3063

 Directory of C:\WINDOWS\System32

11/07/2005  01:48 AM           237,315 guard.tmp
               1 File(s)        237,315 bytes
               0 Dir(s)  137,777,725,440 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F929E098-9D19-A515-B96A-B2FD49788061}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enn4l15q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   cfadmin.dll    Mon Nov  7 2005  12:48:10a  ..S.R        234,123   228.63 K
   dmmclien.dll   Mon Nov  7 2005   1:22:48a  ..S.R        236,694   231.14 K
   dndskmgr.dll   Fri Nov  4 2005  12:38:10p  ..S.R        233,911   228.43 K
   fclemgmt.dll   Sat Nov  5 2005   2:32:46p  ..S.R        236,342   230.80 K
   kddsf.dll      Sun Nov  6 2005  11:40:04p  ..S.R        237,308   231.75 K
   mjdxmlc.dll    Sun Nov  6 2005  11:15:32a  ..S.R        234,041   228.55 K
   ncmsmgr.dll    Sun Nov  6 2005  10:11:38p  ..S.R        233,933   228.45 K
   nhprint.dll    Mon Nov  7 2005   1:32:56a  ..S.R        237,005   231.45 K
   nulsapi.dll    Sun Nov  6 2005  11:20:40p  ..S.R        234,206   228.71 K
   ohedlg.dll     Mon Nov  7 2005   1:19:04a  ..S.R        235,664   230.14 K
   ricpldlg.dll   Fri Nov  4 2005  10:01:40a  ..S.R        236,257   230.72 K
   spbcsp.dll     Sun Nov  6 2005  10:32:50p  ..S.R        235,308   229.79 K
   vdoy.dll       Sun Nov  6 2005  11:08:30p  ..S.R        237,080   231.52 K
   wjaueng1.dll   Mon Nov  7 2005  12:05:20a  ..S.R        233,903   228.42 K
   wknntbbu.dll   Sun Nov  6 2005  10:06:32p  ..S.R        234,704   229.20 K
   wmbvw.dll      Mon Nov  7 2005   1:27:50a  ..S.R        235,664   230.14 K

16 items found:  16 files, 0 directories.
   Total of file sizes:  3,766,143 bytes      3.59 M



I know it has to do with that enn4l15q1.dll :D Thank you.

Offline acidpoupon

enn4l15q1.dll...grrr.
« Reply #1 on: November 07, 2005, 11:05:16 AM »
bump?

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #2 on: November 07, 2005, 08:37:26 PM »
What happened to your hijackthis log????
If you tried fixing entries yourself, Open hijackthis
"View a list of backups"
RESTORE all backups

If you have anything disabled with msconfig
Go back and enable everything

Once the above is done, come back here and post a fresh hijackthis log

Also, double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
« Last Edit: November 07, 2005, 08:39:02 PM by guestolo »

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline acidpoupon

enn4l15q1.dll...grrr.
« Reply #3 on: November 08, 2005, 12:34:43 AM »
Logfile of HijackThis v1.99.1
Scan saved at 12:29:51 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\RefreshLock.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\T-Clock\tclock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) -  - (no file)
O1 - Hosts: ximages.offeroptimizer.com
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\en4ql1h51.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjql1151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f02mlaf11d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4ql1h51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F929E098-9D19-A515-B96A-B2FD49788061}"=""

********************************************************************************
**
Shell Extension key:

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}\InprocServer32]
@="C:\\WINDOWS\\system32\\fclemgmt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}\InprocServer32]
@="C:\\WINDOWS\\system32\\saellstyle.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mjdxmlc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\wknntbbu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}\InprocServer32]
@="C:\\WINDOWS\\system32\\ncmsmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\spbcsp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}\InprocServer32]
@="C:\\WINDOWS\\system32\\vdoy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}\InprocServer32]
@="C:\\WINDOWS\\system32\\kddsf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}\InprocServer32]
@="C:\\WINDOWS\\system32\\umrvoica.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   ati2cqag.dll   Tue Aug 30 2005   8:42:50p  A....        233,472   228.00 K
   ati2dvag.dll   Tue Aug 30 2005   9:42:54p  A....        238,592   233.00 K
   ati2edxx.dll   Tue Aug 30 2005   9:37:22p  A....         39,936    39.00 K
   ati2evxx.dll   Tue Aug 30 2005   9:37:12p  A....         46,080    45.00 K
   ati3duag.dll   Tue Aug 30 2005   9:28:36p  A....      2,429,824     2.32 M
   atiddc.dll     Tue Aug 30 2005   9:35:46p  A....         53,248    52.00 K
   atidemgr.dll   Tue Aug 30 2005  11:33:32p  A....        258,048   252.00 K
   atiiiexx.dll   Wed Aug 31 2005  12:08:36a  A....        307,200   300.00 K
   atikvmag.dll   Tue Aug 30 2005   9:10:36p  A....        147,456   144.00 K
   atioglx1.dll   Tue Aug 30 2005  10:57:50p  A....      6,684,672     6.38 M
   atioglxx.dll   Tue Aug 30 2005   9:57:00p  A....      4,718,592     4.50 M
   atipdlxx.dll   Tue Aug 30 2005   9:37:44p  A....        106,496   104.00 K
   atitvo32.dll   Tue Aug 30 2005   8:47:46p  A....         17,408    17.00 K
   ativvaxx.dll   Tue Aug 30 2005   9:23:04p  A....        600,672   586.59 K
   atmtd.dll      Fri Nov  4 2005  12:43:46a  A....        687,592   671.48 K
   browseui.dll   Fri Sep  2 2005   6:52:04p  A....      1,019,904   996.00 K
   cdfview.dll    Fri Sep  2 2005   6:52:04p  A....        151,040   147.50 K
   cdosys.dll     Fri Sep  9 2005   8:53:42p  A....      2,067,968     1.97 M
   cfadmin.dll    Mon Nov  7 2005  12:48:10a  ..S.R        234,123   228.63 K
   danim.dll      Fri Sep  2 2005   6:52:04p  A....      1,053,696     1.00 M
   dmmclien.dll   Mon Nov  7 2005   1:22:48a  ..S.R        236,694   231.14 K
   dndskmgr.dll   Fri Nov  4 2005  12:38:10p  ..S.R        233,911   228.43 K
   dxtrans.dll    Fri Sep  2 2005   6:52:04p  A....        205,312   200.50 K
   extmgr.dll     Fri Sep  2 2005   6:52:04p  .....         55,808    54.50 K
   fclemgmt.dll   Sat Nov  5 2005   2:32:46p  ..S.R        236,342   230.80 K
   iepeers.dll    Fri Sep  2 2005   6:52:04p  A....        251,392   245.50 K
   inseng.dll     Fri Sep  2 2005   6:52:04p  A....         96,256    94.00 K
   kddsf.dll      Sun Nov  6 2005  11:40:04p  ..S.R        237,308   231.75 K
   linkinfo.dll   Wed Aug 31 2005   8:41:54p  A....         19,968    19.50 K
   mjdxmlc.dll    Sun Nov  6 2005  11:15:32a  ..S.R        234,041   228.55 K
   mshtml.dll     Tue Oct  4 2005   4:26:00p  A....      3,015,168     2.88 M
   mshtmled.dll   Fri Sep  2 2005   6:52:06p  A....        448,512   438.00 K
   msrating.dll   Fri Sep  2 2005   6:52:06p  A....        146,432   143.00 K
   mstime.dll     Fri Sep  2 2005   6:52:06p  A....        530,432   518.00 K
   msvcp71.dll    Fri Nov  4 2005   1:25:06a  A....        499,712   488.00 K
   ncmsmgr.dll    Sun Nov  6 2005  10:11:38p  ..S.R        233,933   228.45 K
   netman.dll     Mon Aug 22 2005   1:29:46p  A....        197,632   193.00 K
   nhprint.dll    Mon Nov  7 2005   1:32:56a  ..S.R        237,005   231.45 K
   nulsapi.dll    Sun Nov  6 2005  11:20:40p  ..S.R        234,206   228.71 K
   oemdspif.dll   Tue Aug 30 2005   9:37:34p  A....         73,728    72.00 K
   ohedlg.dll     Mon Nov  7 2005   1:19:04a  ..S.R        235,664   230.14 K
   pncrt.dll      Sun Sep 25 2005  12:15:06a  A....        278,528   272.00 K
   pndx5016.dll   Sun Sep 25 2005  12:15:10a  A....          6,656     6.50 K
   pndx5032.dll   Sun Sep 25 2005  12:15:10a  A....          5,632     5.50 K
   pngfilt.dll    Fri Sep  2 2005   6:52:06p  A....         39,424    38.50 K
   quartz.dll     Mon Aug 29 2005  10:54:26p  A....      1,287,168     1.23 M
   ricpldlg.dll   Fri Nov  4 2005  10:01:40a  ..S.R        236,257   230.72 K
   rmoc3260.dll   Sun Sep 25 2005  12:15:16a  A....        176,167   172.04 K
   shdocvw.dll    Fri Sep  2 2005   6:52:06p  A....      1,483,776     1.41 M
   shell32.dll    Thu Sep 22 2005  10:05:30p  A....      8,450,560     8.06 M
   shlwapi.dll    Fri Sep  2 2005   6:52:06p  A....        473,600   462.50 K
   spbcsp.dll     Sun Nov  6 2005  10:32:50p  ..S.R        235,308   229.79 K
   umpnpmgr.dll   Mon Aug 22 2005  10:35:42p  A....        123,392   120.50 K
   umrvoica.dll   Tue Nov  8 2005  12:27:58a  ..S.R        234,896   229.39 K
   urlmon.dll     Fri Sep  2 2005   6:52:06p  A....        608,768   594.50 K
   vdoy.dll       Sun Nov  6 2005  11:08:30p  ..S.R        237,080   231.52 K
   wininet.dll    Fri Sep  2 2005   6:52:06p  A....        658,432   643.00 K
   winsrv.dll     Wed Aug 31 2005   8:41:54p  A....        291,840   285.00 K
   wjaueng1.dll   Mon Nov  7 2005  12:05:20a  ..S.R        233,903   228.42 K
   wknntbbu.dll   Sun Nov  6 2005  10:06:32p  ..S.R        234,704   229.20 K
   wmbvw.dll      Mon Nov  7 2005   1:27:50a  ..S.R        235,664   230.14 K

61 items found:  61 files (17 H/S), 0 directories.
   Total of file sizes:  44,287,230 bytes     42.23 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 2CAF-3063

 Directory of C:\WINDOWS\System32

11/08/2005  12:27 AM           234,896 umrvoica.dll
11/08/2005  12:27 AM           236,707 enj8l11u1.dll
11/07/2005  11:46 PM           234,896 en4ql1h51.dll
11/07/2005  01:48 AM           235,514 saellstyle.dll
11/07/2005  01:32 AM           237,005 nhprint.dll
11/07/2005  01:27 AM           235,664 wmbvw.dll
11/07/2005  01:22 AM           236,694 dmmclien.dll
11/07/2005  01:19 AM           235,664 ohedlg.dll
11/07/2005  12:48 AM           234,123 cfadmin.dll
11/07/2005  12:05 AM           233,903 wjaueng1.dll
11/06/2005  11:40 PM           237,308 kddsf.dll
11/06/2005  11:20 PM           234,206 nulsapi.dll
11/06/2005  11:08 PM           237,080 vdoy.dll
11/06/2005  10:32 PM           235,308 spbcsp.dll
11/06/2005  10:11 PM           233,933 ncmsmgr.dll
11/06/2005  10:06 PM           234,704 wknntbbu.dll
11/06/2005  11:15 AM           234,041 mjdxmlc.dll
11/05/2005  11:57 PM           236,342 m0ls0a37ed.dll
11/05/2005  02:32 PM           236,342 fclemgmt.dll
11/05/2005  02:29 PM           235,487 ir0ml5d11.dll
11/04/2005  12:38 PM           233,911 dndskmgr.dll
11/04/2005  12:15 PM           233,911 lt4027hmg.dll
11/04/2005  11:35 AM           236,257 i6lolg3316.dll
11/04/2005  10:01 AM           236,257 rIcpldlg.dll
11/04/2005  10:01 AM           233,911 h62olgf3162.dll
10/24/2005  02:03 AM    <DIR>          dllcache
06/27/2005  12:02 AM            10,856 KGyGaAvL.sys
08/03/2004  09:30 AM    <DIR>          Microsoft
              26 File(s)      5,894,920 bytes
               2 Dir(s)  137,689,796,608 bytes free




thanks a lot for the reply. appreciate it B)

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #4 on: November 08, 2005, 01:58:00 AM »
let's try some cleanup

Download the trial version of Spy Sweeper from HERE
Click on the Free trial link

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Please print the rest of these instructions or copy and paste them to notepad for reference.

Make sure you are disconnected from the internet.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #4 by typing 4 and then pressing Enter
Exit l2mfix, we'll need it later

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer

Back in Windows
Stay disconnected from the Net

Close any open programs running in the background; this step requires another reboot.
Run L2MFix again with these instructions

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
Post the contents of this log back here

If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.

Additionally,
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
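The cleanup above comes down to which notification packages are registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, so here is an added Python check (not part of L2MFix, Spy Sweeper or this thread) that parses a .reg export of that key in the same Registry Editor 5.00 syntax the logs use, decodes hex(2) REG_EXPAND_SZ values, and flags any package whose DllName is an explicit path rather than a bare DLL name. The sample export and that flagging rule are constructed for the example; every legitimate entry in this thread's export uses a bare name, which is the only basis for the rule.

```python
"""Audit a .reg export of the Winlogon\\Notify key for suspicious packages.

Added example for this thread; it is not part of L2MFix, Spy Sweeper or
HijackThis. SAMPLE_REG is constructed to mirror the shape of the exported
key: one entry stored as hex(2) REG_EXPAND_SZ, one legitimate bare DLL
name, and one entry pointing at an explicit system32 path.
"""
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed sample export (three packages, Registry Editor 5.00 syntax).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjql1151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
'''


def _join_continuations(text):
    """Merge lines that end in a backslash (hex values wrap this way)."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line)
    return lines


def _decode_value(raw):
    """Decode one .reg value literal: quoted string, dword, or hex(type)."""
    if raw.startswith('"') and raw.endswith('"'):
        # Undo .reg string escaping (doubled backslashes, escaped quotes).
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        # hex(1)/hex(2)/hex(7) are REG_SZ/REG_EXPAND_SZ/REG_MULTI_SZ, UTF-16LE.
        if m.group(1) in ('1', '2', '7'):
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    sections = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition('=')
            sections[current][name.strip('"')] = _decode_value(value)
    return sections


def audit_notify(text):
    """Flag Winlogon\\Notify packages whose DllName is an explicit path.

    Heuristic only: the legitimate packages in this thread's export all use
    a bare DLL name, while the two rogue ones name a full system32 path.
    """
    findings = []
    prefix = NOTIFY_KEY.lower() + '\\'
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if dll is None:
            findings.append({'package': package, 'dll': None,
                             'reason': 'no DllName value'})
        elif '\\' in dll or '/' in dll:
            findings.append({'package': package, 'dll': dll,
                             'reason': 'DllName is an explicit path'})
    return findings


if __name__ == '__main__':
    for f in audit_notify(SAMPLE_REG):
        print(f"{f['package']!r}: {f['reason']} ({f['dll']})")
```

To run it against a real machine, export the key with regedit and pass the file contents to audit_notify; any flagged package still needs to be confirmed against the DLL itself before removal.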


Guest

enn4l15q1.dll...grrr.
« Reply #5 on: November 08, 2005, 10:49:59 AM »
Setting Directory
C:\
C:\
System Rebooted!
 
Running From:
C:\
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1640 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1660 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\cfadmin.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmmclien.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dndskmgr.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en22l1fo1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fclemgmt.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h62olgf3162.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6lolg3316.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir0ml5d11.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kddsf.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lt4027hmg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0ls0a37ed.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjdxmlc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ncmsmgr.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhprint.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nulsapi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohedlg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIcpldlg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\saellstyle.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spbcsp.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdoy.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjaueng1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wknntbbu.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wmbvw.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\cfadmin.dll  
Successfully Deleted: C:\WINDOWS\system32\cfadmin.dll
deleting: C:\WINDOWS\system32\dmmclien.dll  
Successfully Deleted: C:\WINDOWS\system32\dmmclien.dll
deleting: C:\WINDOWS\system32\dndskmgr.dll  
Successfully Deleted: C:\WINDOWS\system32\dndskmgr.dll
deleting: C:\WINDOWS\system32\en22l1fo1.dll  
Successfully Deleted: C:\WINDOWS\system32\en22l1fo1.dll
deleting: C:\WINDOWS\system32\fclemgmt.dll  
Successfully Deleted: C:\WINDOWS\system32\fclemgmt.dll
deleting: C:\WINDOWS\system32\h62olgf3162.dll  
Successfully Deleted: C:\WINDOWS\system32\h62olgf3162.dll
deleting: C:\WINDOWS\system32\i6lolg3316.dll  
Successfully Deleted: C:\WINDOWS\system32\i6lolg3316.dll
deleting: C:\WINDOWS\system32\ir0ml5d11.dll  
Successfully Deleted: C:\WINDOWS\system32\ir0ml5d11.dll
deleting: C:\WINDOWS\system32\kddsf.dll  
Successfully Deleted: C:\WINDOWS\system32\kddsf.dll
deleting: C:\WINDOWS\system32\lt4027hmg.dll  
Successfully Deleted: C:\WINDOWS\system32\lt4027hmg.dll
deleting: C:\WINDOWS\system32\m0ls0a37ed.dll  
Successfully Deleted: C:\WINDOWS\system32\m0ls0a37ed.dll
deleting: C:\WINDOWS\system32\mjdxmlc.dll  
Successfully Deleted: C:\WINDOWS\system32\mjdxmlc.dll
deleting: C:\WINDOWS\system32\ncmsmgr.dll  
Successfully Deleted: C:\WINDOWS\system32\ncmsmgr.dll
deleting: C:\WINDOWS\system32\nhprint.dll  
Successfully Deleted: C:\WINDOWS\system32\nhprint.dll
deleting: C:\WINDOWS\system32\nulsapi.dll  
Successfully Deleted: C:\WINDOWS\system32\nulsapi.dll
deleting: C:\WINDOWS\system32\ohedlg.dll  
Successfully Deleted: C:\WINDOWS\system32\ohedlg.dll
deleting: C:\WINDOWS\system32\rIcpldlg.dll  
Successfully Deleted: C:\WINDOWS\system32\rIcpldlg.dll
deleting: C:\WINDOWS\system32\saellstyle.dll  
Successfully Deleted: C:\WINDOWS\system32\saellstyle.dll
deleting: C:\WINDOWS\system32\spbcsp.dll  
Successfully Deleted: C:\WINDOWS\system32\spbcsp.dll
deleting: C:\WINDOWS\system32\vdoy.dll  
Successfully Deleted: C:\WINDOWS\system32\vdoy.dll
deleting: C:\WINDOWS\system32\wjaueng1.dll  
Successfully Deleted: C:\WINDOWS\system32\wjaueng1.dll
deleting: C:\WINDOWS\system32\wknntbbu.dll  
Successfully Deleted: C:\WINDOWS\system32\wknntbbu.dll
deleting: C:\WINDOWS\system32\wmbvw.dll  
Successfully Deleted: C:\WINDOWS\system32\wmbvw.dll
 
 
Zipping up files for submission:
  adding: cfadmin.dll (188 bytes security) (deflated 4%)
  adding: dmmclien.dll (188 bytes security) (deflated 5%)
  adding: dndskmgr.dll (188 bytes security) (deflated 4%)
  adding: en22l1fo1.dll (188 bytes security) (deflated 4%)
  adding: fclemgmt.dll (188 bytes security) (deflated 5%)
  adding: FL Studio VSTi (Multi).dll (188 bytes security) (deflated 48%)
  adding: FL Studio VSTi.dll (188 bytes security) (deflated 48%)
  adding: h62olgf3162.dll (188 bytes security) (deflated 4%)
  adding: i6lolg3316.dll (188 bytes security) (deflated 5%)
  adding: ir0ml5d11.dll (188 bytes security) (deflated 5%)
  adding: kddsf.dll (188 bytes security) (deflated 6%)
  adding: lt4027hmg.dll (188 bytes security) (deflated 4%)
  adding: m0ls0a37ed.dll (188 bytes security) (deflated 5%)
  adding: mjdxmlc.dll (188 bytes security) (deflated 4%)
  adding: ncmsmgr.dll (188 bytes security) (deflated 4%)
  adding: nhprint.dll (188 bytes security) (deflated 6%)
  adding: nulsapi.dll (188 bytes security) (deflated 4%)
  adding: ohedlg.dll (188 bytes security) (deflated 5%)
  adding: rIcpldlg.dll (188 bytes security) (deflated 5%)
  adding: saellstyle.dll (188 bytes security) (deflated 5%)
  adding: spbcsp.dll (188 bytes security) (deflated 5%)
  adding: vdoy.dll (188 bytes security) (deflated 6%)
  adding: wjaueng1.dll (188 bytes security) (deflated 4%)
  adding: wknntbbu.dll (188 bytes security) (deflated 5%)
  adding: wmbvw.dll (188 bytes security) (deflated 5%)
  adding: clear.reg (188 bytes security) (deflated 63%)
  adding: EULA.txt (188 bytes security) (deflated 54%)
  adding: FAQ.txt (188 bytes security) (deflated 60%)
  adding: Instruct.txt (188 bytes security) (deflated 55%)
  adding: lo2.txt (188 bytes security) (deflated 85%)
  adding: palsound.txt (188 bytes security) (stored 0%)
  adding: test.txt (188 bytes security) (deflated 80%)
  adding: test2.txt (188 bytes security) (deflated 44%)
  adding: test3.txt (188 bytes security) (deflated 44%)
  adding: test5.txt (188 bytes security) (deflated 44%)
  adding: VerHist.txt (188 bytes security) (deflated 55%)
  adding: vx2logs.txt (188 bytes security) (stored 0%)
  adding: xfind.txt (188 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: cfadmin.dll  
deleting local copy: dmmclien.dll  
deleting local copy: dndskmgr.dll  
deleting local copy: en22l1fo1.dll  
deleting local copy: fclemgmt.dll  
deleting local copy: h62olgf3162.dll  
deleting local copy: i6lolg3316.dll  
deleting local copy: ir0ml5d11.dll  
deleting local copy: kddsf.dll  
deleting local copy: lt4027hmg.dll  
deleting local copy: m0ls0a37ed.dll  
deleting local copy: mjdxmlc.dll  
deleting local copy: ncmsmgr.dll  
deleting local copy: nhprint.dll  
deleting local copy: nulsapi.dll  
deleting local copy: ohedlg.dll  
deleting local copy: rIcpldlg.dll  
deleting local copy: saellstyle.dll  
deleting local copy: spbcsp.dll  
deleting local copy: vdoy.dll  
deleting local copy: wjaueng1.dll  
deleting local copy: wknntbbu.dll  
deleting local copy: wmbvw.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjql1151.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f02mlaf11d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cfadmin.dll
C:\WINDOWS\system32\dmmclien.dll
C:\WINDOWS\system32\dndskmgr.dll
C:\WINDOWS\system32\en22l1fo1.dll
C:\WINDOWS\system32\fclemgmt.dll
C:\WINDOWS\system32\h62olgf3162.dll
C:\WINDOWS\system32\i6lolg3316.dll
C:\WINDOWS\system32\ir0ml5d11.dll
C:\WINDOWS\system32\kddsf.dll
C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\m0ls0a37ed.dll
C:\WINDOWS\system32\mjdxmlc.dll
C:\WINDOWS\system32\ncmsmgr.dll
C:\WINDOWS\system32\nhprint.dll
C:\WINDOWS\system32\nulsapi.dll
C:\WINDOWS\system32\ohedlg.dll
C:\WINDOWS\system32\rIcpldlg.dll
C:\WINDOWS\system32\saellstyle.dll
C:\WINDOWS\system32\spbcsp.dll
C:\WINDOWS\system32\vdoy.dll
C:\WINDOWS\system32\wjaueng1.dll
C:\WINDOWS\system32\wknntbbu.dll
C:\WINDOWS\system32\wmbvw.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}"=-
"{62A808F8-596E-4841-A368-BA51F247CA7B}"=-
"{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}"=-
"{783D2719-CCAA-4CB0-9E07-B67C843563CD}"=-
"{732EE58A-4CC6-4D87-B460-77CDC894C9B1}"=-
"{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}"=-
"{179399B4-0986-4FF6-9F9B-5478B5E93105}"=-
"{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}"=-
"{2D391FDC-600E-4AF9-9F41-C6F38A324111}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DF4890D8-F4F2-444A-94BE-8C68513CA8E1}]
[-HKEY_CLASSES_ROOT\CLSID\{62A808F8-596E-4841-A368-BA51F247CA7B}]
[-HKEY_CLASSES_ROOT\CLSID\{2FB583E9-7FB6-4ECE-A798-7FA4F9107D2F}]
[-HKEY_CLASSES_ROOT\CLSID\{783D2719-CCAA-4CB0-9E07-B67C843563CD}]
[-HKEY_CLASSES_ROOT\CLSID\{732EE58A-4CC6-4D87-B460-77CDC894C9B1}]
[-HKEY_CLASSES_ROOT\CLSID\{6C9E77BC-F5CE-4955-9641-EFAF9B6BED5D}]
[-HKEY_CLASSES_ROOT\CLSID\{179399B4-0986-4FF6-9F9B-5478B5E93105}]
[-HKEY_CLASSES_ROOT\CLSID\{9C9B372D-169B-4D5F-BC3C-EE73474AFD21}]
[-HKEY_CLASSES_ROOT\CLSID\{2D391FDC-600E-4AF9-9F41-C6F38A324111}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************






********
10:16 AM: |       Start of Session, Tuesday, November 08, 2005       |
10:16 AM: Spy Sweeper started
10:16 AM: Sweep initiated using definitions version 569
10:16 AM: Starting Memory Sweep
10:16 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:16 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:17 AM:   Found Adware: icannnews
10:17 AM:   Detected running threat: C:\WINDOWS\system32\enj8l11u1.dll (ID = 83)
10:17 AM:   Detected running threat: C:\WINDOWS\system32\kxdtuf.dll (ID = 83)
10:17 AM: Memory Sweep Complete, Elapsed Time: 00:01:50
10:17 AM: Starting Registry Sweep
10:18 AM:   Found Trojan Horse: sdbot
10:18 AM:   HKU\.default\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140586)
10:18 AM:   HKU\.default\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140589)
10:18 AM:   HKU\.default\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140594)
10:18 AM:   HKLM\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140617)
10:18 AM:   HKLM\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140622)
10:18 AM:   Found Adware: search helping wizard
10:18 AM:   HKCR\ngsh35.clsdw\  (1 subtraces) (ID = 958369)
10:18 AM:   HKCR\ngsh35.clsis\  (1 subtraces) (ID = 958373)
10:18 AM:   HKLM\software\classes\ngsh35.clsdw\  (1 subtraces) (ID = 958516)
10:18 AM:   HKLM\software\classes\ngsh35.clsis\  (1 subtraces) (ID = 958520)
10:18 AM:   HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || microsoft windows update (ID = 140604)
10:18 AM:   HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
10:18 AM:   HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140631)
10:18 AM: Registry Sweep Complete, Elapsed Time:00:00:12
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM: Starting Cookie Sweep
10:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:18 AM: Starting File Sweep
10:18 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 AM:   Found Adware: apropos
10:23 AM:   wingenerics.dll (ID = 50187)
10:23 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM:   Found Adware: targetsaver
10:26 AM:   113_dollarrevenue_4_0_3_9.exe (ID = 166444)
10:26 AM:   contextplus.exe (ID = 185940)
10:26 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM:   installer_1.exe (ID = 185727)
10:27 AM:   atmtd.dll (ID = 166754)
10:27 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 AM:   atmtd.dll._ (ID = 166754)
10:28 AM:   Found System Monitor: potentially rootkit-masked files
10:28 AM:   syntmsft.exe (ID = 0)
10:28 AM:   ace.dll (ID = 0)
10:28 AM:   data.bin (ID = 0)
10:28 AM:   00007ff5_436efcdf_0002a291 (ID = 0)
10:28 AM:   updarvdm.sys (ID = 0)
10:28 AM:   00000822_436eff25_00099dce (ID = 0)
10:28 AM:   00000bdb_436efd8d_00022dfe (ID = 0)
10:28 AM:   00003bf6_436efe26_0001dfc4 (ID = 0)
10:28 AM:   0000491c_436efc6b_0008083e (ID = 0)
10:28 AM:   00004d06_436efc6b_0009b68c (ID = 0)
10:28 AM:   00003a9e_436efe26_00042a8c (ID = 0)
10:28 AM:   00005991_436eff25_0009ec0b (ID = 0)
10:28 AM:   00000f3e_436efc27_000c0a04 (ID = 0)
10:28 AM:   00004db7_436efc6b_000aa143 (ID = 0)
10:28 AM:   00002350_436efd8f_0000b20e (ID = 0)
10:28 AM:   00001547_436efc6c_00001bb1 (ID = 0)
10:28 AM:   0000323b_436efd4c_000d20fc (ID = 0)
10:28 AM:   00005f49_436efe2a_000d6c2c (ID = 0)
10:28 AM:   00003d6c_436efaf7_00018a0c (ID = 0)
10:28 AM:   000054de_436efc77_00014448 (ID = 0)
10:28 AM:   0000366b_436efeb1_000402ee (ID = 0)
10:28 AM:   00002213_436efd4d_0002744c (ID = 0)
10:28 AM:   00004823_436efaea_000dc8a9 (ID = 0)
10:28 AM:   000039b3_436efc77_0002a459 (ID = 0)
10:28 AM:   00006b89_436efd89_00039eae (ID = 0)
10:28 AM:   000066c4_436efeb1_00049f68 (ID = 0)
10:28 AM:   00000ddc_436efe2a_000e08a6 (ID = 0)
10:28 AM:   0000030a_436efd89_00048964 (ID = 0)
10:28 AM:   00006e5d_436efcbd_000baaeb (ID = 0)
10:28 AM:   0000074d_436efc7f_0001230b (ID = 0)
10:28 AM:   00004dc8_436efc7f_00025bfe (ID = 0)
10:28 AM:   00004cad_436efe3a_000e62a6 (ID = 0)
10:28 AM:   0000301c_436efd8c_000ed739 (ID = 0)
10:28 AM:   000026e9_436efbe8_00068770 (ID = 0)
10:28 AM:   00005cfd_436efdc1_00092101 (ID = 0)
10:28 AM:   00000099_436efc29_00031143 (ID = 0)
10:28 AM:   00006443_436efc7f_00031f96 (ID = 0)
10:28 AM:   00000124_436efc29_00042318 (ID = 0)
10:28 AM:   0000314f_436efe3a_000ed801 (ID = 0)
10:28 AM:   00003e12_436efdc2_0000bf19 (ID = 0)
10:28 AM:   00006df1_436efb12_0003f759 (ID = 0)
10:28 AM:   00001ad4_436efcbd_000cbcc0 (ID = 0)
10:28 AM:   000001eb_436efbe8_000e2b60 (ID = 0)
10:28 AM:   000066bb_436efc80_000b3e81 (ID = 0)
10:28 AM:   00005e14_436efe3b_0002cb40 (ID = 0)
10:28 AM:   00000bb3_436efbf4_00051ca1 (ID = 0)
10:28 AM:   00000732_436efd8e_000148e8 (ID = 0)
10:28 AM:   0000428b_436efc80_000db068 (ID = 0)
10:28 AM:   0000409d_436eff3f_00026500 (ID = 0)
10:28 AM:   0000440d_436efc2e_0004b493 (ID = 0)
10:28 AM:   00005f90_436efb03_0008116b (ID = 0)
10:28 AM:   00004230_436efeb2_000828c3 (ID = 0)
10:28 AM:   00004b40_436efdb5_000d4bf3 (ID = 0)
10:28 AM:   00007eb7_436efeb6_000690f4 (ID = 0)
10:28 AM:   000026a6_436efc80_000e9b1e (ID = 0)
10:28 AM:   00004944_436efe80_000c8fc9 (ID = 0)
10:28 AM:   00000120_436efd8e_00031e54 (ID = 0)
10:28 AM:   000012e1_436eff42_000add68 (ID = 0)
10:28 AM:   00002ea6_436efc12_000501c9 (ID = 0)
10:28 AM:   0000759a_436efd8e_00067af1 (ID = 0)
10:28 AM:   00002e40_436efe80_000cde06 (ID = 0)
10:28 AM:   00006032_436efeb6_000b9be0 (ID = 0)
10:28 AM:   00002c3b_436efeb6_000c3859 (ID = 0)
10:28 AM:   0000798b_436eff61_00014ed3 (ID = 0)
10:28 AM:   000018be_436efaf4_00054b24 (ID = 0)
10:28 AM:   0000121f_436eff70_000a8016 (ID = 0)
10:28 AM:   00001a49_436efdce_0008f4c6 (ID = 0)
10:28 AM:   000012db_436efc14_0003d416 (ID = 0)
10:28 AM:   000015a1_436efeb9_0007b3a9 (ID = 0)
10:28 AM:   0000701f_436efc87_00085781 (ID = 0)
10:28 AM:   00005f32_436efdce_000bb4e9 (ID = 0)
10:28 AM:   00006bfc_436efcd3_0000ff00 (ID = 0)
10:28 AM:   00007f96_436efcdf_000190bc (ID = 0)
10:28 AM:   00005422_436efeb9_00085023 (ID = 0)
10:28 AM:   00003ef6_436efeb9_000a2590 (ID = 0)
10:28 AM:   00005d03_436efc87_0008a5be (ID = 0)
10:28 AM:   dns (ID = 0)
10:28 AM:   00006952_436efb03_0006631c (ID = 0)
10:28 AM:   000073da_436eff7b_000df374 (ID = 0)
10:28 AM:   00007a5a_436efca4_00072534 (ID = 0)
10:28 AM:   000058b0_436eff7b_000e68d0 (ID = 0)
10:28 AM:   0000767d_436efca4_0007e8cc (ID = 0)
10:28 AM:   00004509_436efcb8_000aa414 (ID = 0)
10:28 AM:   00004e45_436efd4c_000555ee (ID = 0)
10:28 AM:   000026ca_436eff8f_00086e53 (ID = 0)
10:28 AM:   00007e87_436efc20_000810ac (ID = 0)
10:28 AM:   00003699_436eff8f_000a6ade (ID = 0)
10:28 AM:   00006b36_436efdc1_000687fc (ID = 0)
10:28 AM:   index (ID = 0)
10:28 AM:   0000390c_436efc24_000b0e6e (ID = 0)
10:28 AM:   spumsapi.exe (ID = 0)
10:28 AM:   00001238_436efcb8_000c2b44 (ID = 0)
10:28 AM:   00001cd0_436efeb1_0002a2dc (ID = 0)
10:28 AM:   imeprddm.exe (ID = 0)
10:28 AM:   00003b25_436efcb9_00010939 (ID = 0)
10:28 AM:   ai_08-11-2005.log (ID = 0)
10:28 AM:   ai_07-11-2005.log (ID = 0)
10:28 AM:   000056ae_436efd8d_00058a9b (ID = 0)
10:28 AM:   00006784_436efaf6_00013630 (ID = 0)
10:28 AM:   00004ae1_436efaf6_000380f8 (ID = 0)
10:28 AM:   00002cd6_436efafd_00088c24 (ID = 0)
10:28 AM:   00001649_436efb07_00036b3c (ID = 0)
10:28 AM:   00001366_436efeb0_000f24f9 (ID = 0)
10:28 AM:   00005af1_436efbe6_00096371 (ID = 0)
10:28 AM:   000041bb_436efbe7_000a53c8 (ID = 0)
10:28 AM:   ai_04-11-2005.log (ID = 0)
10:28 AM:   ai_06-11-2005.log (ID = 0)
10:28 AM:   ai_05-11-2005.log (ID = 0)
10:28 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:28 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 AM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 AM: File Sweep Complete, Elapsed Time: 00:11:15
10:29 AM: Full Sweep has completed.  Elapsed time 00:13:20
10:29 AM: Traces Found: 132
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:37 AM: Removal process initiated
10:37 AM:   Quarantining All Traces: icannnews
10:37 AM:   icannnews is in use.  It will be removed on reboot.
10:37 AM:     C:\WINDOWS\system32\enj8l11u1.dll is in use.  It will be removed on reboot.
10:37 AM:     C:\WINDOWS\system32\kxdtuf.dll is in use.  It will be removed on reboot.
10:37 AM:   Quarantining All Traces: potentially rootkit-masked files
10:38 AM:   potentially rootkit-masked files is in use.  It will be removed on reboot.
10:38 AM:     syntmsft.exe is in use.  It will be removed on reboot.
10:38 AM:     ace.dll is in use.  It will be removed on reboot.
10:38 AM:     data.bin is in use.  It will be removed on reboot.
10:38 AM:     00007ff5_436efcdf_0002a291 is in use.  It will be removed on reboot.
10:38 AM:     updarvdm.sys is in use.  It will be removed on reboot.
10:38 AM:     00000822_436eff25_00099dce is in use.  It will be removed on reboot.
10:38 AM:     00000bdb_436efd8d_00022dfe is in use.  It will be removed on reboot.
10:38 AM:     00003bf6_436efe26_0001dfc4 is in use.  It will be removed on reboot.
10:38 AM:     0000491c_436efc6b_0008083e is in use.  It will be removed on reboot.
10:38 AM:     00004d06_436efc6b_0009b68c is in use.  It will be removed on reboot.
10:38 AM:     00003a9e_436efe26_00042a8c is in use.  It will be removed on reboot.
10:38 AM:     00005991_436eff25_0009ec0b is in use.  It will be removed on reboot.
10:38 AM:     00000f3e_436efc27_000c0a04 is in use.  It will be removed on reboot.
10:38 AM:     00004db7_436efc6b_000aa143 is in use.  It will be removed on reboot.
10:38 AM:     00002350_436efd8f_0000b20e is in use.  It will be removed on reboot.
10:38 AM:     00001547_436efc6c_00001bb1 is in use.  It will be removed on reboot.
10:38 AM:     0000323b_436efd4c_000d20fc is in use.  It will be removed on reboot.
10:38 AM:     00005f49_436efe2a_000d6c2c is in use.  It will be removed on reboot.
10:38 AM:     00003d6c_436efaf7_00018a0c is in use.  It will be removed on reboot.
10:38 AM:     000054de_436efc77_00014448 is in use.  It will be removed on reboot.
10:38 AM:     0000366b_436efeb1_000402ee is in use.  It will be removed on reboot.
10:38 AM:     00002213_436efd4d_0002744c is in use.  It will be removed on reboot.
10:38 AM:     00004823_436efaea_000dc8a9 is in use.  It will be removed on reboot.
10:38 AM:     000039b3_436efc77_0002a459 is in use.  It will be removed on reboot.
10:38 AM:     00006b89_436efd89_00039eae is in use.  It will be removed on reboot.
10:38 AM:     000066c4_436efeb1_00049f68 is in use.  It will be removed on reboot.
10:38 AM:     00000ddc_436efe2a_000e08a6 is in use.  It will be removed on reboot.
10:38 AM:     0000030a_436efd89_00048964 is in use.  It will be removed on reboot.
10:38 AM:     00006e5d_436efcbd_000baaeb is in use.  It will be removed on reboot.
10:38 AM:     0000074d_436efc7f_0001230b is in use.  It will be removed on reboot.
10:38 AM:     00004dc8_436efc7f_00025bfe is in use.  It will be removed on reboot.
10:38 AM:     00004cad_436efe3a_000e62a6 is in use.  It will be removed on reboot.
10:38 AM:     0000301c_436efd8c_000ed739 is in use.  It will be removed on reboot.
10:38 AM:     000026e9_436efbe8_00068770 is in use.  It will be removed on reboot.
10:38 AM:     00005cfd_436efdc1_00092101 is in use.  It will be removed on reboot.
10:38 AM:     00000099_436efc29_00031143 is in use.  It will be removed on reboot.
10:38 AM:     00006443_436efc7f_00031f96 is in use.  It will be removed on reboot.
10:38 AM:     00000124_436efc29_00042318 is in use.  It will be removed on reboot.
10:38 AM:     0000314f_436efe3a_000ed801 is in use.  It will be removed on reboot.
10:38 AM:     00003e12_436efdc2_0000bf19 is in use.  It will be removed on reboot.
10:38 AM:     00006df1_436efb12_0003f759 is in use.  It will be removed on reboot.
10:38 AM:     00001ad4_436efcbd_000cbcc0 is in use.  It will be removed on reboot.
10:38 AM:     000001eb_436efbe8_000e2b60 is in use.  It will be removed on reboot.
10:38 AM:     000066bb_436efc80_000b3e81 is in use.  It will be removed on reboot.
10:38 AM:     00005e14_436efe3b_0002cb40 is in use.  It will be removed on reboot.
10:38 AM:     00000bb3_436efbf4_00051ca1 is in use.  It will be removed on reboot.
10:38 AM:     00000732_436efd8e_000148e8 is in use.  It will be removed on reboot.
10:38 AM:     0000428b_436efc80_000db068 is in use.  It will be removed on reboot.
10:38 AM:     0000409d_436eff3f_00026500 is in use.  It will be removed on reboot.
10:38 AM:     0000440d_436efc2e_0004b493 is in use.  It will be removed on reboot.
10:38 AM:     00005f90_436efb03_0008116b is in use.  It will be removed on reboot.
10:38 AM:     00004230_436efeb2_000828c3 is in use.  It will be removed on reboot.
10:38 AM:     00004b40_436efdb5_000d4bf3 is in use.  It will be removed on reboot.
10:38 AM:     00007eb7_436efeb6_000690f4 is in use.  It will be removed on reboot.
10:38 AM:     000026a6_436efc80_000e9b1e is in use.  It will be removed on reboot.
10:38 AM:     00004944_436efe80_000c8fc9 is in use.  It will be removed on reboot.
10:38 AM:     00000120_436efd8e_00031e54 is in use.  It will be removed on reboot.
10:38 AM:     000012e1_436eff42_000add68 is in use.  It will be removed on reboot.
10:38 AM:     00002ea6_436efc12_000501c9 is in use.  It will be removed on reboot.
10:38 AM:     0000759a_436efd8e_00067af1 is in use.  It will be removed on reboot.
10:38 AM:     00002e40_436efe80_000cde06 is in use.  It will be removed on reboot.
10:38 AM:     00006032_436efeb6_000b9be0 is in use.  It will be removed on reboot.
10:38 AM:     00002c3b_436efeb6_000c3859 is in use.  It will be removed on reboot.
10:38 AM:     0000798b_436eff61_00014ed3 is in use.  It will be removed on reboot.
10:38 AM:     000018be_436efaf4_00054b24 is in use.  It will be removed on reboot.
10:38 AM:     0000121f_436eff70_000a8016 is in use.  It will be removed on reboot.
10:38 AM:     00001a49_436efdce_0008f4c6 is in use.  It will be removed on reboot.
10:38 AM:     000012db_436efc14_0003d416 is in use.  It will be removed on reboot.
10:38 AM:     000015a1_436efeb9_0007b3a9 is in use.  It will be removed on reboot.
10:38 AM:     0000701f_436efc87_00085781 is in use.  It will be removed on reboot.
10:38 AM:     00005f32_436efdce_000bb4e9 is in use.  It will be removed on reboot.
10:38 AM:     00006bfc_436efcd3_0000ff00 is in use.  It will be removed on reboot.
10:38 AM:     00007f96_436efcdf_000190bc is in use.  It will be removed on reboot.
10:38 AM:     00005422_436efeb9_00085023 is in use.  It will be removed on reboot.
10:38 AM:     00003ef6_436efeb9_000a2590 is in use.  It will be removed on reboot.
10:38 AM:     00005d03_436efc87_0008a5be is in use.  It will be removed on reboot.
10:38 AM:     dns is in use.  It will be removed on reboot.
10:38 AM:     00006952_436efb03_0006631c is in use.  It will be removed on reboot.
10:38 AM:     000073da_436eff7b_000df374 is in use.  It will be removed on reboot.
10:38 AM:     00007a5a_436efca4_00072534 is in use.  It will be removed on reboot.
10:38 AM:     000058b0_436eff7b_000e68d0 is in use.  It will be removed on reboot.
10:38 AM:     0000767d_436efca4_0007e8cc is in use.  It will be removed on reboot.
10:38 AM:     00004509_436efcb8_000aa414 is in use.  It will be removed on reboot.
10:38 AM:     00004e45_436efd4c_000555ee is in use.  It will be removed on reboot.
10:38 AM:     000026ca_436eff8f_00086e53 is in use.  It will be removed on reboot.
10:38 AM:     00007e87_436efc20_000810ac is in use.  It will be removed on reboot.
10:38 AM:     00003699_436eff8f_000a6ade is in use.  It will be removed on reboot.
10:38 AM:     00006b36_436efdc1_000687fc is in use.  It will be removed on reboot.
10:38 AM:     index is in use.  It will be removed on reboot.
10:38 AM:     0000390c_436efc24_000b0e6e is in use.  It will be removed on reboot.
10:38 AM:     spumsapi.exe is in use.  It will be removed on reboot.
10:38 AM:     00001238_436efcb8_000c2b44 is in use.  It will be removed on reboot.
10:38 AM:     00001cd0_436efeb1_0002a2dc is in use.  It will be removed on reboot.
10:38 AM:     imeprddm.exe is in use.  It will be removed on reboot.
10:38 AM:     00003b25_436efcb9_00010939 is in use.  It will be removed on reboot.
10:38 AM:     ai_08-11-2005.log is in use.  It will be removed on reboot.
10:38 AM:     ai_07-11-2005.log is in use.  It will be removed on reboot.
10:38 AM:     000056ae_436efd8d_00058a9b is in use.  It will be removed on reboot.
10:38 AM:     00006784_436efaf6_00013630 is in use.  It will be removed on reboot.
10:38 AM:     00004ae1_436efaf6_000380f8 is in use.  It will be removed on reboot.
10:38 AM:     00002cd6_436efafd_00088c24 is in use.  It will be removed on reboot.
10:38 AM:     00001649_436efb07_00036b3c is in use.  It will be removed on reboot.
10:38 AM:     00001366_436efeb0_000f24f9 is in use.  It will be removed on reboot.
10:38 AM:     00005af1_436efbe6_00096371 is in use.  It will be removed on reboot.
10:38 AM:     000041bb_436efbe7_000a53c8 is in use.  It will be removed on reboot.
10:38 AM:     ai_04-11-2005.log is in use.  It will be removed on reboot.
10:38 AM:     ai_06-11-2005.log is in use.  It will be removed on reboot.
10:38 AM:     ai_05-11-2005.log is in use.  It will be removed on reboot.
10:38 AM:   Quarantining All Traces: sdbot
10:38 AM:   Quarantining All Traces: apropos
10:38 AM:   apropos is in use.  It will be removed on reboot.
10:38 AM:     wingenerics.dll is in use.  It will be removed on reboot.
10:38 AM:   Quarantining All Traces: search helping wizard
10:38 AM:   Quarantining All Traces: targetsaver
10:38 AM:   Preparing to restart your computer. Please wait...
10:38 AM: Removal process completed.  Elapsed time 00:01:22
********
10:14 AM: |       Start of Session, Tuesday, November 08, 2005       |
10:14 AM: Spy Sweeper started
10:14 AM: Your spyware definitions have been updated.
10:14 AM: Processing Hosts File Alerts
10:14 AM:   Fixed Hosts File entry: idenupdate.motorola.com
10:14 AM:   Fixed Hosts File entry: idenupdate.motorola.com
10:14 AM: Updating spyware definitions
10:14 AM: Your definitions are up to date.
10:14 AM: Updating spyware definitions
10:14 AM: Your definitions are up to date.
10:16 AM: |       End of Session, Tuesday, November 08, 2005       |







Logfile of HijackThis v1.99.1
Scan saved at 10:47:44 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) -  - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe





thank you so much!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
enn4l15q1.dll...grrr.
« Reply #6 on: November 09, 2005, 12:14:04 AM »
I still want to see what else may be lurking

Can you do the following please
==Download and Install this small program to help clean your temp folders, cookies, etc.: Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit

==Download and then Install Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, you can manually download the updates from this link after you have Ewido installed:
http://www.ewido.net/en/download/updates/

Please Print this out or save these instructions to a Notepad file and save it to your Desktop

Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe

O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for an alternative method

Find and delete this file if it exists
C:\WINDOWS\system32\Systmesy.exe <-this file

Stay in safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Reboot back to Normal mode

Post a fresh hijackthis log
Also post the whole report from Ewido
We may have to reinstall AVG, it looks corrupt, do you still have it installed?

Note: Do you have Refreshlock installed? I'm just making sure

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
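The entries ticked above are chosen by a few recurring rules of thumb: hooks and toolbars that point at "(no file)", Winlogon Notify DLLs that are "(file missing)" or carry a random-looking name, and Run entries that launch a bare executable name with no path. The following Python script is an added example that makes those rules explicit; it is not HijackThis code and not something posted in this thread. The sample log is assembled from entries pasted earlier in the thread, plus one O20 line constructed from the DLL name in the thread title. A bare-name Run entry is reported as "verify", not "malicious": Logi_MwX.Exe is a legitimate Logitech tool, and the point of the rule is only that a bare name resolves through the search path, so the file that actually runs must be confirmed.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example).

Not HijackThis code and not posted in the thread. It encodes the reasoning a
helper applies by eye when picking entries to fix.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "O4 - HKLM\..\Run: [Systmesy] Systmesy.exe" -> code "O4", rest "HKLM\..\Run: ..."
_ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<rest>.*)$")
# A command that starts with a bare file name: no drive letter, no backslash.
_BARE_EXE_RE = re.compile(r'^"?(?P<exe>[^\\":]+\.exe)"?', re.IGNORECASE)
# DLL file name with letters and digits interleaved, e.g. enjql1151.dll (heuristic).
_RANDOM_DLL_RE = re.compile(r"\\(?P<dll>[a-z0-9]*\d[a-z0-9]*\.dll)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a HijackThis entry worth acting on, else None."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, running-process list, blank line
    code, rest = m.group("code"), m.group("rest")

    if "(no file)" in rest:
        return Finding(code, line, "hook/toolbar CLSID is registered but its file is gone")
    if "(file missing)" in rest:
        return Finding(code, line, "startup entry points at a DLL that no longer exists")

    if code == "O20":
        # Winlogon Notify DLLs load inside winlogon.exe; random names are the classic tell.
        dll = _RANDOM_DLL_RE.search(rest)
        if dll:
            return Finding(code, line, f"Winlogon Notify DLL {dll.group('dll')} has a random-looking name")

    if code == "O4":
        # Everything after "[Name]" is the command line that runs at logon.
        _, _, cmd = rest.partition("]")
        bare = _BARE_EXE_RE.match(cmd.strip())
        if bare:
            return Finding(code, line, f"Run entry launches bare name {bare.group('exe')}; verify which file is found first")
    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a pasted log, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


# Sample assembled from entries pasted in this thread; the "Explorer" O20 line is
# constructed from the DLL named in the thread title.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: (no name) -  - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\enn4l15q1.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\enjql1151.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\f02mlaf11d2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run it against a full pasted log and read the output as a worklist, not a verdict: entries with a vendor-signed path such as WRLogonNTF.dll pass untouched, while anything flagged still needs the file checked (Jotti or another scanner, as suggested later in the thread) before it is fixed.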


Guest

  • Guest
enn4l15q1.dll...grrr.
« Reply #7 on: November 09, 2005, 11:09:31 AM »
Nope, I don't have Refreshlock. I also uninstalled AVG, because yes, it was corrupt. Here's the log. I'm sorry, I had forgotten to save the report from ewido. It did, however, find 32 infected files.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:03 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\T-Clock\tclock.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #8 on: November 09, 2005, 07:31:36 PM »
Why is your log so short again????
Are you fixing entries with hijackthis or using msconfig to disable entries??
Please don't do this until we are done!!!!!

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to the file on your hard drive
C:\RefreshLock.exe <-this file

Right-click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scans back here please

Afterwards, I suggest you reinstall AVG
If you don't prefer AVG, and need a free solution
Use either AVAST or BitDefender
Click here for the links
Only run one AV, more than one can cause more harm than good
After you have an AV reinstalled run a full system scan

Could you also enable everything on startup in msconfig again, leave it this way until we are done
Post back a fresh hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

enn4l15q1.dll...grrr.
« Reply #9 on: November 10, 2005, 01:10:41 AM »
Sorry about that. It's that I've never had anything checked in startup in MsConfig except T-Clock, that's why. I'll install AVG sometime later. Here are the logs:

File: RefreshLock.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5: 81473c1f639010a0be2835967e7686c6
Packers detected: UPX
Scanner results:
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing


Logfile of HijackThis v1.99.1
Scan saved at 12:55:13 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\RefreshLock.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Guest

enn4l15q1.dll...grrr.
« Reply #10 on: November 11, 2005, 07:39:39 PM »
bump...if you forgot about me :) I'm incredibly grateful for the help you've given me nonetheless.

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #11 on: November 12, 2005, 03:16:49 AM »
I would think you would remember installing Refreshlock

Let's see if you need it on startup

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [RefreshLock] C:\RefreshLock.exe


After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Please redownload and install AVG
Make sure you check for updates and run a full system scan

Post one last hijackthis log and let me know how things are

Guest

enn4l15q1.dll...grrr.
« Reply #12 on: November 12, 2005, 12:01:55 PM »
Installed and ran AVG. Everything is good. The computer is running great. Thank you so much. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:37 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #13 on: November 12, 2005, 12:06:12 PM »
I'll assume everything is enabled on startup now

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Systmesy] Systmesy.exe

After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Find this file and delete it if found
C:\WINDOWS\system32\Systmesy.exe

Come back here and post one last hijackthis log

Guest

enn4l15q1.dll...grrr.
« Reply #14 on: November 12, 2005, 01:15:45 PM »
Logfile of HijackThis v1.99.1
Scan saved at 1:15:28 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
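
To check a step like this mechanically, here is an added example (my code, not HijackThis's and not from the thread): it diffs constructed excerpts of the Reply #12 and Reply #14 logs, showing the Systmesy entry gone after FIX CHECKED, and lists Run entries whose program is given without a path, which is exactly why Systmesy.exe has to be located on disk by hand.

```python
# Added example (not a HijackThis feature): diff two logs from this thread and
# flag O4 Run entries that still need a manual check on disk.
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the Reply #12 log (before the Systmesy fix).
LOG_BEFORE = """\
Logfile of HijackThis v1.99.1
Scan saved at 12:00:37 PM, on 11/12/2005

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\AIM\\aim.exe

O4 - HKLM\\..\\Run: [Systmesy] Systmesy.exe
O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG Free\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [AIM] C:\\Program Files\\AIM\\aim.exe -cnetwait.odl
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
"""

# Constructed excerpt of the Reply #14 log (after FIX CHECKED and a reboot).
LOG_AFTER = """\
Logfile of HijackThis v1.99.1
Scan saved at 1:15:28 PM, on 11/12/2005

Running processes:
C:\\WINDOWS\\System32\\smss.exe

O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG Free\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # any HijackThis R/F/N/O line
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def parse_hjt(text: str) -> Tuple[List[str], List[str]]:
    """Split a log into its 'Running processes' list and its R/F/N/O entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries

def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What vanished from and what appeared in the newer log. Entries that
    disappear without a FIX CHECKED step usually mean msconfig disabled them."""
    procs_b, ents_b = parse_hjt(before)
    procs_a, ents_a = parse_hjt(after)
    return {
        "removed_entries": sorted(set(ents_b) - set(ents_a)),
        "added_entries": sorted(set(ents_a) - set(ents_b)),
        "removed_processes": sorted(set(procs_b) - set(procs_a)),
        "added_processes": sorted(set(procs_a) - set(procs_b)),
    }

def _program_of(value: str) -> str:
    """Executable part of a Run value; a quoted path may contain spaces."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]

def unqualified_run_entries(text: str) -> List[Tuple[str, str]]:
    """O4 Run entries whose program has no directory, e.g. Systmesy.exe: the log
    cannot say which file on disk actually runs, so locate and verify it by hand."""
    flagged = []
    for entry in parse_hjt(text)[1]:
        m = RUN_RE.match(entry)
        if m and "\\" not in _program_of(m.group(3)):
            flagged.append((m.group(2), m.group(3)))
    return flagged

if __name__ == "__main__":
    print(diff_logs(LOG_BEFORE, LOG_AFTER))
    print(unqualified_run_entries(LOG_BEFORE))
```

The diff also surfaces the AIM entry and process disappearing between the two logs alongside a new MSConfig entry, the pattern the helper asks about when a log comes back shorter than expected.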

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #15 on: November 12, 2005, 01:23:43 PM »
OK, can you do this one more time please

Go to start>>run>>type in msconfig
Hit OK
Under the General tab do a Normal startup

Click apply and close but don't restart yet

Post back a fresh hijackthis log

Guest

enn4l15q1.dll...grrr.
« Reply #16 on: November 12, 2005, 01:40:30 PM »
Logfile of HijackThis v1.99.1
Scan saved at 1:40:21 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\T-Clock\tclock.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archive\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Tclock.lnk = C:\Program Files\T-Clock\tclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E845B7BD-1517-405D-832A-9351CBA52FD3}: NameServer = 151.198.0.38 151.197.0.38
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #17 on: November 12, 2005, 01:55:48 PM »
That looks better, can you do the following please

You can go back now and disable whatever you want with msconfig again

Some final cleanup
If everything is running better, please do the following
You should disable system restore>>>reboot>> and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well

Hold onto SpySweeper for the duration of the trial period if you don't plan on purchasing it
Afterwards, right-click its icon by the system tray clock and shut it down and then uninstall it

Offline guestolo

enn4l15q1.dll...grrr.
« Reply #18 on: November 19, 2005, 01:37:30 AM »
Problems appear resolved
Locking this topic
Take care :)
