Author Topic: Spy Sherrif (Read 5119 times)

Mrs_Music · « **Reply #20 on:** December 26, 2005, 11:22:20 PM »

Lol I don't know what's up with my copying and pasting tonight but here's the rest of the spysweeper log and the other stuff u need...

1:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:15 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:23 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:31 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:39 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:47 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:55 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:03 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:11 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:19 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:27 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:35 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:54 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:59 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:59 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
2:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
3:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:39 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
8:39 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
3:25 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
3:25 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
5:22 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
5:22 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
10:03 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
10:03 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
5:32 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
5:32 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
6:00 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
6:00 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
10:32 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
10:32 PM: Ignored memory-resident threat: trojan-downloader-infectedhost
10:40 PM: Processing Startup Alerts
10:40 PM: Removed Startup entry: winsync
10:40 PM: Removed Startup entry: WindowsUpdate
10:40 PM: Removed Startup entry: System
10:41 PM: | End of Session, Wednesday, December 21, 2005 |
********
11:10 PM: | Start of Session, Thursday, December 15, 2005 |
11:10 PM: Spy Sweeper started
11:11 PM: Your spyware definitions have been updated.
11:12 PM: | End of Session, Thursday, December 15, 2005 |

________________________________________________________________________________
_

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe files\\mcafee.com\\agent\\mcagent.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1135391434\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortEmail Removedexe\" -Run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- qgmnssxm
{9facfe73-8660-4d5f-80ed-e6ba58c857dd}
C:\WINDOWS\system32\lgkeq.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\Program Files\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
hp psc 1000 series.lnk
hpoddt01.exe.lnk
SBC Self Support Tool.lnk
==============================
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

desktop.ini
hp psc 1000 series.lnk
hpoddt01.exe.lnk
SBC Self Support Tool.lnk
Clean Access Agent.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files

ac3filter.cpl
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bdeadmin.cpl Borland Software Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

________________________________________________________________________________
_______

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,00
.....
End vxd check
Please post this in the forum

________________________________________________________________________________
_

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/26/2005
The current time is: 17:43:27.50

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

zlbw.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 848 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #21 on:** December 26, 2005, 11:59:10 PM »

Can you do the following please

If you have Windows XP Home edition
Use this download and save it to your desktop
http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

If you have Windows XP Pro edition
Use this download and save it to your desktop
http://homepage.ntlworld.com/spencer.greys.../XPProfiles.exe

If your unsure go to START>>RUN>>type in winver
Hit OK

Once the correct file is saved
Double click on the file that you placed on your desktop and Run it
Let it self extract needed files to the
C:\WINDOWS\system32 folder
By clicking the UNZIP button
Which should be set by default

Now try running FindQoologic again with the instructions I posted earlier and post the new log

Mrs_Music · « **Reply #22 on:** December 27, 2005, 12:24:40 AM »

Find Qoologic last edited 11/28/2005
Running from
C:\Documents and Settings\Administrator\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

C:\WINDOWS\SYSTEM32\CKJSVVD.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

--
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmnssxm]
@="{9facfe73-8660-4d5f-80ed-e6ba58c857dd}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

guestolo · « **Reply #23 on:** December 27, 2005, 12:56:39 AM »

Let's do a bit more cleaning, then let me know how things are running

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
But make sure to include REGEDIT4 and below in the code box
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need it in a bit

Code: [Select]

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmnssxm]

[-HKEY_CLASSES_ROOT\CLSID\{9facfe73-8660-4d5f-80ed-e6ba58c857dd}]

[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

Open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
In the File name field
Copy and paste the following path to the file in bold below

C:\WINDOWS\SYSTEM32\CKJSVVD.EXE
Then click the OPEN button
Hijackthis should prompt you that the file will be deleted on Reboot and to restart the computer
Don't restart yet

Double click on fix.reg and allow to add/merge to the registry

Reboot your computer

Back in Windows
Can you run FindQoologic again and post the new log
After you have done that

Can you do the following again please
Delete your L2Mfix folder and L2Mfix.exe

Make sure that Symantec's Script blocking is disabled for this fix to work
I previously instructed you how to do this

Redownload L2mfix from one of these locations

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Mrs_Music · « **Reply #24 on:** December 27, 2005, 01:41:10 AM »

Qoologic

Find Qoologic last edited 11/28/2005
Running from
C:\Documents and Settings\Administrator\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

L2mfix

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 420 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 684 'winlogon.exe'
Killing PID 684 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 524 'explorer.exe'
Killing PID 524 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A97B1750-D844-46E6-A4D7-3804EB6214FB}]

[HKEY_CLASSES_ROOT\CLSID\{A97B1750-D844-46E6-A4D7-3804EB6214FB}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}]

[HKEY_CLASSES_ROOT\CLSID\{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\InprocServer32]
@="C:\\WINDOWS\\system32\\nldll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfacm32.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A97B1750-D844-46E6-A4D7-3804EB6214FB}"=-
"{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}"=-
"{83587047-71D2-4AF9-94B4-771BBC28F995}"=-
"{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}"=-
"{A0906CB6-C457-4264-A6B0-D324960078EA}"=-
"{33042924-C3A0-42EA-9E42-8D0795F0DF63}"=-
"{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}"=-
"{FE2E1812-471E-445F-AD57-CB98B00224B3}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A97B1750-D844-46E6-A4D7-3804EB6214FB}]
[-HKEY_CLASSES_ROOT\CLSID\{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}]
[-HKEY_CLASSES_ROOT\CLSID\{83587047-71D2-4AF9-94B4-771BBC28F995}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}]
[-HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}]
[-HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}]
[-HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}]
[-HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/19ED0577-73C1-4F56-BE1C-1CEE029CB1C5.reg (212 bytes security) (deflated 55%)
adding: backregs/31E430B5-10C3-40C8-A1CB-18C94B3DD3A5.reg (212 bytes security) (deflated 70%)
adding: backregs/33042924-C3A0-42EA-9E42-8D0795F0DF63.reg (212 bytes security) (deflated 70%)
adding: backregs/A0906CB6-C457-4264-A6B0-D324960078EA.reg (212 bytes security) (deflated 70%)
adding: backregs/A97B1750-D844-46E6-A4D7-3804EB6214FB.reg (212 bytes security) (deflated 54%)
adding: backregs/FE2E1812-471E-445F-AD57-CB98B00224B3.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:39:59 AM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135391434\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - <a href='http://aolcc.Email Removed/computercheckup/qdiagcc.cab' target='_blank' rel='nofollow'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab</a>
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB704F3-7900-4C1C-B0FD-4A079AB8748F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

It seems like it's back to normal, thanks for al your help!

guestolo · « **Reply #25 on:** December 27, 2005, 10:59:10 PM »

Sounds good
If you don't want/need the B-H toolbar installed, I would opt to uninstall it from add/remove programs

I don't like the entries related too Sony Rootkit infection
It appears that SpySweeper together with Windows Malicious Software Removal Tool
Have made this rootkit totally visible, may of fixed the vulnerability too
Google Sony Rootkit infection and you will find lot's of info about it
I can't believe Sony stooped this low to make computers very vulnerable

The old uninstaller that Sony supplied, left security risks
The new tool that they have made public appears to remove most of it, will leave behind some entries more than likely
But it seems to be the best method I can find at the moment

I would choose to try Sony's uninstaller,
They give you a choice to use the "Update the XCP software on your computer."

or "Completely uninstall the XCP software and associated content protection files."
Here's the link
http://cp.sonybmg.com/xcp/english/updates.html

The uninstaller is at the bottom of the page
The XCP software tool is available for download here as an EXECUTABLE (2.3 MB
Save this exe to your desktop
If you choose to download the zip file, make sure to extract it first to the desktop
Then close all other windows and run the tool
Reboot the computer afterwards

I would choose to do the complete uninstall
Then take advantage of
SONY BMG XCP
EXCHANGE PROGRAM
The link is found on the same page
Sony's removing, or has removed all CD's from stores, including online store with this protection on it
Lawsuits are pending against them!
This is something you don't want on your computer

Here's some more info about it
http://news.com.com/Sony+offers+new+CDs,+M..._3-5960987.html
Keep in mind, I believe they are still directing their comments about the first uninstaller by Sony
Which did a poor job of patching this

NOTE: I hope you choose to Uninstall completely
If you do, don't put the CD's with this protection on it back into your computer
The exchange program will supply you with a link to MP3 downloads and ship your new CD's at a later time

Quote

Please allow 3-6 weeks for delivery of the replacement(s). Consumers who choose to receive MP3 files in addition to replacement CD(s) will receive an e-mail with a link to the MP3 downloads upon our receipt and verification of your XCP CD(s)

After you have done the above
Go over to Windows updates and make sure your right up to date on all HighPriority updates
If any too download, do so and reboot the computer again if prompted

Let me know how it goes, can you post a fresh hijackthis log afterwards, thanks

In addition, I just want to check on something
Can you also
Open l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

Mrs_Music · « **Reply #26 on:** December 30, 2005, 04:43:19 PM »

Thanks for info!!
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 3:39:44 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135391434\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab\' target=\'_blank\' rel=\'nofollow\'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135972823515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

L2MFIX
L2MFIX find log 121605
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

********************************************************************************
**
HKEY ROOT CLASSIDS:
********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Wed Nov 23 2005 7:06:34p A.... 1,022,464 998.50 K
cdfview.dll Thu Oct 20 2005 9:39:26p A.... 151,040 147.50 K
danim.dll Fri Nov 4 2005 9:16:24p A.... 1,054,208 1.00 M
dpl100.dll Thu Oct 27 2005 1:37:46p A.... 86,016 84.00 K
dpu10.dll Thu Oct 27 2005 1:37:44p A.... 294,912 288.00 K
dpu11.dll Thu Oct 27 2005 1:37:44p A.... 294,912 288.00 K
dpugui10.dll Thu Oct 27 2005 1:37:48p A.... 53,248 52.00 K
dpugui11.dll Thu Oct 27 2005 1:37:46p A.... 593,920 580.00 K
dpus11.dll Thu Oct 27 2005 1:37:44p A.... 339,968 332.00 K
dpv11.dll Thu Oct 27 2005 1:37:44p A.... 57,344 56.00 K
dtu100.dll Thu Oct 27 2005 1:37:44p A.... 200,704 196.00 K
dxtrans.dll Thu Oct 20 2005 9:39:28p A.... 205,312 200.50 K
esent.dll Thu Oct 20 2005 4:20:04p A.... 1,082,368 1.03 M
extmgr.dll Thu Oct 20 2005 9:39:28p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 9:09:36p A.... 280,064 273.50 K
iepeers.dll Thu Oct 20 2005 9:39:28p A.... 251,392 245.50 K
inseng.dll Thu Oct 20 2005 9:39:28p A.... 96,256 94.00 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
mshtml.dll Wed Nov 23 2005 7:06:34p A.... 3,015,680 2.88 M
mshtmled.dll Thu Oct 20 2005 9:39:30p A.... 448,512 438.00 K
msrating.dll Thu Oct 20 2005 9:39:30p A.... 146,432 143.00 K
mstime.dll Thu Oct 20 2005 9:39:30p A.... 530,944 518.50 K
msupda~1.dll Fri Dec 23 2005 8:46:28p ..... 36,864 36.00 K
pngfilt.dll Thu Oct 20 2005 9:39:30p A.... 39,424 38.50 K
shdocvw.dll Wed Nov 30 2005 9:59:30p A.... 1,492,480 1.42 M
shlwapi.dll Thu Oct 20 2005 9:39:30p A.... 473,600 462.50 K
spmsg.dll Wed Oct 12 2005 5:12:26p ..... 14,048 13.72 K
urlmon.dll Fri Nov 4 2005 9:16:28p A.... 609,280 595.00 K
wininet.dll Thu Oct 20 2005 9:39:30p A.... 658,432 643.00 K
wrlogo~1.dll Mon Oct 24 2005 12:20:36p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:20:32p A.... 17,920 17.50 K

31 items found: 31 files, 0 directories.
Total of file sizes: 14,199,008 bytes 13.54 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is FC8B-72C2

Directory of C:\WINDOWS\System32

12/30/2005 03:38 PM <DIR> dllcache
06/21/2004 06:10 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 10,811,641,856 bytes free

guestolo · « **Reply #27 on:** December 30, 2005, 10:31:54 PM »

Thank you for removing that infection<<sorry I mean to call it that
But that's what it is, take advantage of Sony's Exchange program
Don't put those CD's back in your computer again
They can be played on your home stereo or vehicle, but not on your comp.

Let's make sure this doesn't happen again
Thanks for your support in this problem

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Can you do me favor please before we do some final cleanup
This file found by L2Mfix
msupda~1.dll Fri Dec 23 2005 8:46:28p ..... 36,864 36.00 K
I suspect it may still be bad

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\msupdate32.dll <-this file
I assume that is the name of the file, can you take a close look please

Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

If you can't see them on your harddrive
You may have to
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Mrs_Music · « **Reply #28 on:** December 31, 2005, 12:45:39 AM »

I wont be using those cds in my pc anymore!

Here are the results...

File: msupdate32.dll
Status: INFECTED/MALWARE
MD5 04c5bb461bdcb47ffdfe3b1dcae542a8
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Delf.Ald
Avast Found Win32:Trojano-2997
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Proxy.636
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Delf.ald
NOD32 Found nothing
Norman Virus Control Found W32/DLoader.NUJ
UNA Found nothing
VBA32 Found nothing

guestolo · « **Reply #29 on:** December 31, 2005, 01:09:21 AM »

Can you do the following please

Start Killbox
Click on Tools in the menu bar and then click "Delete Temp Files"
In the Full path to file to delete, copy and paste the next line in bold

C:\WINDOWS\SYSTEM32\msupdate32.dll

Select the radio button to "Delete File on Reboot"
Additionally select "Unregister .dll before deleting"

Click the Red Circle with the White X

OK the prompts to delete on reboot and allow the computer to reboot
If the computer doesn't reboot, please do so manually

Back in Windows
Make sure that msupdate32.dll is gone

Let me know how everythings running

EDIT>>I know I mentioned this a couple times already

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Please, make sure you take advantage of the exchange program if you want to play the CD's on your computer
That way you get to download the MP3's almost immediately, you just have to wait for your new CD's

Mrs_Music · « **Reply #30 on:** December 31, 2005, 03:19:56 AM »

[quote name=\'guestolo\' post=\'79345\' date=\'Dec 31 2005, 12:09 AM\']Can you do the following please

Start Killbox
Click on Tools in the menu bar and then click "Delete Temp Files"
In the Full path to file to delete, copy and paste the next line in bold

C:\WINDOWS\SYSTEM32\msupdate32.dll

Select the radio button to "Delete File on Reboot"
Additionally select "Unregister .dll before deleting"

Click the Red Circle with the White X

OK the prompts to delete on reboot and allow the computer to reboot
If the computer doesn't reboot, please do so manually

Back in Windows
Make sure that msupdate32.dll is gone

Let me know how everythings running

Please, make sure you take advantage of the exchange program if you want to play the CD's on your computer
That way you get to download the MP3's almost immediately, you just have to wait for your new CD's[/quote]

msupdate32.dll is gone and everything seems to be back to normal. I will most definitely be taking advantage of the exchange program. Thanks for all your help, I really appreciate it

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #31 on:** December 31, 2005, 02:51:40 PM »

Can you do the following for final cleanup please

Do a "System scan only" with Hijackthis and put a check next to these entries:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

You can go back and reenble the protections you disabled earlier with Microsoft AntiSpyware
If you haven't do so yet

SpySweeper is fully functional for a couple weeks from download
After which time you can uninstall it

Another great scanner for malware
Download and Install Spybot 1.4 from
HERE
or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Do that after every update
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish any cleaning process

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Mrs_Music · « **Reply #32 on:** January 03, 2006, 03:39:30 PM »

Done! Thanks for all your help!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #33 on:** January 03, 2006, 09:52:59 PM »

I'll lock this topic as your problems appear resolved
Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: Spy Sherrif (Read 5119 times)

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif

Mrs_Music

Spy Sherrif

guestolo

Spy Sherrif