CsrLiz344

Ok, Here It Is.........

Spybot and Adaware didn't help, it's still there (XXX Dialer)...

Logfile of HijackThis v1.99.1

Scan saved at 3:30:30 PM, on 7/14/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\CursorXP\CursorXP.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\aim\aim.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F3 - REG:win.ini: load=C:\\spq.exe

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [hdejmk] c:\windows\system32\hdejmk.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\drloader.dll

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mvdtclog.dll

O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\iaxrip.dll

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\iaxrip.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\drloader.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Ok. Here it is. I also noticed my system restore isn't working, and now my computer is real "jerky". If I try to play hearts, it looks like the cards are skipping, and that applies to everything I do.

The system restore is turned back on, but there is no date in bold except today, I can't go back to June either. Grrr-this thing is aggravating me!!

L2MFIX find log 1.03

These are the registry keys present

********************************************************************************

**

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\iaxrip.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]

"Asynchronous"=dword:00000000

"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"

"Startup"="MCPSystemStartup"

"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\iaxrip.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\drloader.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\drloader.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]

"Asynchronous"=dword:00000000

"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"

"Startup"="StartSys"

"Logon"="StartWB"

********************************************************************************

**

useragent:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{3CFB6117-AB06-4CBB-D23B-E92DAB0565B5}"=""

********************************************************************************

**

Shell Extension key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"

"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"

"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"

"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"

"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"

"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"

"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"

"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"

"{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}"=""

"{9650F943-878D-434C-BE40-0C26BBED2679}"=""

"{A6625691-0AF7-49AB-89BF-0211D60B9275}"=""

"{1109B115-12A5-4DB3-9934-B00A89CBAD99}"=""

"{1BD1FA66-A177-4DE0-8225-F838460CF2A4}"=""

"{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}"=""

"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"

********************************************************************************

**

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\InprocServer32]

@="C:\\WINDOWS\\system32\\cwypt32.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\InprocServer32]

@="C:\\WINDOWS\\system32\\idetcfg.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\InprocServer32]

@="C:\\WINDOWS\\system32\\drloader.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\InprocServer32]

@="C:\\WINDOWS\\system32\\ksdsl1.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\InprocServer32]

@="C:\\WINDOWS\\system32\\iaxrip.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\InprocServer32]

@="C:\\WINDOWS\\system32\\ibcoin2.dll"

"ThreadingModel"="Apartment"

********************************************************************************

**

Files Found are not all bad files:

Locate .tmp files:

Directory Listing of system files:

Volume in drive C has no label.

Volume Serial Number is 24BA-00FB

Directory of C:\WINDOWS\System32

07/14/2005 10:53 PM 417,792 ksdsl1.dll

07/14/2005 06:27 PM 417,792 ibcoin2.dll

07/14/2005 02:44 PM 417,792 kxcp32.dll

07/14/2005 01:57 PM 417,792 dmsrslvr.dll

07/14/2005 01:57 PM 417,792 drloader.dll

07/14/2005 12:48 PM 417,792 kydhe220.dll

07/14/2005 12:42 PM 417,792 lHprxy.dll

07/14/2005 12:29 PM 417,792 mcident.dll

07/14/2005 11:38 AM 417,792 mjprivs.dll

07/14/2005 08:24 AM 417,792 lutif11n.dll

07/11/2005 06:31 PM 417,792 fedrclnr.dll

07/10/2005 06:31 PM 417,792 iaxrip.dll

07/06/2005 09:46 PM 417,792 idetcfg.dll

07/06/2005 09:44 PM 417,792 guard.tmp

07/06/2005 01:42 PM 417,792 cwypt32.dll

06/22/2005 07:37 PM <DIR> dllcache

06/17/2005 06:31 PM 5 AuxDrv32b_g.oxc

11/01/2002 12:25 PM <DIR> Microsoft

16 File(s) 6,266,885 bytes

2 Dir(s) 29,284,995,072 bytes free

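The directory listing above is the kind of evidence a helper triages by eye: fifteen randomly named libraries of exactly 417,792 bytes dropped into System32 over eight days, plus a .tmp of the same size. As an added example (not part of the original post or of L2Mfix), the Python below parses that `dir` output and flags clusters of identically sized files created within a short window, reporting which extensions each cluster mixes; the listing text is reproduced from the post as constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the System32 listing pasted in the post above,
# in the "dir" output format that L2Mfix includes in its log.
LISTING = """
 Volume in drive C has no label.
 Volume Serial Number is 24BA-00FB

 Directory of C:\\WINDOWS\\System32

07/14/2005 10:53 PM 417,792 ksdsl1.dll
07/14/2005 06:27 PM 417,792 ibcoin2.dll
07/14/2005 02:44 PM 417,792 kxcp32.dll
07/14/2005 01:57 PM 417,792 dmsrslvr.dll
07/14/2005 01:57 PM 417,792 drloader.dll
07/14/2005 12:48 PM 417,792 kydhe220.dll
07/14/2005 12:42 PM 417,792 lHprxy.dll
07/14/2005 12:29 PM 417,792 mcident.dll
07/14/2005 11:38 AM 417,792 mjprivs.dll
07/14/2005 08:24 AM 417,792 lutif11n.dll
07/11/2005 06:31 PM 417,792 fedrclnr.dll
07/10/2005 06:31 PM 417,792 iaxrip.dll
07/06/2005 09:46 PM 417,792 idetcfg.dll
07/06/2005 09:44 PM 417,792 guard.tmp
07/06/2005 01:42 PM 417,792 cwypt32.dll
06/22/2005 07:37 PM <DIR> dllcache
06/17/2005 06:31 PM 5 AuxDrv32b_g.oxc
11/01/2002 12:25 PM <DIR> Microsoft
 16 File(s) 6,266,885 bytes
 2 Dir(s) 29,284,995,072 bytes free
"""

# One "dir" entry: date, 12-hour time, size (with thousands separators) or <DIR>, name.
LINE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return [(timestamp, size_in_bytes, name)] for every file line.

    Directory rows, the volume header and the totals footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, clock, size, name = m.groups()
        if size == "<DIR>":
            continue
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        entries.append((ts, int(size.replace(",", "")), name))
    return entries


def flag_size_clusters(entries, min_count=3, window_days=14):
    """Group files by exact byte size and keep groups of at least min_count
    files whose timestamps all fall within window_days of each other.

    Identical size plus unrelated random names is the pattern visible in the
    listing above; a single legitimate update rarely produces it.
    Returns {size: sorted names}."""
    by_size = defaultdict(list)
    for ts, size, name in entries:
        by_size[size].append((ts, name))
    flagged = {}
    for size, items in by_size.items():
        if len(items) < min_count:
            continue
        times = [ts for ts, _ in items]
        if (max(times) - min(times)).days <= window_days:
            flagged[size] = sorted(name for _, name in items)
    return flagged


def cluster_extensions(flagged):
    """For each flagged cluster, list the distinct lower-cased extensions.

    A cluster that mixes .dll with .tmp at one exact size (guard.tmp above)
    is a stronger indicator than uniform .dll names, since a library dropper
    that also leaves a same-size temp copy behaves unlike an installer."""
    return {
        size: sorted({name.rsplit(".", 1)[-1].lower() for name in names})
        for size, names in flagged.items()
    }


if __name__ == "__main__":
    found = flag_size_clusters(parse_dir_listing(LISTING))
    for size, names in found.items():
        print(f"{len(names)} files of {size:,} bytes: {', '.join(names)}")
    print(cluster_extensions(found))
```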

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Fix Log

L2Mfix 1.03a

Running From:

C:\Documents and Settings\Liz\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"

- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Liz\Desktop\l2mfix

System Rebooted!

Running From:

C:\Documents and Settings\Liz\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1920 'explorer.exe'

Killing PID 1920 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1312 'rundll32.exe'

Killing PID 1684 'rundll32.exe'

Killing PID 196 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\beowser.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\beowser.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cBbinet.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cBbinet.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cqutil.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cqutil.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cwypt32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cwypt32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dmsrslvr.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dmsrslvr.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\doquery.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\doquery.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dv16gt.dLL

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dv16gt.dLL

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dXvclnt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dXvclnt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\fedrclnr.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\fedrclnr.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\ibcoin2.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\ibcoin2.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\idetcfg.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\idetcfg.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\ksdsl1.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\ksdsl1.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kxcp32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kxcp32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kydhe220.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kydhe220.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lHprxy.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lHprxy.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lutif11n.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lutif11n.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mcident.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mcident.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mjprivs.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mjprivs.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mvdtclog.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mvdtclog.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\guard.tmp

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\guard.tmp

1 file(s) copied.

deleting: C:\WINDOWS\system32\beowser.dll

Successfully Deleted: C:\WINDOWS\system32\beowser.dll

deleting: C:\WINDOWS\system32\beowser.dll

Successfully Deleted: C:\WINDOWS\system32\beowser.dll

deleting: C:\WINDOWS\system32\cBbinet.dll

Successfully Deleted: C:\WINDOWS\system32\cBbinet.dll

deleting: C:\WINDOWS\system32\cBbinet.dll

Successfully Deleted: C:\WINDOWS\system32\cBbinet.dll

deleting: C:\WINDOWS\system32\cqutil.dll

Successfully Deleted: C:\WINDOWS\system32\cqutil.dll

deleting: C:\WINDOWS\system32\cqutil.dll

Successfully Deleted: C:\WINDOWS\system32\cqutil.dll

deleting: C:\WINDOWS\system32\cwypt32.dll

Successfully Deleted: C:\WINDOWS\system32\cwypt32.dll

deleting: C:\WINDOWS\system32\cwypt32.dll

Successfully Deleted: C:\WINDOWS\system32\cwypt32.dll

deleting: C:\WINDOWS\system32\dmsrslvr.dll

Successfully Deleted: C:\WINDOWS\system32\dmsrslvr.dll

deleting: C:\WINDOWS\system32\dmsrslvr.dll

Successfully Deleted: C:\WINDOWS\system32\dmsrslvr.dll

deleting: C:\WINDOWS\system32\doquery.dll

Successfully Deleted: C:\WINDOWS\system32\doquery.dll

deleting: C:\WINDOWS\system32\doquery.dll

Successfully Deleted: C:\WINDOWS\system32\doquery.dll

deleting: C:\WINDOWS\system32\dv16gt.dLL

Successfully Deleted: C:\WINDOWS\system32\dv16gt.dLL

deleting: C:\WINDOWS\system32\dv16gt.dLL

Successfully Deleted: C:\WINDOWS\system32\dv16gt.dLL

deleting: C:\WINDOWS\system32\dXvclnt.dll

Successfully Deleted: C:\WINDOWS\system32\dXvclnt.dll

deleting: C:\WINDOWS\system32\dXvclnt.dll

Successfully Deleted: C:\WINDOWS\system32\dXvclnt.dll

deleting: C:\WINDOWS\system32\fedrclnr.dll

Successfully Deleted: C:\WINDOWS\system32\fedrclnr.dll

deleting: C:\WINDOWS\system32\fedrclnr.dll

Successfully Deleted: C:\WINDOWS\system32\fedrclnr.dll

deleting: C:\WINDOWS\system32\ibcoin2.dll

Successfully Deleted: C:\WINDOWS\system32\ibcoin2.dll

deleting: C:\WINDOWS\system32\ibcoin2.dll

Successfully Deleted: C:\WINDOWS\system32\ibcoin2.dll

deleting: C:\WINDOWS\system32\idetcfg.dll

Successfully Deleted: C:\WINDOWS\system32\idetcfg.dll

deleting: C:\WINDOWS\system32\idetcfg.dll

Successfully Deleted: C:\WINDOWS\system32\idetcfg.dll

deleting: C:\WINDOWS\system32\ksdsl1.dll

Successfully Deleted: C:\WINDOWS\system32\ksdsl1.dll

deleting: C:\WINDOWS\system32\ksdsl1.dll

Successfully Deleted: C:\WINDOWS\system32\ksdsl1.dll

deleting: C:\WINDOWS\system32\kxcp32.dll

Successfully Deleted: C:\WINDOWS\system32\kxcp32.dll

deleting: C:\WINDOWS\system32\kxcp32.dll

Successfully Deleted: C:\WINDOWS\system32\kxcp32.dll

deleting: C:\WINDOWS\system32\kydhe220.dll

Successfully Deleted: C:\WINDOWS\system32\kydhe220.dll

deleting: C:\WINDOWS\system32\kydhe220.dll

Successfully Deleted: C:\WINDOWS\system32\kydhe220.dll

deleting: C:\WINDOWS\system32\lHprxy.dll

Successfully Deleted: C:\WINDOWS\system32\lHprxy.dll

deleting: C:\WINDOWS\system32\lHprxy.dll

Successfully Deleted: C:\WINDOWS\system32\lHprxy.dll

deleting: C:\WINDOWS\system32\lutif11n.dll

Successfully Deleted: C:\WINDOWS\system32\lutif11n.dll

deleting: C:\WINDOWS\system32\lutif11n.dll

Successfully Deleted: C:\WINDOWS\system32\lutif11n.dll

deleting: C:\WINDOWS\system32\mcident.dll

Successfully Deleted: C:\WINDOWS\system32\mcident.dll

deleting: C:\WINDOWS\system32\mcident.dll

Successfully Deleted: C:\WINDOWS\system32\mcident.dll

deleting: C:\WINDOWS\system32\mjprivs.dll

Successfully Deleted: C:\WINDOWS\system32\mjprivs.dll

deleting: C:\WINDOWS\system32\mjprivs.dll

Successfully Deleted: C:\WINDOWS\system32\mjprivs.dll

deleting: C:\WINDOWS\system32\mvdtclog.dll

Successfully Deleted: C:\WINDOWS\system32\mvdtclog.dll

deleting: C:\WINDOWS\system32\mvdtclog.dll

Successfully Deleted: C:\WINDOWS\system32\mvdtclog.dll

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:

adding: beowser.dll (164 bytes security) (deflated 48%)

adding: cBbinet.dll (164 bytes security) (deflated 48%)

adding: cqutil.dll (164 bytes security) (deflated 48%)

adding: cwypt32.dll (164 bytes security) (deflated 48%)

adding: dmsrslvr.dll (164 bytes security) (deflated 48%)

adding: doquery.dll (164 bytes security) (deflated 48%)

adding: dv16gt.dLL (164 bytes security) (deflated 48%)

adding: dXvclnt.dll (164 bytes security) (deflated 48%)

adding: fedrclnr.dll (164 bytes security) (deflated 48%)

adding: ibcoin2.dll (164 bytes security) (deflated 48%)

adding: idetcfg.dll (164 bytes security) (deflated 48%)

adding: ksdsl1.dll (164 bytes security) (deflated 48%)

adding: kxcp32.dll (164 bytes security) (deflated 48%)

adding: kydhe220.dll (164 bytes security) (deflated 48%)

adding: lHprxy.dll (164 bytes security) (deflated 48%)

adding: lutif11n.dll (164 bytes security) (deflated 48%)

adding: mcident.dll (164 bytes security) (deflated 48%)

adding: mjprivs.dll (164 bytes security) (deflated 48%)

adding: mvdtclog.dll (164 bytes security) (deflated 48%)

adding: guard.tmp (164 bytes security) (deflated 48%)

adding: clear.reg (164 bytes security) (deflated 58%)

adding: echo.reg (164 bytes security) (deflated 8%)

adding: direct.txt (164 bytes security) (stored 0%)

adding: lo2.txt (164 bytes security) (deflated 88%)

adding: readme.txt (164 bytes security) (deflated 49%)

adding: report.txt (164 bytes security) (deflated 66%)

adding: test.txt (164 bytes security) (deflated 88%)

adding: test2.txt (164 bytes security) (deflated 40%)

adding: test3.txt (164 bytes security) (deflated 40%)

adding: test5.txt (164 bytes security) (deflated 40%)

adding: xfind.txt (164 bytes security) (deflated 85%)

adding: backregs/1109B115-12A5-4DB3-9934-B00A89CBAD99.reg (164 bytes security) (deflated 70%)

adding: backregs/1BD1FA66-A177-4DE0-8225-F838460CF2A4.reg (164 bytes security) (deflated 70%)

adding: backregs/81E4550B-A272-4A9F-A4EC-BE8F79D2481C.reg (164 bytes security) (deflated 70%)

adding: backregs/9650F943-878D-434C-BE40-0C26BBED2679.reg (164 bytes security) (deflated 70%)

adding: backregs/A6625691-0AF7-49AB-89BF-0211D60B9275.reg (164 bytes security) (deflated 70%)

adding: backregs/D251F2C0-ADC5-4A2C-9158-991DB6AF9003.reg (164 bytes security) (deflated 70%)

adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"

Inherited ACE can not be revoked here!

Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: beowser.dll

deleting local copy: beowser.dll

deleting local copy: cBbinet.dll

deleting local copy: cBbinet.dll

deleting local copy: cqutil.dll

deleting local copy: cqutil.dll

deleting local copy: cwypt32.dll

deleting local copy: cwypt32.dll

deleting local copy: dmsrslvr.dll

deleting local copy: dmsrslvr.dll

deleting local copy: doquery.dll

deleting local copy: doquery.dll

deleting local copy: dv16gt.dLL

deleting local copy: dv16gt.dLL

deleting local copy: dXvclnt.dll

deleting local copy: dXvclnt.dll

deleting local copy: fedrclnr.dll

deleting local copy: fedrclnr.dll

deleting local copy: ibcoin2.dll

deleting local copy: ibcoin2.dll

deleting local copy: idetcfg.dll

deleting local copy: idetcfg.dll

deleting local copy: ksdsl1.dll

deleting local copy: ksdsl1.dll

deleting local copy: kxcp32.dll

deleting local copy: kxcp32.dll

deleting local copy: kydhe220.dll

deleting local copy: kydhe220.dll

deleting local copy: lHprxy.dll

deleting local copy: lHprxy.dll

deleting local copy: lutif11n.dll

deleting local copy: lutif11n.dll

deleting local copy: mcident.dll

deleting local copy: mcident.dll

deleting local copy: mjprivs.dll

deleting local copy: mjprivs.dll

deleting local copy: mvdtclog.dll

deleting local copy: mvdtclog.dll

deleting local copy: guard.tmp

deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]

"Asynchronous"=dword:00000000

"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"

"Startup"="MCPSystemStartup"

"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]

"Asynchronous"=dword:00000000

"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"

"Startup"="StartSys"

"Logon"="StartWB"

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\beowser.dll

C:\WINDOWS\system32\beowser.dll

C:\WINDOWS\system32\cBbinet.dll

C:\WINDOWS\system32\cBbinet.dll

C:\WINDOWS\system32\cqutil.dll

C:\WINDOWS\system32\cqutil.dll

C:\WINDOWS\system32\cwypt32.dll

C:\WINDOWS\system32\cwypt32.dll

C:\WINDOWS\system32\dmsrslvr.dll

C:\WINDOWS\system32\dmsrslvr.dll

C:\WINDOWS\system32\doquery.dll

C:\WINDOWS\system32\doquery.dll

C:\WINDOWS\system32\dv16gt.dLL

C:\WINDOWS\system32\dv16gt.dLL

C:\WINDOWS\system32\dXvclnt.dll

C:\WINDOWS\system32\dXvclnt.dll

C:\WINDOWS\system32\fedrclnr.dll

C:\WINDOWS\system32\fedrclnr.dll

C:\WINDOWS\system32\ibcoin2.dll

C:\WINDOWS\system32\ibcoin2.dll

C:\WINDOWS\system32\idetcfg.dll

C:\WINDOWS\system32\idetcfg.dll

C:\WINDOWS\system32\ksdsl1.dll

C:\WINDOWS\system32\ksdsl1.dll

C:\WINDOWS\system32\kxcp32.dll

C:\WINDOWS\system32\kxcp32.dll

C:\WINDOWS\system32\kydhe220.dll

C:\WINDOWS\system32\kydhe220.dll

C:\WINDOWS\system32\lHprxy.dll

C:\WINDOWS\system32\lHprxy.dll

C:\WINDOWS\system32\lutif11n.dll

C:\WINDOWS\system32\lutif11n.dll

C:\WINDOWS\system32\mcident.dll

C:\WINDOWS\system32\mcident.dll

C:\WINDOWS\system32\mjprivs.dll

C:\WINDOWS\system32\mjprivs.dll

C:\WINDOWS\system32\mvdtclog.dll

C:\WINDOWS\system32\mvdtclog.dll

C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}"=-

"{9650F943-878D-434C-BE40-0C26BBED2679}"=-

"{A6625691-0AF7-49AB-89BF-0211D60B9275}"=-

"{1109B115-12A5-4DB3-9934-B00A89CBAD99}"=-

"{1BD1FA66-A177-4DE0-8225-F838460CF2A4}"=-

"{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}"=-

[-HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}]

[-HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}]

[-HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}]

[-HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}]

[-HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}]

[-HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

HJT Log

Logfile of HijackThis v1.99.1

Scan saved at 12:26:26 AM, on 7/15/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\CursorXP\CursorXP.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


CsrLiz344,

-

You may wish to print out a copy of these instructions to follow while you complete this procedure.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Viewpoint Toolbar

===============

Go to www.trendmicro.com; if you're using Firefox or Netscape, go to be.trendmicro-europe.com instead, and then:

1. Click "Free Online Scan".

2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.

2. Check(tick) "Auto Clean".

3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix. If you encounter problems during this step, please move on to the next step.

==============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

folders...

C:\Program Files\Viewpoint

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked; restarting can reinfect your computer, resulting in us starting the cleaning-up process all over!

-

~Njustice~


Ok, did all that. My original problem, which is on the support forum, is still there! UGH! It's the XXX Dialer on hubby's screen. I ran HJT on that one, and didn't see anything different from mine. The red app for Yahoo is still on his, but that's about it. ::sigh::

Decided to d/l a 30 day trial of PC_Cillin while I was waiting for the trend scan, but it kept making my computer reboot by itself. Needless to say, it's gone :wacko:

Anyway, here's the latest log. And, BTW, I appreciate everybody's help, you guys rock!

Logfile of HijackThis v1.99.1

Scan saved at 9:45:17 AM, on 7/15/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\CursorXP\CursorXP.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\aim\aim.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\drloader.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Liz....did you run l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter on hubby's account? If not, please do so and tell me which account is set up as Administrator/Owner.

Also....do the following under Admin/Owner account:

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:

  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.


Did the rkfiles thing, copied the log, hit paste, and when I got back here, there's nothing there. There wasn't a whole lot on it, I can do it again and write it down if you need it.

We are all admins, and I rebooted into his screen and that dialer didn't come up (woohoo)!!!!!

As far as how the comp is running, it's fine. Seems faster now than it was (DSL), maybe 'cause all that crap is gone.

The one thing I noticed, and I think I mentioned it earlier, is my system restore is whacked. I don't plan on restoring it, but the only date available is yesterday's. Nothing else is bold, and I can't switch months.


Okie dokie, here ya go:

C:\Documents and Settings\Liz\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............

------------------------

C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

C:\WINDOWS\system32\oembios.bin: peC2"y)Q

Files Found in all users startup Folder............

------------------------

Files Found in all users windows Folder............

------------------------

C:\WINDOWS\imgurla.exe: UPX!

C:\WINDOWS\RMAgentOutput.dll: UPX!

C:\WINDOWS\tsc.exe: UPX!

C:\WINDOWS\vsapi32.dll: UPX!t4

Finished

bye


Download Killbox here:

http://www.downloads.subratam.org/KillBox.zip

Unzip to desktop.

Double-click on KillBox to launch it, then click to enable Delete on Reboot. Please type in the following complete file path into the top box of KillBox:

C:\WINDOWS\imgurla.exe

Now, click on the little red circle button (with a white "X") and click "Yes" to delete and then "Yes" to "Reboot now".

If it doesn't reboot on its own, then you reboot the computer yourself. Once restarted, Run HiJackThis and click "Scan", then post new logs from all accounts on your computer.

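When a helper asks for fresh logs from every account, the work is comparing them against the earlier log and picking the entries worth reading first. The script below is an added example for this thread, not code from HijackThis or from anyone posting here: it parses the HijackThis 1.99.1 line format seen in these logs ("Oxx - body" entries after a "Running processes:" list), diffs two logs section by section, and lists the entry types a helper typically checks first (O15 Trusted Zone additions, O20 Winlogon Notify DLLs, registrations pointing at "(no file)", O23 services with "Unknown owner"). The sample logs are constructed excerpts of the 7/15 and 7/16 logs posted in this thread; the flagged entries are review hints, not verdicts.

```python
import re

# One HijackThis entry line, e.g. "O20 - Winlogon Notify: WB - C:\...\fastload.dll"
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Split a HijackThis 1.99.x log into (entries, processes): entries maps a
    section code (R0, O4, O20, ...) to the set of entry bodies; processes is the
    list of paths under "Running processes:"."""
    entries, processes = {}, []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first R/O line ends the process list
            entries.setdefault(m.group("sec"), set()).add(m.group("body"))
        elif in_processes:
            processes.append(line)
    return entries, processes

def _section_order(sec):
    # R0.. before O1.., and O4 before O20 (a plain string sort would not do that)
    return ("RFNO".index(sec[0]), int(sec[1:]))

def diff_hjt(old_text, new_text):
    """Return (added, removed): full entry lines present in only one of the logs."""
    old, _ = parse_hjt(old_text)
    new, _ = parse_hjt(new_text)
    added, removed = [], []
    for sec in sorted(set(old) | set(new), key=_section_order):
        for body in sorted(new.get(sec, set()) - old.get(sec, set())):
            added.append(f"{sec} - {body}")
        for body in sorted(old.get(sec, set()) - new.get(sec, set())):
            removed.append(f"{sec} - {body}")
    return added, removed

def review_candidates(text):
    """Entries a helper reads first, as (section, reason, body) tuples. These are
    review hints, not verdicts: legitimate software lands here too (the Stardock
    Winlogon Notify DLLs in these logs, for instance)."""
    entries, _ = parse_hjt(text)
    hits = []
    for body in sorted(entries.get("O15", set())):
        hits.append(("O15", "site added to the IE Trusted Zone", body))
    for body in sorted(entries.get("O20", set())):
        hits.append(("O20", "DLL loaded by winlogon at logon", body))
    for sec in ("O2", "O9"):
        for body in sorted(entries.get(sec, set())):
            if body.endswith("(no file)"):
                hits.append((sec, "registration points at a missing file", body))
    for body in sorted(entries.get("O23", set())):
        if "Unknown owner" in body:
            hits.append(("O23", "service without publisher information", body))
    return hits

# Constructed excerpts (a few lines each) of the logs posted in this thread.
LOG_0715 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\drloader.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""
LOG_0716 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""
LOG_JADE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    added, removed = diff_hjt(LOG_0715, LOG_0716)
    print("Added since 7/15:", *added, sep="\n  ")
    print("Gone since 7/15:", *removed, sep="\n  ")
    for sec, reason, body in review_candidates(LOG_JADE):
        print(f"{sec:<4}{reason}: {body}")
```

Run against the full logs above, the diff shows the drloader.dll O20 entry present on 7/15 and absent on 7/16, and the Java update scheduler appearing; whether any flagged entry is actually unwanted still needs a human reading it.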

ok, here ya go:

mine

Logfile of HijackThis v1.99.1

Scan saved at 7:42:57 AM, on 7/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\CursorXP\CursorXP.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\aim\aim.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Rick

Logfile of HijackThis v1.99.1

Scan saved at 7:49:37 AM, on 7/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Jade

Logfile of HijackThis v1.99.1

Scan saved at 7:47:09 AM, on 7/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\aim\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation/welco...version=puccini

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Skye

Logfile of HijackThis v1.99.1

Scan saved at 7:51:37 AM, on 7/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\aim\aim.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\DOCUME~1\Skye\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Also, I wanted to ask you, actually hubby did, we always have 2 'new hardware found' boxes come up when we all log on. One is CLID, or similar, and the other is MSTREAM. How do you get rid of those? Not that they hurt anything, just a pain.


Hi Liz, when you're done removing the following items, can you post the exact messages you're getting for the 2 'new hardware found' boxes?

Liz:

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Rick:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Jade:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Skye:

You have HijackThis running from the temporary directory; it needs to be in a folder of its own like the other accounts. I also recommend you remove WeatherBug via Add/Remove Programs since it usually comes bundled with crapware. Desktop Weather is a better alternative, like Rick is using in his account.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

After removing the items, please reboot your computer, run HijackThis and check whether the items have been removed. If any items are not removed, let me know which ones and for what account(s).

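One way to automate the post-reboot check asked for above (compare each account's fresh HijackThis log against its fix list and report what is still present), added here as an example and not part of the thread. The fix lists are the lines from the post above; the post-reboot logs are constructed. Entries are matched on the stable part of each line (CLSID, trusted-zone domain, registry value plus URL host), so the "..." URL truncation the forum applies does not break the comparison.

```python
"""Check per-account HijackThis logs against a helper's fix list.

Constructed example. Keys are built from the stable part of each entry
(CLSID, trusted-zone domain, registry value + URL host), so an entry still
matches when the forum has shortened its URL to "..." as in this thread.
"""
import re
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, ...]

# HijackThis v1.99 line shapes handled here (others are ignored).
_O16 = re.compile(r"^O16 - DPF: (?:(\{[0-9A-Fa-f-]+\}) \((.*?)\)|(.+?)) - (.*)$")
_O15 = re.compile(r"^O15 - Trusted Zone: (.+)$")
_R = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = ?(.*)$")
_O4 = re.compile(r"^O4 - (HK(?:CU|LM))\\\.\.\\Run: \[(.+?)\] (.*)$")


def url_host(url: str) -> str:
    """Host part of a URL, tolerant of a truncated path; '' for non-URLs."""
    m = re.match(r"^https?://([^/\s]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse_line(line: str) -> Optional[Key]:
    """Normalize one HijackThis line to a comparable key (None if unhandled)."""
    line = line.strip()
    m = _O16.match(line)
    if m:
        clsid, _name, bare_name, url = m.groups()
        # An ActiveX control is identified by its CLSID; the URL may be cut.
        if clsid:
            return ("O16", clsid.upper())
        return ("O16", bare_name.strip().lower(), url_host(url))
    m = _O15.match(line)
    if m:
        return ("O15", m.group(1).strip().lower())
    m = _R.match(line)
    if m:
        code, key, value_name, value = m.groups()
        return (code, key.lower(), value_name.strip().lower(), url_host(value))
    m = _O4.match(line)
    if m:
        hive, name, _cmd = m.groups()
        return ("O4", hive, name.lower())
    return None


def parse_log(text: str) -> Dict[Key, str]:
    """Map every recognized entry's key to its original line."""
    entries: Dict[Key, str] = {}
    for raw in text.splitlines():
        key = parse_line(raw)
        if key is not None:
            entries[key] = raw.strip()
    return entries


def remaining_items(fix_lists: Dict[str, List[str]],
                    logs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per account: fix-list lines that still appear in the post-reboot log."""
    report: Dict[str, List[str]] = {}
    for account, wanted in fix_lists.items():
        present = parse_log(logs.get(account, ""))
        report[account] = [line for line in wanted if parse_line(line) in present]
    return report


# Fix lists as posted for two of the accounts (lines copied from the thread).
FIX_LISTS = {
    "Rick": [
        r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html",
        r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com",
        r"O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab",
    ],
    "Jade": [
        r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html",
        r"O15 - Trusted Zone: *.media-motor.net",
        r"O15 - Trusted Zone: *.popuppers.com",
        r"O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab",
    ],
}

# Constructed post-reboot logs: Rick's list is fully gone; in Jade's log one
# trusted-zone entry and the control came back (lower-case CLSID, URL cut
# differently by the forum) and must still be reported.
AFTER_REBOOT_LOGS = {
    "Rick": "\n".join([
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/",
        r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
        r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    ]),
    "Jade": "\n".join([
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/",
        r"O15 - Trusted Zone: *.popuppers.com",
        r"O16 - DPF: {9522b3fb-7a2b-4646-8af6-36e7f593073c} (cpbrkpie Control) - http://a19.g.akamai.net/.../cpbrkpie.cab",
    ]),
}


def check_thread_accounts() -> Dict[str, List[str]]:
    """Run the check on the constructed data; leftover lines per account."""
    return remaining_items(FIX_LISTS, AFTER_REBOOT_LOGS)


if __name__ == "__main__":
    for account, left in check_thread_accounts().items():
        print(account + ":", "clean" if not left else "")
        for line in left:
            print("  still present:", line)
```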

Liz, I need you to do the following as well:

Download WinPFind.zip from HERE and extract it to your C:\ folder.

This will create a folder called WinPFind in the C:\ folder.

Disconnect from the net and stay offline until all steps are complete.

Perform these steps for each account.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option 4 to Merge Winlogon Notify Defaults, press Enter, and wait a few moments.

Then double-click WinPFind.exe inside c:\WinPFind to launch the program.

Then click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.

When it is done, it will show the results of the scan.

Click on the Copy to Clipboard button and then paste the contents of your clipboard in your next reply.


Ok, Skye's account has been deleted, so we now have 3 to work with. All her files were deleted also.

mine

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

UPX! C:\log.txt

PEC2 C:\log.txt

PEC2 C:\win.txt

UPX! C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

PECompact2 C:\WINDOWS\lpt$vpn.731

qoologic C:\WINDOWS\lpt$vpn.731

SAHAgent C:\WINDOWS\lpt$vpn.731

abetterinternet.com C:\WINDOWS\ojojo.dll

web-nex C:\WINDOWS\ojojo.dll

UPX! C:\WINDOWS\RMAgentOutput.dll

UPX! C:\WINDOWS\tsc.exe

PECompact2 C:\WINDOWS\VPTNFILE.731

qoologic C:\WINDOWS\VPTNFILE.731

SAHAgent C:\WINDOWS\VPTNFILE.731

UPX! C:\WINDOWS\vsapi32.dll

aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...

PEC2 C:\WINDOWS\system32\dfrg.msc

UPX! C:\WINDOWS\system32\locate.com

PECompact2 C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\ntdll.dll

PEC2 C:\WINDOWS\system32\oembios.bin

Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

UPX! C:\WINDOWS\system32\drivers\avg7core.sys

FSG! C:\WINDOWS\system32\drivers\avg7core.sys

aspack C:\WINDOWS\system32\drivers\avg7core.sys

PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...

6/18/2005 C:\WINDOWS\pcconfig.dat

7/13/2005 C:\WINDOWS\uccspecb.sys

7/13/2005 C:\WINDOWS\WindowsShellOld.Manifest

6/22/2005 C:\WINDOWS\inf\oem26.inf

5/28/2005 C:\WINDOWS\Minidump\Mini052805-01.dmp

6/1/2005 C:\WINDOWS\Minidump\Mini060105-01.dmp

6/17/2005 C:\WINDOWS\system32\AuxDrv32b_g.oxc

7/17/2005 C:\WINDOWS\system32\vsconfig.xml

5/28/2005 C:\WINDOWS\system32\zllictbl.dat

7/17/2005 C:\WINDOWS\system32\config\default.LOG

7/17/2005 C:\WINDOWS\system32\config\SAM.LOG

7/17/2005 C:\WINDOWS\system32\config\SECURITY.LOG

7/17/2005 C:\WINDOWS\system32\config\software.LOG

7/17/2005 C:\WINDOWS\system32\config\system.LOG

7/13/2005 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

7/17/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers

*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

*\shellex\ContextMenuHandlers\nfnfnsxg

{c5583504-9ba4-4eda-bb2d-5f62737ad84d} =

*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Yahoo! Mail

{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll

*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}

= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

RegistryMechanic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

DW4 "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient

= C:\Program Files\Common Files\Stardock\mcpstub.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB

= C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient

{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder

{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn

{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck

{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray

{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

UserInit C:\WINDOWS\system32\userinit.exe,

Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Rick

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

UPX! C:\log.txt

PEC2 C:\log.txt

PEC2 C:\win.txt

UPX! C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

PECompact2 C:\WINDOWS\lpt$vpn.731

qoologic C:\WINDOWS\lpt$vpn.731

SAHAgent C:\WINDOWS\lpt$vpn.731

abetterinternet.com C:\WINDOWS\ojojo.dll

web-nex C:\WINDOWS\ojojo.dll

UPX! C:\WINDOWS\RMAgentOutput.dll

UPX! C:\WINDOWS\tsc.exe

PECompact2 C:\WINDOWS\VPTNFILE.731

qoologic C:\WINDOWS\VPTNFILE.731

SAHAgent C:\WINDOWS\VPTNFILE.731

UPX! C:\WINDOWS\vsapi32.dll

aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...

PEC2 C:\WINDOWS\system32\dfrg.msc

UPX! C:\WINDOWS\system32\locate.com

PECompact2 C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\ntdll.dll

PEC2 C:\WINDOWS\system32\oembios.bin

Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

UPX! C:\WINDOWS\system32\drivers\avg7core.sys

FSG! C:\WINDOWS\system32\drivers\avg7core.sys

aspack C:\WINDOWS\system32\drivers\avg7core.sys

PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...

6/18/2005 C:\WINDOWS\pcconfig.dat

7/13/2005 C:\WINDOWS\uccspecb.sys

7/13/2005 C:\WINDOWS\WindowsShellOld.Manifest

6/22/2005 C:\WINDOWS\inf\oem26.inf

5/28/2005 C:\WINDOWS\Minidump\Mini052805-01.dmp

6/1/2005 C:\WINDOWS\Minidump\Mini060105-01.dmp

6/17/2005 C:\WINDOWS\system32\AuxDrv32b_g.oxc

7/17/2005 C:\WINDOWS\system32\vsconfig.xml

5/28/2005 C:\WINDOWS\system32\zllictbl.dat

7/17/2005 C:\WINDOWS\system32\config\default.LOG

7/17/2005 C:\WINDOWS\system32\config\SAM.LOG

7/17/2005 C:\WINDOWS\system32\config\SECURITY.LOG

7/17/2005 C:\WINDOWS\system32\config\software.LOG

7/17/2005 C:\WINDOWS\system32\config\system.LOG

7/13/2005 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

7/17/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers

*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

*\shellex\ContextMenuHandlers\nfnfnsxg

{c5583504-9ba4-4eda-bb2d-5f62737ad84d} =

*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Yahoo! Mail

{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll

*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}

= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

RegistryMechanic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

DW4 "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient

= C:\Program Files\Common Files\Stardock\mcpstub.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB

= C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient

{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder

{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn

{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck

{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray

{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

UserInit C:\WINDOWS\system32\userinit.exe,

Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Jade

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

UPX! C:\log.txt

PEC2 C:\log.txt

PEC2 C:\win.txt

UPX! C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

PECompact2 C:\WINDOWS\lpt$vpn.731

qoologic C:\WINDOWS\lpt$vpn.731

SAHAgent C:\WINDOWS\lpt$vpn.731

abetterinternet.com C:\WINDOWS\ojojo.dll

web-nex C:\WINDOWS\ojojo.dll

UPX! C:\WINDOWS\RMAgentOutput.dll

UPX! C:\WINDOWS\tsc.exe

PECompact2 C:\WINDOWS\VPTNFILE.731

qoologic C:\WINDOWS\VPTNFILE.731

SAHAgent C:\WINDOWS\VPTNFILE.731

UPX! C:\WINDOWS\vsapi32.dll

aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...

PEC2 C:\WINDOWS\system32\dfrg.msc

UPX! C:\WINDOWS\system32\locate.com

PECompact2 C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\MRT.exe

aspack C:\WINDOWS\system32\ntdll.dll

PEC2 C:\WINDOWS\system32\oembios.bin

Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

UPX! C:\WINDOWS\system32\drivers\avg7core.sys

FSG! C:\WINDOWS\system32\drivers\avg7core.sys

aspack C:\WINDOWS\system32\drivers\avg7core.sys

PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...

6/18/2005 C:\WINDOWS\pcconfig.dat

7/13/2005 C:\WINDOWS\uccspecb.sys

7/13/2005 C:\WINDOWS\WindowsShellOld.Manifest

6/22/2005 C:\WINDOWS\inf\oem26.inf

5/28/2005 C:\WINDOWS\Minidump\Mini052805-01.dmp

6/1/2005 C:\WINDOWS\Minidump\Mini060105-01.dmp

6/17/2005 C:\WINDOWS\system32\AuxDrv32b_g.oxc

7/16/2005 C:\WINDOWS\system32\vsconfig.xml

5/28/2005 C:\WINDOWS\system32\zllictbl.dat

7/16/2005 C:\WINDOWS\system32\config\default.LOG

7/16/2005 C:\WINDOWS\system32\config\SAM.LOG

7/16/2005 C:\WINDOWS\system32\config\SECURITY.LOG

7/16/2005 C:\WINDOWS\system32\config\software.LOG

7/16/2005 C:\WINDOWS\system32\config\system.LOG

7/13/2005 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b

7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

7/16/2005 C:\WINDOWS\Tasks\SA.DAT

7/6/2005 C:\WINDOWS\temp\History\History.IE5\desktop.ini

7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini

7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\9JGKA28P\desktop.ini

7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\H1WQ1U85\desktop.ini

7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\OTIR0D2B\desktop.ini

7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XBU7GHEZ\desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers

*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

*\shellex\ContextMenuHandlers\nfnfnsxg

{c5583504-9ba4-4eda-bb2d-5f62737ad84d} =

*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

*\shellex\ContextMenuHandlers\Yahoo! Mail

{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll

*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}

= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

RegistryMechanic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

AIM C:\Program Files\aim\aim.exe -cnetwait.odl

Yahoo! Pager "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient

= C:\Program Files\Common Files\Stardock\mcpstub.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB

= C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient

{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder

{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn

{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck

{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray

{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

UserInit C:\WINDOWS\system32\userinit.exe,

Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

I haven't gotten the "new hardware" message the last couple of times I was logging on and off the different accounts. Next time I do, I will let you know what they say.

Thanks!!

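The "Files found" section of the WinPFind log above is a packer-marker heuristic, and the log itself shows why the tool's own warning matters: MRT.exe and ntdll.dll are flagged on the same markers as ojojo.dll. The following is an added example, not WinPFind's code and not from this thread, of that heuristic in Python. It searches files for the marker strings the log's labels name (UPX!, PEC2, PECompact2, aspack, FSG!), which it assumes WinPFind matches as literal byte strings anywhere in the file, and sorts hits into ones needing review and ones whose file name is on a hypothetical known-good list. The sample files are constructed in a temporary directory; the known-good names are taken from the legitimate files this log flags.

```python
"""Packer-marker scan in the style of WinPFind's "Files found" section.

Added example, not WinPFind's own code. The marker labels are the ones the
log prints (UPX!, PEC2, PECompact2, aspack, FSG!); that WinPFind matches them
as plain byte strings anywhere in the file is an assumption made here.
"""
import os
import tempfile

# Label -> byte string searched for in each file. Built from the labels seen
# in the log; real packers leave such strings in section names or stub code.
MARKERS = {
    "UPX!": b"UPX!",
    "PEC2": b"PEC2",
    "PECompact2": b"PECompact2",
    "aspack": b"aspack",
    "FSG!": b"FSG!",
}

# Hypothetical known-good list: the log above flags these legitimate Windows
# files on the same markers, so a hit on them is a lead, not a verdict.
KNOWN_GOOD_NAMES = {"ntdll.dll", "mrt.exe"}


def scan_bytes(data: bytes) -> list:
    """Return the labels whose marker occurs in data, in MARKERS order."""
    return [label for label, needle in MARKERS.items() if needle in data]


def scan_tree(root: str) -> dict:
    """Walk root and map each file path to its matching labels (hits only)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable (locked, permissions): skip, do not guess
            labels = scan_bytes(data)
            if labels:
                hits[path] = labels
    return hits


def triage(hits: dict) -> dict:
    """Split hits into 'review' (unknown files) and 'info' (known-good names)."""
    out = {"review": {}, "info": {}}
    for path, labels in hits.items():
        known = os.path.basename(path).lower() in KNOWN_GOOD_NAMES
        out["info" if known else "review"][path] = labels
    return out


def demo() -> dict:
    """Constructed sample files (not real binaries): a UPX-marked DLL using a
    name from the log, an aspack-marked file named like a system DLL, and a
    clean text file. Returns the triaged hits keyed by file name."""
    samples = {
        "ojojo.dll": b"MZ\x90\x00" + b"\x00" * 64 + b"UPX0UPX1UPX!" + b"\x00" * 32,
        "ntdll.dll": b"MZ\x90\x00" + b"\x00" * 64 + b".aspack" + b"\x00" * 32,
        "readme.txt": b"plain text, nothing packed here",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        result = triage(scan_tree(root))
    # Re-key by file name so callers do not depend on the temporary path.
    return {bucket: {os.path.basename(p): v for p, v in d.items()}
            for bucket, d in result.items()}


if __name__ == "__main__":
    for bucket, files in demo().items():
        for name, labels in files.items():
            print(f"[{bucket}] {' '.join(labels)} {name}")
```

Because the markers are plain substrings, anything that embeds a packer stub or merely mentions a packer name will match; the check narrows what to look at, and the Jotti submissions further down the thread are the kind of follow-up that actually decides.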

Hi Liz,

I need you to go HERE and browse to the files below, one at a time, then Submit for analysis. Please copy and paste the Scanner results and Status back here.

C:\WINDOWS\pcconfig.dat

C:\WINDOWS\uccspecb.sys



File: pcconfig.dat

Status: OK

MD5 51ca4ba7556c2a4bb0e981da7bc8b907

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VBA32 Found nothing


File: uccspecb.sys

Status: OK

MD5 0bd3364b4dd4cea7c2c7426598491a12

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VBA32 Found nothing


Liz, after consulting with other experts we feel that the two files you scanned at Jotti's are in fact bad.

Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

C:\log.txt

C:\win.txt

C:\windows.txt

C:\WINDOWS\pcconfig.dat

C:\WINDOWS\uccspecb.sys

C:\WINDOWS\ojojo.dll

Also for peace of mind please do the following online scans:

http://www.pandasoftware.com/activescan/co...n_principal.htm

http://www.windowsecurity.com/trojanscan/

Report back any files that cannot be removed.

Let me know how your computer is running.

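KillBox's Delete on Reboot defers the deletion until the next boot, which is what lets it remove files that are locked while Windows is running. The following added example, not KillBox's code and not part of this thread, assumes KillBox uses the standard Windows mechanism for this: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues each request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries the queue out early in the next boot. The script builds that value for the six files listed in the post and decodes it back into readable operations, so a practitioner can confirm exactly what is queued before answering Yes to the reboot. The function names are the example's own.

```python
"""Build and read the PendingFileRenameOperations value behind "delete on reboot".

Added example, not KillBox's or Windows' code. Assumption: KillBox's "Delete on
Reboot" uses MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which queues the request
in the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
for Session Manager to perform at the next boot. The value is a flat list of
string pairs: a source path in NT form (\\??\\C:\\...) followed by either an
empty string (delete) or a destination path (rename; a leading '!' on the
destination means an existing file may be replaced).
"""

NT_PREFIX = "\\??\\"

# The six files the post above tells Liz to queue for deletion.
FILES_FROM_POST = [
    r"C:\log.txt",
    r"C:\win.txt",
    r"C:\windows.txt",
    r"C:\WINDOWS\pcconfig.dat",
    r"C:\WINDOWS\uccspecb.sys",
    r"C:\WINDOWS\ojojo.dll",
]


def to_nt_path(win_path: str) -> str:
    """C:\\dir\\file -> \\??\\C:\\dir\\file; a path already in NT form is unchanged."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_pending_ops(ops) -> bytes:
    """ops: iterable of (source, destination), destination None for delete.
    Returns REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, then one
    more NUL closing the list."""
    strings = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append("" if dst is None else dst)
    body = "".join(s + "\x00" for s in strings) + "\x00"
    return body.encode("utf-16-le")


def delete_on_reboot_value(paths) -> bytes:
    """Value that queues every path for deletion at the next boot."""
    return encode_pending_ops((p, None) for p in paths)


def decode_pending_ops(raw: bytes) -> list:
    """Inverse of encode_pending_ops: [(source, destination_or_None), ...].
    Works on the raw bytes on purpose: an empty destination is a legitimate
    entry here, and generic MULTI_SZ readers may stop at the first empty string."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    text = text[:-1]                    # drop the list terminator
    if text in ("", "\x00"):            # empty list, with or without extra NUL
        return []
    items = text.split("\x00")          # every string ends in NUL ...
    items.pop()                         # ... so the split leaves one empty tail
    if len(items) % 2:
        raise ValueError("odd string count: not source/destination pairs")
    return [(items[i], items[i + 1] or None) for i in range(0, len(items), 2)]


def describe(ops) -> list:
    """One line per queued operation, for review before rebooting: only the
    intended deletions should be present, since malware can queue renames here too."""
    lines = []
    for src, dst in ops:
        if dst is None:
            lines.append(f"DELETE  {src}")
        elif dst.startswith("!"):
            lines.append(f"REPLACE {src} -> {dst[1:]}")
        else:
            lines.append(f"RENAME  {src} -> {dst}")
    return lines


if __name__ == "__main__":
    raw = delete_on_reboot_value(FILES_FROM_POST)
    for line in describe(decode_pending_ops(raw)):
        print(line)
```

The script only builds and parses the bytes. Writing the value requires administrative rights and must append to, not overwrite, entries already present, which is why a tool like KillBox is used for it. Reading the value back before rebooting is a check worth doing regardless of tool: if something other than the six intended deletions is queued, that is a finding in itself.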

OK, these are the results. I don't understand them; hopefully you can figure it out.

Incident Status Location

Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe

Adware:adware/exactsearch No disinfected C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\blank.gif

Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe

Adware:adware/nsearch No disinfected C:\sp.exe

Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe

Adware:adware/myway No disinfected C:\PROGRAM FILES\MySearch

Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX

Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAACCX.DLL

Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC

Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET

Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Jade\Local Settings\Temporary Internet Files\Content.IE5\Q4LV5IYF\upd208[1].exe

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[beowser.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cBbinet.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cqutil.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cwypt32.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dmsrslvr.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[doquery.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dv16gt.dLL]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dXvclnt.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[fedrclnr.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[ibcoin2.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[idetcfg.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[ksdsl1.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[kxcp32.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[kydhe220.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[lHprxy.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[lutif11n.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mcident.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mjprivs.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mvdtclog.dll]

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[guard.tmp]

Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\motoin.exe

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\upd208.exe

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\DFBJLT8E\upd208[1].exe

Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[drloader.dll]

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[iaxrip.dll]

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[iyfosoft.dll]

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[jkproxy.dll]

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[madtclog.dll]

Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[guard.tmp]

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\WONWebLauncherControl.ocx

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\WONWebLauncherControl.ocx

Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf

Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx

Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0006.exe

Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll

Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf

Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\lhzgzhbk.exe

Possible Virus. No disinfected C:\WINDOWS\Live_Sex.exe

Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe

Adware:Adware/Look2Me No disinfected C:\WINDOWS\temp\upd208.exe

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

I also d/l'd the other software; after the scan, this is the web addy to check the results:

http://www.hijackfree.com/analyze/?id=a3ac...21-f1303aa2d81e

Hi Liz, your link to HijackFree won't work for me.

================

Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

C:\WINDOWS\SYSTEM32\ps1.exe

C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\blank.gif

C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe

C:\sp.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\unstall.exe

C:\PROGRAM FILES\MySearch

C:\WINDOWS\DOWNLOADED PROGRAM FILES\M67M.OCX

C:\WINDOWS\DOWNLOADED PROGRAM FILES\MEDIAACCX.DLL

C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\DFBJLT8E\upd208[1].exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.6\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.7\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.8\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.9\WONWebLauncherControl.ocx

C:\WINDOWS\Downloaded Program Files\m67m.inf

C:\WINDOWS\Downloaded Program Files\m67m.ocx

C:\WINDOWS\Downloaded Program Files\pcs_0006.exe

C:\WINDOWS\Downloaded Program Files\popcaploader.dll

C:\WINDOWS\Downloaded Program Files\popcaploader.inf

C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx

C:\WINDOWS\lhzgzhbk.exe

C:\WINDOWS\Live_Sex.exe

C:\WINDOWS\system\UpdInst.exe

C:\WINDOWS\temp\upd208.exe

==============

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):

- C:\Windows\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

- C:\Documents and Settings\<All other users' Profile>\Local Settings\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.

- C:\Documents and Settings\<All other users' Profile>\Local Settings\Temporary Internet Files\

- Empty your "Recycle Bin"

===============

Make sure Ewido, Adaware and Spybot are updated, and fix what they find, rebooting in between each scan. Report back on how your computer is running.

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):

- C:\Windows\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

- C:\Documents and Settings\<All other users' Profile>\Local Settings\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.

- C:\Documents and Settings\<All other users' Profile>\Local Settings\Temporary Internet Files\

- Empty your "Recycle Bin"

Can you explain that? I admit to being a little computer savvy, but that escapes me :)

Thanks!

BTW, here are the last HijackFree scan results:

a-squared HiJackFree Analysis

www.hijackfree.com

Version info: Result ToDo

Your used version of a-squared HiJackFree: 1.20

The current version of a-squared HiJackFree: 1.20

Your used operating system version: Windows XP Service Pack 2

The current version of your operating system: Windows XP Service Pack 2

Registry Autoruns: Result ToDo

Name: IntelliPoint

Path: C:\Program Files\Microsoft IntelliPoint\point32.exe

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 3 - Bad: 0

View Details

Name: AVG7_CC

Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 1 - Bad: 0

View Details

Name: AVG7_EMC

Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 2 - Bad: 0

View Details

Name: Zone Labs Client

Path: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 2 - Bad: 0

View Details

Name: YBrowser

Path: C:\Program Files\Yahoo!\browser\ybrwicon.exe

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 1 - Bad: 0

View Details

Name: CursorXP

Path: C:\Program Files\CursorXP\CursorXP.exe

Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 1 - Bad: 0

View Details

Name: PopUpStopperFreeEdition

Path: C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 2 - Bad: 0

View Details

Name: AIM

Path: C:\Program Files\aim\aim.exe -cnetwait.odl

Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 1 - Bad: 0

View Details

Name: a-squared

Path: C:\Program Files\a2\a2guard.exe

Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Good: 2 - Bad: 0

View Details

Tricky and Other Autoruns: Result ToDo

Name: load

Path:

Location: win.ini

Not checked Unknown Item

Search at Google

Name: run

Path:

Location: win.ini

Not checked Unknown Item

Search at Google

Name: shell

Path: Explorer.exe

Location: win.ini

Not checked Unknown Item

Search at Google

Name: scrnsave.exe

Path: C:\WINDOWS\system32\logon.scr

Location: win.ini

Not checked Unknown Item

Search at Google

Name: NUL

Path: îÂ|8‘|ÿÿÿÿ2‘|«‘|ë‘|

Location: win.ini

Not checked Unknown Item

Search at Google

Name: NUL

Path: îÂ|8‘|ÿÿÿÿ2‘|«‘|ë‘|

Location: win.ini

Not checked Unknown Item

Search at Google

Name: SBC Self Support Tool

Path:

Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Not checked Unknown Item

Search at Google

Name: AVG7_Run

Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

Location: HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\

Not checked Unknown Item

Search at Google

Name: Shell

Path: Explorer.exe

Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Not checked Unknown Item

Search at Google

Name: {22d6f312-b0f6-11d0-94ab-0080c74c7e95}

Path: C:\WINDOWS\inf\unregmp2.exe /ShowWMP

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {26923b43-4d38-484f-9b9e-de460746276c}

Path: C:\WINDOWS\system32\system32\shmgrate.exe OCInstallUserConfigIE

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {881dd1c5-3dcf-431b-b061-f3f88e8be88a}

Path: C:\WINDOWS\system32\system32\shmgrate.exe OCInstallUserConfigOE

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {2C7339CF-2B09-4501-B3F3-F3508C9228ED}

Path: C:\WINDOWS\system32\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\system32\themeui.dll

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

Path: C:\Program Files\Outlook Express\setup50.exe /APP:OE /CALLER:WINNT /user /install

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {44BBA842-CC51-11CF-AAFA-00AA00B6015B}

Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {4b218e3e-bc98-4770-93d3-2731b9329278}

Path: C:\WINDOWS\system32\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 C:\WINDOWS\system32\inf\ie.inf

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {5945c046-1e7d-11d1-bc44-00c04fd912be}

Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {6BF52A52-394A-11d3-B153-00C04F79FAA6}

Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {7790769C-0471-11d2-AF11-00C04FA35D02}

Path: C:\Program Files\Outlook Express\setup50.exe /APP:WAB /CALLER:WINNT /user /install

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {89820200-ECBD-11cf-8B85-00AA005B4340}

Path: regsvr32.exe /s /n /i:U shell32.dll

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: {89820200-ECBD-11cf-8B85-00AA005B4383}

Path: C:\WINDOWS\system32\system32\ie4uinit.exe

Location: HKLM\Software\Microsoft\Active Setup\Installed Components\

Not checked Unknown Item

Search at Google

Name: VBScript Script File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\vbsfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: VBScript Encoded Script File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\vbefile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: JScript Script File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\jsfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: JScript Encoded Script File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\jsefile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: Windows Script Host Settings File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\wshfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: Windows Script File

Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %*

Location: HKEY_CLASSES_ROOT\wsffile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: Application

Path: %1 %*

Location: HKEY_CLASSES_ROOT\exefile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: MS-DOS Application

Path: %1 %*

Location: HKEY_CLASSES_ROOT\comfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: MS-DOS Batch File

Path: %1 %*

Location: HKEY_CLASSES_ROOT\batfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: Screen Saver

Path: %1 /S

Location: HKEY_CLASSES_ROOT\scrfile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: Shortcut to MS-DOS Program

Path: %1 %*

Location: HKEY_CLASSES_ROOT\piffile\shell\open\command\

Not checked Unknown Item

Search at Google

Name: wbsys.dll

Path: wbsys.dll

Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

Not checked Unknown Item

Search at Google

Name: SCRNSAVE.EXE

Path: C:\WINDOWS\system32\logon.scr

Location: HKCU\Control Panel\Desktop\

Not checked Unknown Item

Search at Google

Name: BootExecute

Path: autocheck autochk *

Location: HKLM\System\CurrentControlSet\Control\Session Manager\

Not checked Unknown Item

Search at Google

Name: 0aMCPClient

Path: C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Not checked Unknown Item

Search at Google

Name: PostBootReminder

Path: C:\WINDOWS\system32\system32\SHELL32.dll

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Not checked Unknown Item

Search at Google

Name: CDBurn

Path: C:\WINDOWS\system32\system32\SHELL32.dll

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Not checked Unknown Item

Search at Google

Name: WebCheck

Path: C:\WINDOWS\system32\System32\webcheck.dll

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Not checked Unknown Item

Search at Google

Name: SysTray

Path: C:\WINDOWS\system32\stobject.dll

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Not checked Unknown Item

Search at Google

Layered Service Providers (LSP): Result ToDo

Name: mswsock.dll

Path: C:\WINDOWS\system32\system32\

Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\

Good: 1 - Bad: 0

View Details

Name: rsvpsp.dll

Path: C:\WINDOWS\system32\system32\

Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\

Good: 1 - Bad: 0

View Details

Explorer And Browser Addons: Result ToDo

Name: Yahoo! Companion BHO

Path: C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

ClsID: {02478D38-C3F9-4efb-9B51-7695ECA05670}

Good: 1 - Bad: 0

View Details

Name: AcroIEHlprObj Class

Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

ClsID: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

Good: 1 - Bad: 0

View Details

Name:

Path: C:\PROGRA~1\SPYBOT~1\SDHelper.dll

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

ClsID: {53707962-6F74-2D53-2644-206D7942484F}

Good: 1 - Bad: 0

View Details

Name: URL Exec Hook

Path: shell32.dll

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

ClsID: {AEB6717E-7E19-11d0-97EE-00C04FD91972}

Good: 0 - Bad: 0

Unknown Item

Search at Google

Name: Yahoo! Companion

Path: C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

Location: HKLM\Software\Microsoft\Internet Explorer\Toolbar\

ClsID: {EF99BD32-C1FB-11D2-892F-0090271D4F88}

Good: 1 - Bad: 0

View Details

Local Open Ports: Result ToDo

Port: 135 TCP

Path: C:\WINDOWS\system32\svchost.exe (Process ID: 772)

Good: 1 - Bad: 0

View Details

Port: 139 TCP

Path: ? (Process ID: 4)

Good: 1 - Bad: 0

View Details

Port: 445 TCP

Path: ? (Process ID: 4)

Good: 1 - Bad: 0

View Details

Port: 1027 TCP

Path: C:\WINDOWS\system32\alg.exe (Process ID: 924)

Good: 1 - Bad: 0

View Details

Port: 1051 TCP

Path: C:\Program Files\aim\aim.exe (Process ID: 128)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 1059 TCP

Path: ? (Process ID: 128)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 5180 TCP

Path: ? (Process ID: 128)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 10110 TCP

Path: C:\Program Files\Grisoft\AVG Free\avgemc.exe (Process ID: 2000)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 123 UDP

Path: C:\WINDOWS\system32\svchost.exe (Process ID: 836)

Good: 1 - Bad: 0

View Details

Port: 123 UDP

Path: C:\WINDOWS\system32\svchost.exe (Process ID: 836)

Good: 1 - Bad: 0

View Details

Port: 137 UDP

Path: ? (Process ID: 4)

Good: 1 - Bad: 0

View Details

Port: 138 UDP

Path: ? (Process ID: 4)

Good: 1 - Bad: 0

View Details

Port: 445 UDP

Path: ? (Process ID: 4)

Good: 1 - Bad: 0

View Details

Port: 500 UDP

Path: C:\WINDOWS\system32\lsass.exe (Process ID: 580)

Good: 1 - Bad: 0

View Details

Port: 1052 UDP

Path: C:\Program Files\Grisoft\AVG Free\avgemc.exe (Process ID: 128)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 1900 UDP

Path: C:\WINDOWS\system32\svchost.exe (Process ID: 900)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 1900 UDP

Path: C:\WINDOWS\system32\svchost.exe (Process ID: 900)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Port: 4500 UDP

Path: C:\WINDOWS\system32\lsass.exe (Process ID: 580)

Good: 0 - Bad: 0

Unknown Item

Search at Google

Running Processes: Result ToDo

Name: [system Process]

Process ID: 0

Path:

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: System

Process ID: 4

Path:

Info: Threads: 59 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: aim.exe

Process ID: 128

Path: C:\Program Files\aim\

Info: Threads: 11 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: a2guard.exe

Process ID: 148

Path: C:\Program Files\a2\

Info: Threads: 10 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: ycommon.exe

Process ID: 184

Path: C:\Program Files\Yahoo!\browser\

Info: Threads: 9 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: smss.exe

Process ID: 452

Path: C:\WINDOWS\system32\

Info: Threads: 3 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: csrss.exe

Process ID: 500

Path: C:\WINDOWS\system32\

Info: Threads: 11 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: winlogon.exe

Process ID: 524

Path: C:\WINDOWS\system32\

Info: Threads: 19 - Priority: High - Visible: No

Good: 1 - Bad: 0

View Details

Name: services.exe

Process ID: 568

Path: C:\WINDOWS\system32\

Info: Threads: 15 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: lsass.exe

Process ID: 580

Path: C:\WINDOWS\system32\

Info: Threads: 21 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: svchost.exe

Process ID: 724

Path: C:\WINDOWS\system32\

Info: Threads: 19 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: svchost.exe

Process ID: 772

Path: C:\WINDOWS\system32\

Info: Threads: 10 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: svchost.exe

Process ID: 836

Path: C:\WINDOWS\system32\

Info: Threads: 85 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: svchost.exe

Process ID: 900

Path: C:\WINDOWS\system32\

Info: Threads: 14 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: alg.exe

Process ID: 924

Path: C:\WINDOWS\system32\

Info: Threads: 6 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: mpbtn.exe

Process ID: 996

Path: C:\Program Files\SBC Self Support Tool\bin\

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: spoolsv.exe

Process ID: 1132

Path: C:\WINDOWS\system32\

Info: Threads: 15 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: SDMCP.exe

Process ID: 1256

Path: C:\Program Files\Common Files\Stardock\

Info: Threads: 2 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: wbload.exe

Process ID: 1292

Path: C:\Program Files\Stardock\Object Desktop\WindowBlinds\

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: avgamsvr.exe

Process ID: 1364

Path: C:\Program Files\Grisoft\AVG Free\

Info: Threads: 10 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: avgupsvc.exe

Process ID: 1380

Path: C:\Program Files\Grisoft\AVG Free\

Info: Threads: 4 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: KodakCCS.exe

Process ID: 1452

Path: C:\WINDOWS\system32\drivers\

Info: Threads: 2 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: ScsiAccess.EXE

Process ID: 1492

Path: C:\WINDOWS\system32\

Info: Threads: 2 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: svchost.exe

Process ID: 1532

Path: C:\WINDOWS\system32\

Info: Threads: 8 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: wdfmgr.exe

Process ID: 1556

Path: C:\WINDOWS\system32\

Info: Threads: 6 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: vsmon.exe

Process ID: 1592

Path: C:\WINDOWS\system32\ZoneLabs\

Info: Threads: 22 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: Explorer.EXE

Process ID: 1788

Path: C:\WINDOWS\

Info: Threads: 13 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: point32.exe

Process ID: 1984

Path: C:\Program Files\Microsoft IntelliPoint\

Info: Threads: 4 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: avgcc.exe

Process ID: 1992

Path: C:\Program Files\Grisoft\AVG Free\

Info: Threads: 7 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: avgemc.exe

Process ID: 2000

Path: C:\Program Files\Grisoft\AVG Free\

Info: Threads: 8 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: zlclient.exe

Process ID: 2008

Path: C:\Program Files\Zone Labs\ZoneAlarm\

Info: Threads: 6 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: ybrwicon.exe

Process ID: 2016

Path: C:\Program Files\Yahoo!\browser\

Info: Threads: 6 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: jusched.exe

Process ID: 2024

Path: C:\Program Files\Java\jre1.5.0_04\bin\

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 2 - Bad: 0

View Details

Name: CursorXP.exe

Process ID: 2032

Path: C:\Program Files\CursorXP\

Info: Threads: 2 - Priority: High - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: PSFree.exe

Process ID: 2044

Path: C:\Program Files\Panicware\Pop-Up Stopper Free Edition\

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 0 - Bad: 0

Unknown Item

Search at Google

Submit new process info

Name: wuauclt.exe

Process ID: 2052

Path: C:\WINDOWS\system32\

Info: Threads: 8 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: a2start.exe

Process ID: 2744

Path: C:\Program Files\a2\

Info: Threads: 1 - Priority: Normal - Visible: No

Good: 1 - Bad: 0

View Details

Name: a2sys.exe (a-squared HiJackFree)

Process ID: 2764

Path: C:\Program Files\a2\

Info: Threads: 2 - Priority: Normal - Visible: Yes

Good: 1 - Bad: 0

View Details

This analysis is saved and available for at least 7 days at this website address.

Analysis generated on 7/19/2005 1:54:38 AM
