CsrLiz344 Posted July 14, 2005

Spybot and Adaware didn't help, it's still there (XXX Dialer)...

Logfile of HijackThis v1.99.1
Scan saved at 3:30:30 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\aim\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F3 - REG:win.ini: load=C:\\spq.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [hdejmk] c:\windows\system32\hdejmk.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\drloader.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mvdtclog.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\iaxrip.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\iaxrip.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\drloader.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
njustice Posted July 14, 2005

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
CsrLiz344 (Author) Posted July 15, 2005

Ok, here it is. I also noticed my system restore isn't working, and now my computer is real "jerky". If I try to play hearts, it looks like the cards are skipping, and that applies to everything I do. The system restore is turned back on, but there is no date in bold except today, I can't go back to June either. Grrr, this thing is aggravating me!!

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iaxrip.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iaxrip.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\drloader.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\drloader.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3CFB6117-AB06-4CBB-D23B-E92DAB0565B5}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}\InprocServer32]
@="C:\\WINDOWS\\system32\\cwypt32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}\InprocServer32]
@="C:\\WINDOWS\\system32\\idetcfg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}\InprocServer32]
@="C:\\WINDOWS\\system32\\drloader.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}\InprocServer32]
@="C:\\WINDOWS\\system32\\ksdsl1.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\iaxrip.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}\InprocServer32]
@="C:\\WINDOWS\\system32\\ibcoin2.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

Locate .tmp files:

Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 24BA-00FB

 Directory of C:\WINDOWS\System32

07/14/2005  10:53 PM           417,792 ksdsl1.dll
07/14/2005  06:27 PM           417,792 ibcoin2.dll
07/14/2005  02:44 PM           417,792 kxcp32.dll
07/14/2005  01:57 PM           417,792 dmsrslvr.dll
07/14/2005  01:57 PM           417,792 drloader.dll
07/14/2005  12:48 PM           417,792 kydhe220.dll
07/14/2005  12:42 PM           417,792 lHprxy.dll
07/14/2005  12:29 PM           417,792 mcident.dll
07/14/2005  11:38 AM           417,792 mjprivs.dll
07/14/2005  08:24 AM           417,792 lutif11n.dll
07/11/2005  06:31 PM           417,792 fedrclnr.dll
07/10/2005  06:31 PM           417,792 iaxrip.dll
07/06/2005  09:46 PM           417,792 idetcfg.dll
07/06/2005  09:44 PM           417,792 guard.tmp
07/06/2005  01:42 PM           417,792 cwypt32.dll
06/22/2005  07:37 PM    <DIR>          dllcache
06/17/2005  06:31 PM                 5 AuxDrv32b_g.oxc
11/01/2002  12:25 PM    <DIR>          Microsoft
              16 File(s)      6,266,885 bytes
               2 Dir(s)  29,284,995,072 bytes free
njustice Posted July 15, 2005

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
CsrLiz344 (Author) Posted July 15, 2005

Fix Log

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Liz\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Liz\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Liz\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]

Killing PID 1920 'explorer.exe'
Killing PID 1920 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]

Killing PID 1312 'rundll32.exe'
Killing PID 1684 'rundll32.exe'
Killing PID 196 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\beowser.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\beowser.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cBbinet.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cBbinet.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cqutil.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cqutil.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cwypt32.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cwypt32.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmsrslvr.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmsrslvr.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\doquery.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\doquery.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dv16gt.dLL
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dv16gt.dLL
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dXvclnt.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dXvclnt.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fedrclnr.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fedrclnr.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ibcoin2.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ibcoin2.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\idetcfg.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\idetcfg.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdsl1.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdsl1.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxcp32.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxcp32.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kydhe220.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kydhe220.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lHprxy.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lHprxy.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lutif11n.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lutif11n.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcident.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcident.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjprivs.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjprivs.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvdtclog.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvdtclog.dll
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
 1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
 1 file(s) copied.

deleting: C:\WINDOWS\system32\beowser.dll
Successfully Deleted: C:\WINDOWS\system32\beowser.dll
deleting: C:\WINDOWS\system32\beowser.dll
Successfully Deleted: C:\WINDOWS\system32\beowser.dll
deleting: C:\WINDOWS\system32\cBbinet.dll
Successfully Deleted: C:\WINDOWS\system32\cBbinet.dll
deleting: C:\WINDOWS\system32\cBbinet.dll
Successfully Deleted: C:\WINDOWS\system32\cBbinet.dll
deleting: C:\WINDOWS\system32\cqutil.dll
Successfully Deleted: C:\WINDOWS\system32\cqutil.dll
deleting: C:\WINDOWS\system32\cqutil.dll
Successfully Deleted: C:\WINDOWS\system32\cqutil.dll
deleting: C:\WINDOWS\system32\cwypt32.dll
Successfully Deleted: C:\WINDOWS\system32\cwypt32.dll
deleting: C:\WINDOWS\system32\cwypt32.dll
Successfully Deleted: C:\WINDOWS\system32\cwypt32.dll
deleting: C:\WINDOWS\system32\dmsrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dmsrslvr.dll
deleting: C:\WINDOWS\system32\dmsrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dmsrslvr.dll
deleting: C:\WINDOWS\system32\doquery.dll
Successfully Deleted: C:\WINDOWS\system32\doquery.dll
deleting: C:\WINDOWS\system32\doquery.dll
Successfully Deleted: C:\WINDOWS\system32\doquery.dll
deleting: C:\WINDOWS\system32\dv16gt.dLL
Successfully Deleted: C:\WINDOWS\system32\dv16gt.dLL
deleting: C:\WINDOWS\system32\dv16gt.dLL
Successfully Deleted: C:\WINDOWS\system32\dv16gt.dLL
deleting: C:\WINDOWS\system32\dXvclnt.dll
Successfully Deleted: C:\WINDOWS\system32\dXvclnt.dll
deleting: C:\WINDOWS\system32\dXvclnt.dll
Successfully Deleted: C:\WINDOWS\system32\dXvclnt.dll
deleting: C:\WINDOWS\system32\fedrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\fedrclnr.dll
deleting: C:\WINDOWS\system32\fedrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\fedrclnr.dll
deleting: C:\WINDOWS\system32\ibcoin2.dll
Successfully Deleted: C:\WINDOWS\system32\ibcoin2.dll
deleting: C:\WINDOWS\system32\ibcoin2.dll
Successfully Deleted: C:\WINDOWS\system32\ibcoin2.dll
deleting: C:\WINDOWS\system32\idetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\idetcfg.dll
deleting: C:\WINDOWS\system32\idetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\idetcfg.dll
deleting: C:\WINDOWS\system32\ksdsl1.dll
Successfully Deleted: C:\WINDOWS\system32\ksdsl1.dll
deleting: C:\WINDOWS\system32\ksdsl1.dll
Successfully Deleted: C:\WINDOWS\system32\ksdsl1.dll
deleting: C:\WINDOWS\system32\kxcp32.dll
Successfully Deleted: C:\WINDOWS\system32\kxcp32.dll
deleting: C:\WINDOWS\system32\kxcp32.dll
Successfully Deleted: C:\WINDOWS\system32\kxcp32.dll
deleting: C:\WINDOWS\system32\kydhe220.dll
Successfully Deleted: C:\WINDOWS\system32\kydhe220.dll
deleting: C:\WINDOWS\system32\kydhe220.dll
Successfully Deleted: C:\WINDOWS\system32\kydhe220.dll
deleting: C:\WINDOWS\system32\lHprxy.dll
Successfully Deleted: C:\WINDOWS\system32\lHprxy.dll
deleting: C:\WINDOWS\system32\lHprxy.dll
Successfully Deleted: C:\WINDOWS\system32\lHprxy.dll
deleting: C:\WINDOWS\system32\lutif11n.dll
Successfully Deleted: C:\WINDOWS\system32\lutif11n.dll
deleting: C:\WINDOWS\system32\lutif11n.dll
Successfully Deleted: C:\WINDOWS\system32\lutif11n.dll
deleting: C:\WINDOWS\system32\mcident.dll
Successfully Deleted: C:\WINDOWS\system32\mcident.dll
deleting: C:\WINDOWS\system32\mcident.dll
Successfully Deleted: C:\WINDOWS\system32\mcident.dll
deleting: C:\WINDOWS\system32\mjprivs.dll
Successfully Deleted: C:\WINDOWS\system32\mjprivs.dll
deleting: C:\WINDOWS\system32\mjprivs.dll
Successfully Deleted: C:\WINDOWS\system32\mjprivs.dll
deleting: C:\WINDOWS\system32\mvdtclog.dll
Successfully Deleted: C:\WINDOWS\system32\mvdtclog.dll
deleting: C:\WINDOWS\system32\mvdtclog.dll
Successfully Deleted: C:\WINDOWS\system32\mvdtclog.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
 adding: beowser.dll (164 bytes security) (deflated 48%)
 adding: cBbinet.dll (164 bytes security) (deflated 48%)
 adding: cqutil.dll (164 bytes security) (deflated 48%)
 adding: cwypt32.dll (164 bytes security) (deflated 48%)
 adding: dmsrslvr.dll (164 bytes security) (deflated 48%)
 adding: doquery.dll (164 bytes security) (deflated 48%)
 adding: dv16gt.dLL (164 bytes security) (deflated 48%)
 adding: dXvclnt.dll (164 bytes security) (deflated 48%)
 adding: fedrclnr.dll (164 bytes security) (deflated 48%)
 adding: ibcoin2.dll (164 bytes security) (deflated 48%)
 adding: idetcfg.dll (164 bytes security) (deflated 48%)
 adding: ksdsl1.dll (164 bytes security) (deflated 48%)
 adding: kxcp32.dll (164 bytes security) (deflated 48%)
 adding: kydhe220.dll (164 bytes security) (deflated 48%)
 adding: lHprxy.dll (164 bytes security) (deflated 48%)
 adding: lutif11n.dll (164 bytes security) (deflated 48%)
 adding: mcident.dll (164 bytes security) (deflated 48%)
 adding: mjprivs.dll (164 bytes security) (deflated 48%)
 adding: mvdtclog.dll (164 bytes security) (deflated 48%)
 adding: guard.tmp (164 bytes security) (deflated 48%)
 adding: clear.reg (164 bytes security) (deflated 58%)
 adding: echo.reg (164 bytes security) (deflated 8%)
 adding: direct.txt (164 bytes security) (stored 0%)
 adding: lo2.txt (164 bytes security) (deflated 88%)
 adding: readme.txt (164 bytes security) (deflated 49%)
 adding: report.txt (164 bytes security) (deflated 66%)
 adding: test.txt (164 bytes security) (deflated 88%)
 adding: test2.txt (164 bytes security) (deflated 40%)
 adding: test3.txt (164 bytes security) (deflated 40%)
 adding: test5.txt (164 bytes security) (deflated 40%)
 adding: xfind.txt (164 bytes security) (deflated 85%)
 adding: backregs/1109B115-12A5-4DB3-9934-B00A89CBAD99.reg (164 bytes security) (deflated 70%)
 adding: backregs/1BD1FA66-A177-4DE0-8225-F838460CF2A4.reg (164 bytes security) (deflated 70%)
 adding: backregs/81E4550B-A272-4A9F-A4EC-BE8F79D2481C.reg (164 bytes security) (deflated 70%)
 adding: backregs/9650F943-878D-434C-BE40-0C26BBED2679.reg (164 bytes security) (deflated 70%)
 adding: backregs/A6625691-0AF7-49AB-89BF-0211D60B9275.reg (164 bytes security) (deflated 70%)
 adding: backregs/D251F2C0-ADC5-4A2C-9158-991DB6AF9003.reg (164 bytes security) (deflated 70%)
 adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: beowser.dll
deleting local copy: beowser.dll
deleting local copy: cBbinet.dll
deleting local copy: cBbinet.dll
deleting local copy: cqutil.dll
deleting local copy: cqutil.dll
deleting local copy: cwypt32.dll
deleting local copy: cwypt32.dll
deleting local copy: dmsrslvr.dll
deleting local copy: dmsrslvr.dll
deleting local copy: doquery.dll
deleting local copy: doquery.dll
deleting local copy: dv16gt.dLL
deleting local copy: dv16gt.dLL
deleting local copy: dXvclnt.dll
deleting local copy: dXvclnt.dll
deleting local copy: fedrclnr.dll
deleting local copy: fedrclnr.dll
deleting local copy: ibcoin2.dll
deleting local copy: ibcoin2.dll
deleting local copy: idetcfg.dll
deleting local copy: idetcfg.dll
deleting local copy: ksdsl1.dll
deleting local copy: ksdsl1.dll
deleting local copy: kxcp32.dll
deleting local copy: kxcp32.dll
deleting local copy: kydhe220.dll
deleting local copy: kydhe220.dll
deleting local copy: lHprxy.dll
deleting local copy: lHprxy.dll
deleting local copy: lutif11n.dll
deleting local copy: lutif11n.dll
deleting local copy: mcident.dll
deleting local copy: mcident.dll
deleting local copy: mjprivs.dll
deleting local copy: mjprivs.dll
deleting local copy: mvdtclog.dll
deleting local copy: mvdtclog.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\beowser.dll
C:\WINDOWS\system32\beowser.dll
C:\WINDOWS\system32\cBbinet.dll
C:\WINDOWS\system32\cBbinet.dll
C:\WINDOWS\system32\cqutil.dll
C:\WINDOWS\system32\cqutil.dll
C:\WINDOWS\system32\cwypt32.dll
C:\WINDOWS\system32\cwypt32.dll
C:\WINDOWS\system32\dmsrslvr.dll
C:\WINDOWS\system32\dmsrslvr.dll
C:\WINDOWS\system32\doquery.dll
C:\WINDOWS\system32\doquery.dll
C:\WINDOWS\system32\dv16gt.dLL
C:\WINDOWS\system32\dv16gt.dLL
C:\WINDOWS\system32\dXvclnt.dll
C:\WINDOWS\system32\dXvclnt.dll
C:\WINDOWS\system32\fedrclnr.dll
C:\WINDOWS\system32\fedrclnr.dll
C:\WINDOWS\system32\ibcoin2.dll
C:\WINDOWS\system32\ibcoin2.dll
C:\WINDOWS\system32\idetcfg.dll
C:\WINDOWS\system32\idetcfg.dll
C:\WINDOWS\system32\ksdsl1.dll
C:\WINDOWS\system32\ksdsl1.dll
C:\WINDOWS\system32\kxcp32.dll
C:\WINDOWS\system32\kxcp32.dll
C:\WINDOWS\system32\kydhe220.dll
C:\WINDOWS\system32\kydhe220.dll
C:\WINDOWS\system32\lHprxy.dll
C:\WINDOWS\system32\lHprxy.dll
C:\WINDOWS\system32\lutif11n.dll
C:\WINDOWS\system32\lutif11n.dll
C:\WINDOWS\system32\mcident.dll
C:\WINDOWS\system32\mcident.dll
C:\WINDOWS\system32\mjprivs.dll
C:\WINDOWS\system32\mjprivs.dll
C:\WINDOWS\system32\mvdtclog.dll
C:\WINDOWS\system32\mvdtclog.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}"=-
"{9650F943-878D-434C-BE40-0C26BBED2679}"=-
"{A6625691-0AF7-49AB-89BF-0211D60B9275}"=-
"{1109B115-12A5-4DB3-9934-B00A89CBAD99}"=-
"{1BD1FA66-A177-4DE0-8225-F838460CF2A4}"=-
"{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}"=-

[-HKEY_CLASSES_ROOT\CLSID\{D251F2C0-ADC5-4A2C-9158-991DB6AF9003}]
[-HKEY_CLASSES_ROOT\CLSID\{9650F943-878D-434C-BE40-0C26BBED2679}]
[-HKEY_CLASSES_ROOT\CLSID\{A6625691-0AF7-49AB-89BF-0211D60B9275}]
[-HKEY_CLASSES_ROOT\CLSID\{1109B115-12A5-4DB3-9934-B00A89CBAD99}]
[-HKEY_CLASSES_ROOT\CLSID\{1BD1FA66-A177-4DE0-8225-F838460CF2A4}]
[-HKEY_CLASSES_ROOT\CLSID\{81E4550B-A272-4A9F-A4EC-BE8F79D2481C}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************

Desktop.ini Contents:
****************************************************************************
****************************************************************************

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:26:26 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
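Two things in the logs above are worth automating when triaging a machine like this: the `dir` listing in the earlier post shows a burst of randomly named DLLs in system32 that all have exactly the same size (417,792 bytes) and were written within a few days of each other, and the L2Mfix export of `HKLM\...\Winlogon\Notify` shows which DLLs winlogon.exe will load at the next logon, which is the persistence point that survives a Safe Mode cleanup of Explorer-level entries. The script below is an added example, not part of the original thread and not code from L2Mfix or HijackThis. It parses constructed sample lines modelled on the listing and on HijackThis 1.99.1 `O20` output (the `drloader.dll` entry is taken from the later log in this thread), groups files by exact byte size and timestamp window, and flags any Winlogon Notify DLL whose basename is not on a known-good allowlist. The allowlist, the 3-file minimum and the 14-day window are assumptions for illustration; build the allowlist from a clean baseline of the same Windows and third-party software.

```python
"""Triage helpers for the pattern in this thread: a burst of same-size, randomly
named DLLs dropped into system32, plus a Winlogon Notify entry that loads one of
them. Added example, not part of the original thread or of L2Mfix/HijackThis."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the `dir` listing posted earlier in the
# thread (a subset of those lines, reproduced here only as test input).
DIR_LISTING = r"""
 Directory of C:\WINDOWS\System32

07/14/2005 10:53 PM 417,792 ksdsl1.dll
07/14/2005 06:27 PM 417,792 ibcoin2.dll
07/14/2005 02:44 PM 417,792 kxcp32.dll
07/06/2005 09:44 PM 417,792 guard.tmp
06/22/2005 07:37 PM <DIR> dllcache
06/17/2005 06:31 PM 5 AuxDrv32b_g.oxc
11/01/2002 12:25 PM <DIR> Microsoft
 16 File(s) 6,266,885 bytes
"""

# Constructed sample O20 lines in HijackThis 1.99.1 format.
SAMPLE_HJT_LINES = [
    r"O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll",
    r"O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\drloader.dll",
    r"O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll",
]

DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+|<DIR>)\s+(.+?)\s*$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")

# Allowlist is an assumption for illustration: the two Stardock entries the
# poster's logs show as legitimate. Build yours from a known-clean baseline.
KNOWN_NOTIFY_DLLS = {"mcpstub.dll", "fastload.dll"}


def parse_dir_listing(text):
    """Return (name, size_bytes, mtime) for each file line; skip <DIR> rows."""
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        date, clock, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        entries.append((name, int(size.replace(",", "")), mtime))
    return entries


def same_size_clusters(entries, min_count=3, window_days=14):
    """Map size -> sorted names for sizes shared by >= min_count files whose
    timestamps fall within window_days of each other. Legitimate system DLLs
    rarely share an exact byte size; a dropper re-copying one payload under
    fresh random names does."""
    by_size = defaultdict(list)
    for name, size, mtime in entries:
        by_size[size].append((name, mtime))
    clusters = {}
    for size, members in by_size.items():
        if len(members) < min_count:
            continue
        times = [t for _, t in members]
        if (max(times) - min(times)).days <= window_days:
            clusters[size] = sorted(n for n, _ in members)
    return clusters


def suspicious_notify_entries(hjt_lines, known=KNOWN_NOTIFY_DLLS):
    """Return (entry name, dll path) for O20 lines whose DLL basename is not
    allowlisted. Notify DLLs load into winlogon.exe as SYSTEM before the user
    shell starts, which is why the infection survives Explorer-level cleanup."""
    hits = []
    for line in hjt_lines:
        m = HJT_O20.match(line.strip())
        if not m:
            continue
        dll = m.group("dll").strip()
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in known:
            hits.append((m.group("name"), dll))
    return hits


if __name__ == "__main__":
    for size, names in same_size_clusters(parse_dir_listing(DIR_LISTING)).items():
        print(f"{len(names)} files of exactly {size} bytes: {', '.join(names)}")
    for name, dll in suspicious_notify_entries(SAMPLE_HJT_LINES):
        print(f"unknown Winlogon Notify entry {name!r} -> {dll}")
```

Run against a real `dir /o-d` of system32 and a fresh HijackThis log, the size cluster tells you which files to pull for submission and the O20 check tells you which one is the loader; the file named in the Notify entry is the one to take out first, because it is re-dropping the others under new names after every cleanup.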
njustice Posted July 15, 2005

CsrLiz344,

-You may wish to print out a copy of these instructions to follow while you complete this procedure.

===============

Go to Add/Remove programs and remove (uninstall) the following, if present:

Viewpoint Toolbar

===============

Go to www.trendmicro.com, if you're using Firefox or Netscape go to be.trendmicro-europe.com and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix. If you encounter problems during this step, please move on to the next step.

==============

Run HiJackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

folders...
C:\Program Files\Viewpoint

-Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-~Njustice~
CsrLiz344 (Author) Posted July 15, 2005

Ok, did all that. My original problem, which is on the support forum, is still there! UGH! It's the XXX Dialer on hubby's screen. I ran HJT on that one, and didn't see anything different than mine. The red app for Yahoo is still on his, but that's about it. ::sigh:: Decided to d/l a 30 day trial of PC-cillin while I was waiting for the trend scan, but it kept making my computer reboot by itself. Needless to say, it's gone. Anyway, here's the latest log. And, BTW, I appreciate everybody's help, you guys rock!

Logfile of HijackThis v1.99.1
Scan saved at 9:45:17 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\aim\aim.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\drloader.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exeO23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXEO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE Link to post Share on other sites
njustice Posted July 15, 2005

Liz....did you run l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter on hubby's account? If not, please do so and tell me which account is setup as Administrator/Owner.

Also....do the following under Admin/Owner account:

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE!!

Start in Safe Mode Using the F8 method:
Restart the computer in Safe Mode.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.
CsrLiz344 (Author) Posted July 15, 2005

Did the rkfiles thing, copied the log, hit paste, and when I got back here, there's nothing there. There wasn't a whole lot on it, I can do it again and write it down if you need it. We are all admins, and I rebooted into his screen and that dialer didn't come up (woohoo)!!!!!

As far as how the comp is running, it's fine. Seems faster now than it was (DSL), maybe cause all that crap is gone. The one thing I noticed, and I think I mentioned it earlier, is my system restore is whacked. I don't plan on restoring it, but the only date available is yesterday's. Nothing else is bold, and I can't switch months.
njustice Posted July 16, 2005

Hi Liz, if possible then yes I would like to see the log...thanks Njustice!
CsrLiz344 (Author) Posted July 16, 2005

Okie dokie, here ya go:

C:\Documents and Settings\Liz\Desktop\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q

Files Found in all users startup Folder............
------------------------

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\imgurla.exe: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!
t4
Finished
bye
njustice Posted July 16, 2005

Download Killbox here: http://www.downloads.subratam.org/KillBox.zip
Unzip to desktop.

Double-click on KillBox to launch it, then click to enable Delete on Reboot. Please type in the following complete file path into the top box of KillBox:

C:\WINDOWS\imgurla.exe

Now, click on the little red circle button (with a white "X") and click "Yes" to delete and then "Yes" to "Reboot now". If it doesn't reboot on its own, then you reboot the computer yourself.

Once restarted, Run HiJackThis and click "Scan", then post new logs from all accounts on your computer.
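Reviewing HijackThis logs from several accounts, as njustice asks for here, comes down to two questions: what changed between runs, and which sections deserve a close look regardless (Winlogon Notify DLLs, Trusted Zone additions, win.ini load entries). The Python below is an added example for this thread, not HijackThis's own code and not posted by anyone in it: it parses the entry lines of a HijackThis log, diffs two logs, and lists entries from the sections a reviewer checks first. The two sample logs are constructed excerpts modelled on the logs posted in this thread, and the `WATCH_SECTIONS` table is this example's own choice of sections.

```python
"""Parse HijackThis-style logs and diff two of them (added example)."""
import re
from collections import defaultdict

# HijackThis entry lines start with a section tag (R0, R1, F3, O2, O15 ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# Sections a reviewer looks at first (this example's own selection): an entry
# here changes what loads at logon or which sites IE treats as trusted.
WATCH_SECTIONS = {
    "F3": "win.ini load=/run= entries",
    "O15": "Trusted Zone additions",
    "O20": "Winlogon Notify DLLs (loaded at logon)",
}

# Constructed excerpts modelled on the 15 July and 16 July logs in the thread.
LOG_15_JULY = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\drloader.dll
"""

LOG_16_JULY = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O15 - Trusted Zone: *.media-motor.net
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
"""


def parse_log(text):
    """Return ({section: set(bodies)}, [running processes])."""
    entries = defaultdict(set)
    processes = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first R/F/O line ends the process list
            entries[m.group("section")].add(m.group("body"))
        elif in_processes:
            processes.append(line)
    return dict(entries), processes


def _section_order(section):
    return (section[0], int(section[1:]))


def diff_logs(before_text, after_text):
    """Return (removed, added): entries present in only one of the two logs."""
    before, _ = parse_log(before_text)
    after, _ = parse_log(after_text)
    sections = sorted(set(before) | set(after), key=_section_order)
    removed = {s: sorted(before.get(s, set()) - after.get(s, set())) for s in sections}
    added = {s: sorted(after.get(s, set()) - before.get(s, set())) for s in sections}
    return ({s: v for s, v in removed.items() if v},
            {s: v for s, v in added.items() if v})


def watch_items(text):
    """(section, body, reason) for every entry in a watched section."""
    entries, _ = parse_log(text)
    return [(s, body, WATCH_SECTIONS[s])
            for s in WATCH_SECTIONS for body in sorted(entries.get(s, ()))]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_15_JULY, LOG_16_JULY)
    for label, table in (("gone since 15 July", removed), ("new on 16 July", added)):
        for section, bodies in table.items():
            for body in bodies:
                print(f"{label:>18}: {section} - {body}")
    for section, body, reason in watch_items(LOG_16_JULY):
        print(f"        check ({reason}): {section} - {body}")
```

Run against real logs, feed each account's log text to `watch_items` and pairs of runs to `diff_logs`; an entry that disappears after a fix (the `drloader.dll` Winlogon Notify line in the sample) and entries that appear only on some accounts (the `O15` Trusted Zone line) are exactly what a reviewer wants surfaced before reading the rest.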
CsrLiz344 (Author) Posted July 16, 2005

ok, here ya go:

mine

Logfile of HijackThis v1.99.1
Scan saved at 7:42:57 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\aim\aim.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Rick

Logfile of HijackThis v1.99.1
Scan saved at 7:49:37 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Jade

Logfile of HijackThis v1.99.1
Scan saved at 7:47:09 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Liz\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation/welco...version=puccini
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Skye

Logfile of HijackThis v1.99.1
Scan saved at 7:51:37 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\aim\aim.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\Skye\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112485673484
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exeO23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXEO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE Also, I wanted to ask you, actually hubby did, we always have 2 'new hardware found' boxes come up when we all log on. One is CLID, or similiar, and the other is MSTREAM. How do you get rid of those? Not that they hurt anything, just a pain. Link to post Share on other sites
njustice Posted July 16, 2005

Hi Liz, when you're done removing the following items, can you post the exact messages you're getting for the 2 'new hardware found' boxes?

Liz:
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Rick:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Jade:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

Skye:
You have HijackThis running from the temporary directory; it needs to be in a folder of its own, like the other accounts. I also recommend you remove WeatherBug via Add/Remove Programs, since it usually comes bundled with crapware. Desktop Weather is a better alternative, like Rick is using in his account.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab

After removing items, please reboot your computer, run HijackThis and check if the items have been removed. If any items are not removed, let me know which ones and for what account(s).
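The entries singled out in the post above (R1 search-page settings, O15 Trusted Zone additions, an O16 ActiveX download) are the HijackThis sections a first-pass triage keys on: a Trusted Zone entry relaxes IE's security settings for a whole domain, an O16 line records an ActiveX control IE was allowed to download, and an R0/R1 URL off the expected hosts is the classic search hijack. As an added example, not code from this thread or from HijackThis, the Python below runs a few such rules over a constructed log in the same 1.99.1 format. The allow-lists of expected browser hosts and trusted .cab sources, and the hijack/adware hosts and CLSIDs in the sample, are placeholders assumed for the demonstration.

```python
"""Rule-based first pass over a HijackThis 1.99.x log.

Added example, not part of the thread and not HijackThis code. The allow-lists
and the sample log are assumptions constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts a homepage/search setting (R0/R1) may legitimately point at on this
# machine: an assumption for the example, not a general rule.
EXPECTED_BROWSER_HOSTS = {"yahoo.com", "sbc.com", "emachines.com"}
# Hosts from which an ActiveX .cab (O16) is accepted without review: assumption.
TRUSTED_CAB_HOSTS = {"download.games.yahoo.com", "housecall60.trendmicro.com",
                     "windowsupdate.microsoft.com", "support.microsoft.com"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")

# Constructed sample in HijackThis 1.99.1 format. The hijack/adware hosts and
# the two zero-filled CLSIDs are placeholders, not identifiers from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
F3 - REG:win.ini: load=C:\example.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://cab.example-adware.test/loader.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def _under(host: str, allowed: set) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)


def _tail(rest: str) -> str:
    """Last ' - '-separated field: the path or URL in O2/O16/O20 lines."""
    return rest.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list:
    """Return one Finding per line that a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")

        if sec in ("R0", "R1") and "=" in rest:
            url = rest.split("=", 1)[1].strip()
            if url.startswith("http") and not _under(_host(url), EXPECTED_BROWSER_HOSTS):
                findings.append(Finding(sec, "start/search page points off the expected hosts", line))
        elif sec == "F3" and "load=" in rest:
            # win.ini [windows] load= is a Win3.x-era autostart; nothing modern uses it.
            findings.append(Finding(sec, "win.ini load= autostart", line))
        elif sec == "O2" and re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.dll", _tail(rest), re.I):
            # A BHO dropped straight into %WinDir% rather than an install folder.
            findings.append(Finding(sec, "BHO DLL sitting in the Windows root", line))
        elif sec == "O4" and re.search(r"\\(Temp|Local Settings|Temporary Internet Files)\\", rest, re.I):
            findings.append(Finding(sec, "Run entry launches from a temp folder", line))
        elif sec == "O15":
            # Trusted Zone relaxes IE's security settings for the whole domain.
            findings.append(Finding(sec, "Trusted Zone entry added", line))
        elif sec == "O16":
            url = _tail(rest)
            if url.lower().startswith("http") and not _under(_host(url), TRUSTED_CAB_HOSTS):
                findings.append(Finding(sec, "ActiveX .cab from a host not on the allow-list", line))
        elif sec == "O20" and not re.match(r"[A-Za-z]:\\WINDOWS\\system32\\", _tail(rest), re.I):
            # Winlogon Notify DLLs load into winlogon.exe as SYSTEM: verify the publisher.
            findings.append(Finding(sec, "Winlogon Notify DLL outside system32, verify publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Everything it prints is a review item, not a removal verdict: the Stardock Winlogon Notify DLL it flags is legitimate software on this machine, which is why the O20 rule says "verify" rather than "fix".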
njustice Posted July 16, 2005

Liz, I need you to do the following as well:

Download WinPFind.zip from HERE and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Disconnect from the net and stay offline until all steps are complete.

Perform these steps for each account.

Close any programs you have open, since this step requires a reboot. From the l2mfix folder on your desktop, double-click l2mfix.bat and select option 4 to Merge Winlogon Notify Defaults, press Enter, and wait a few moments.

Then double-click WinPFind.exe inside c:\WinPFind to launch the program. Then click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of your clipboard in your next reply.
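WinPFind, as used in this step, tags files by byte strings it finds inside them: packer markers such as UPX!, PEC2, aspack and FSG!, and adware family strings such as qoologic and SAHAgent. Legitimate files match those packer strings too, which is why its report opens with a warning that not everything listed is bad. As an added example, not the thread's or WinPFind's own code, this Python scanner does the same kind of sweep over a constructed folder of fake PE stubs. The pattern set is an assumption made up of the tags visible in WinPFind's output; its real signature list is not given on the page.

```python
"""Byte-signature sweep of the kind WinPFind performs.

Added example, not part of the thread and not WinPFind's code. WinPFind's real
pattern set is not published on this page; the strings below are simply the
tags that appear in its output (UPX!, PEC2, aspack, FSG!, qoologic, ...).
"""
import tempfile
from pathlib import Path

SIGNATURES = {
    # Packer markers. Common in legitimate software too (the thread's logs tag
    # ntdll.dll, MRT.exe and AVG's driver), so a hit is a review cue, not a verdict.
    "UPX!": b"UPX!",
    "PEC2": b"PEC2",
    "PECompact2": b"PECompact2",
    "aspack": b"aspack",
    "FSG!": b"FSG!",
    # Adware family strings.
    "qoologic": b"qoologic",
    "SAHAgent": b"SAHAgent",
}
SCAN_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".com", ".txt"}


def scan_file(path, signatures=SIGNATURES, chunk_size=1 << 20):
    """Return the sorted signature names whose bytes occur anywhere in the file.

    Reads in chunks and carries a tail of (longest pattern - 1) bytes forward,
    so a pattern that straddles a chunk boundary is still seen.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            window = tail + block
            for name, pattern in signatures.items():
                if name not in found and pattern in window:
                    found.add(name)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root):
    """Map relative path -> signature hits for every scannable file under root."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_EXTENSIONS:
            hits = scan_file(p)
            if hits:
                results[str(p.relative_to(root))] = hits
    return results


def build_sample_tree():
    """Constructed fixture standing in for %WinDir%: fake PE stubs, no real binaries."""
    root = Path(tempfile.mkdtemp(prefix="winpfind_demo_"))
    (root / "packed.exe").write_bytes(b"MZ" + b"\x00" * 60 + b"UPX!" + b"\x90" * 64)
    (root / "sample_adware.dll").write_bytes(b"MZ" + b"\x00" * 30 + b"qoologicSAHAgent" + b"\x00" * 16)
    (root / "clean.sys").write_bytes(b"MZ" + b"\x00" * 128)
    (root / "readme.txt").write_text("plain text, nothing packed here")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in scan_tree(sample_root).items():
        for tag in hits:
            print(f"{tag:<12}{sample_root / rel}")
```

The chunked read with an overlapping tail is the part worth copying: on large binaries a signature that straddles a read boundary is otherwise silently missed.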
CsrLiz344 (Author) Posted July 17, 2005

Ok, Skye's account has been deleted, so we now have 3 to work with. All her files were deleted also.

mine

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX!                 C:\log.txt
PEC2                 C:\log.txt
PEC2                 C:\win.txt
UPX!                 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2           C:\WINDOWS\lpt$vpn.731
qoologic             C:\WINDOWS\lpt$vpn.731
SAHAgent             C:\WINDOWS\lpt$vpn.731
abetterinternet.com  C:\WINDOWS\ojojo.dll
web-nex              C:\WINDOWS\ojojo.dll
UPX!                 C:\WINDOWS\RMAgentOutput.dll
UPX!                 C:\WINDOWS\tsc.exe
PECompact2           C:\WINDOWS\VPTNFILE.731
qoologic             C:\WINDOWS\VPTNFILE.731
SAHAgent             C:\WINDOWS\VPTNFILE.731
UPX!                 C:\WINDOWS\vsapi32.dll
aspack               C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2                 C:\WINDOWS\system32\dfrg.msc
UPX!                 C:\WINDOWS\system32\locate.com
PECompact2           C:\WINDOWS\system32\MRT.exe
aspack               C:\WINDOWS\system32\MRT.exe
aspack               C:\WINDOWS\system32\ntdll.dll
PEC2                 C:\WINDOWS\system32\oembios.bin
Umonitor             C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...
UPX!                 C:\WINDOWS\system32\drivers\avg7core.sys
FSG!                 C:\WINDOWS\system32\drivers\avg7core.sys
aspack               C:\WINDOWS\system32\drivers\avg7core.sys
PTech                C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/18/2005   C:\WINDOWS\pcconfig.dat
7/13/2005   C:\WINDOWS\uccspecb.sys
7/13/2005   C:\WINDOWS\WindowsShellOld.Manifest
6/22/2005   C:\WINDOWS\inf\oem26.inf
5/28/2005   C:\WINDOWS\Minidump\Mini052805-01.dmp
6/1/2005    C:\WINDOWS\Minidump\Mini060105-01.dmp
6/17/2005   C:\WINDOWS\system32\AuxDrv32b_g.oxc
7/17/2005   C:\WINDOWS\system32\vsconfig.xml
5/28/2005   C:\WINDOWS\system32\zllictbl.dat
7/17/2005   C:\WINDOWS\system32\config\default.LOG
7/17/2005   C:\WINDOWS\system32\config\SAM.LOG
7/17/2005   C:\WINDOWS\system32\config\SECURITY.LOG
7/17/2005   C:\WINDOWS\system32\config\software.LOG
7/17/2005   C:\WINDOWS\system32\config\system.LOG
7/13/2005   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/2/2005    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b
7/2/2005    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/17/2005   C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\nfnfnsxg {c5583504-9ba4-4eda-bb2d-5f62737ad84d} = 
*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Yahoo! Mail {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = 

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IntelliPoint        "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    AVG7_CC             C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    AVG7_EMC            C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    Zone Labs Client    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    YBrowser            C:\Program Files\Yahoo!\browser\ybrwicon.exe
    SunJavaUpdateSched  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    RegistryMechanic    

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DW4                 "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient = C:\Program Files\Common Files\Stardock\mcpstub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB = C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    UserInit            C:\WINDOWS\system32\userinit.exe,
    Shell               Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs        wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Rick

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX!                 C:\log.txt
PEC2                 C:\log.txt
PEC2                 C:\win.txt
UPX!                 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2           C:\WINDOWS\lpt$vpn.731
qoologic             C:\WINDOWS\lpt$vpn.731
SAHAgent             C:\WINDOWS\lpt$vpn.731
abetterinternet.com  C:\WINDOWS\ojojo.dll
web-nex              C:\WINDOWS\ojojo.dll
UPX!                 C:\WINDOWS\RMAgentOutput.dll
UPX!                 C:\WINDOWS\tsc.exe
PECompact2           C:\WINDOWS\VPTNFILE.731
qoologic             C:\WINDOWS\VPTNFILE.731
SAHAgent             C:\WINDOWS\VPTNFILE.731
UPX!                 C:\WINDOWS\vsapi32.dll
aspack               C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2                 C:\WINDOWS\system32\dfrg.msc
UPX!                 C:\WINDOWS\system32\locate.com
PECompact2           C:\WINDOWS\system32\MRT.exe
aspack               C:\WINDOWS\system32\MRT.exe
aspack               C:\WINDOWS\system32\ntdll.dll
PEC2                 C:\WINDOWS\system32\oembios.bin
Umonitor             C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...
UPX!                 C:\WINDOWS\system32\drivers\avg7core.sys
FSG!                 C:\WINDOWS\system32\drivers\avg7core.sys
aspack               C:\WINDOWS\system32\drivers\avg7core.sys
PTech                C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/18/2005   C:\WINDOWS\pcconfig.dat
7/13/2005   C:\WINDOWS\uccspecb.sys
7/13/2005   C:\WINDOWS\WindowsShellOld.Manifest
6/22/2005   C:\WINDOWS\inf\oem26.inf
5/28/2005   C:\WINDOWS\Minidump\Mini052805-01.dmp
6/1/2005    C:\WINDOWS\Minidump\Mini060105-01.dmp
6/17/2005   C:\WINDOWS\system32\AuxDrv32b_g.oxc
7/17/2005   C:\WINDOWS\system32\vsconfig.xml
5/28/2005   C:\WINDOWS\system32\zllictbl.dat
7/17/2005   C:\WINDOWS\system32\config\default.LOG
7/17/2005   C:\WINDOWS\system32\config\SAM.LOG
7/17/2005   C:\WINDOWS\system32\config\SECURITY.LOG
7/17/2005   C:\WINDOWS\system32\config\software.LOG
7/17/2005   C:\WINDOWS\system32\config\system.LOG
7/13/2005   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/2/2005    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b
7/2/2005    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/17/2005   C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\nfnfnsxg {c5583504-9ba4-4eda-bb2d-5f62737ad84d} = 
*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Yahoo! Mail {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = 

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IntelliPoint        "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    AVG7_CC             C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    AVG7_EMC            C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    Zone Labs Client    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    YBrowser            C:\Program Files\Yahoo!\browser\ybrwicon.exe
    SunJavaUpdateSched  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    RegistryMechanic    

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DW4                 "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient = C:\Program Files\Common Files\Stardock\mcpstub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB = C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    UserInit            C:\WINDOWS\system32\userinit.exe,
    Shell               Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs        wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Jade

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running.
As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! C:\log.txt
PEC2 C:\log.txt
PEC2 C:\win.txt
UPX! C:\windows.txt
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
PECompact2 C:\WINDOWS\lpt$vpn.731
qoologic C:\WINDOWS\lpt$vpn.731
SAHAgent C:\WINDOWS\lpt$vpn.731
abetterinternet.com C:\WINDOWS\ojojo.dll
web-nex C:\WINDOWS\ojojo.dll
UPX! C:\WINDOWS\RMAgentOutput.dll
UPX! C:\WINDOWS\tsc.exe
PECompact2 C:\WINDOWS\VPTNFILE.731
qoologic C:\WINDOWS\VPTNFILE.731
SAHAgent C:\WINDOWS\VPTNFILE.731
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll
Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
UPX! C:\WINDOWS\system32\locate.com
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\ntdll.dll
PEC2 C:\WINDOWS\system32\oembios.bin
Umonitor C:\WINDOWS\system32\rasdlg.dll
Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys
Checking the Windows folder for system and hidden files within the last 60 days...
6/18/2005 C:\WINDOWS\pcconfig.dat
7/13/2005 C:\WINDOWS\uccspecb.sys
7/13/2005 C:\WINDOWS\WindowsShellOld.Manifest
6/22/2005 C:\WINDOWS\inf\oem26.inf
5/28/2005 C:\WINDOWS\Minidump\Mini052805-01.dmp
6/1/2005 C:\WINDOWS\Minidump\Mini060105-01.dmp
6/17/2005 C:\WINDOWS\system32\AuxDrv32b_g.oxc
7/16/2005 C:\WINDOWS\system32\vsconfig.xml
5/28/2005 C:\WINDOWS\system32\zllictbl.dat
7/16/2005 C:\WINDOWS\system32\config\default.LOG
7/16/2005 C:\WINDOWS\system32\config\SAM.LOG
7/16/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/16/2005 C:\WINDOWS\system32\config\software.LOG
7/16/2005 C:\WINDOWS\system32\config\system.LOG
7/13/2005 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e7a6763-87c2-428c-a82b-f5fa0d94af0b
7/2/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/16/2005 C:\WINDOWS\Tasks\SA.DAT
7/6/2005 C:\WINDOWS\temp\History\History.IE5\desktop.ini
7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini
7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\9JGKA28P\desktop.ini
7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\H1WQ1U85\desktop.ini
7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\OTIR0D2B\desktop.ini
7/6/2005 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XBU7GHEZ\desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
Checking %ALLUSERSPROFILE%\Startup folder...
Checking %ALLUSERSPROFILE%\Application Data folder...
Checking %USERPROFILE%\Startup folder...
Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\nfnfnsxg {c5583504-9ba4-4eda-bb2d-5f62737ad84d} =
*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Yahoo! Mail {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin =
SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
RegistryMechanic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
AIM C:\Program Files\aim\aim.exe -cnetwait.odl
Yahoo! Pager "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient = C:\Program Files\Common Files\Stardock\mcpstub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB = C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs wbsys.dll
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

I haven't gotten the "new hardware" message the last couple times I was logging on and off the different accounts.
Next time I do, I will let you know what they say. Thanks!!
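The WinPFind logs above list the autorun locations on the machine, but the log itself does not say how much weight each one carries. The following Python script is an added example (not WinPFind's code and not part of this thread) that takes entries in the form WinPFind prints them and rates them the way a reviewer reads such a log: a Winlogon\Notify DLL runs inside winlogon.exe as SYSTEM, anything in AppInit_DLLs is mapped into every process that loads user32.dll, a ShellServiceObjectDelayLoad object is loaded by Explorer at every logon, and an Image File Execution Options subkey is inert unless it carries a Debugger value, which is why the long IFEO list above is noise by itself. The sample lines are copied from the log (the AppInit_DLLs line rewritten as key = value so one parser serves); the severity labels and the "random-looking name" heuristic that catches the nfnfnsxg context-menu handler are the example's own choices. It flags the Stardock entries (MCPClient, 0aMCPClient) only because they sit outside the Windows directory, which is what a human then confirms against the installed software in the process list.

```python
"""Triage the "Registry Entries Found" section of a WinPFind log.

Added example; this is not WinPFind's own code. It takes lines in the
form WinPFind prints ("Key\\Name {CLSID} = target") and rates each
autorun location the way a reviewer would read the log above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the entries in the log above. The
# AppInit_DLLs line is normalised to "key = value" so one parser serves.
SAMPLE_LOG = r"""
*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\nfnfnsxg {c5583504-9ba4-4eda-bb2d-5f62737ad84d} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient = C:\Program Files\Common Files\Stardock\mcpstub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = wbsys.dll
"""

ENTRY_RE = re.compile(
    r"^(?P<key>.+?)(?:\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\})?\s*=\s*(?P<target>.*)$"
)

# Targets inside the Windows directory, or bare file names (which these
# keys resolve from system32), are what a stock XP installation shows.
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\")


def is_system_path(target: str) -> bool:
    t = target.lower()
    return "\\" not in t or t.startswith(SYSTEM_PREFIXES)


def looks_random(name: str) -> bool:
    """Heuristic only: 7+ letters with no vowel at all, like 'nfnfnsxg'."""
    return len(name) >= 7 and name.isalpha() and not set(name.lower()) & set("aeiouy")


def classify(key: str, target: str) -> Tuple[str, str]:
    """Return (severity, reason) for one parsed entry."""
    k = key.lower()
    name = key.rsplit("\\", 1)[-1]
    if k.endswith("\\appinit_dlls"):
        if target:
            return "HIGH", "AppInit_DLLs loads %s into every process that maps user32.dll" % target
        return "OK", "AppInit_DLLs is empty"
    if "\\image file execution options\\" in k:
        # A bare IFEO subkey does nothing; only a Debugger value hijacks the image.
        if k.endswith("\\debugger") and target:
            return "HIGH", "IFEO Debugger redirects this image to %s" % target
        return "INFO", "IFEO subkey without a Debugger value; harmless by itself"
    if "\\winlogon\\notify\\" in k:
        if not is_system_path(target):
            return "REVIEW", "Notify DLL outside the Windows directory runs inside winlogon.exe as SYSTEM"
        return "OK", "Notify DLL resolves from the Windows directory"
    if "\\shellserviceobjectdelayload\\" in k:
        if not is_system_path(target):
            return "REVIEW", "SSODL object outside the Windows directory is loaded by Explorer at every logon"
        return "OK", "SSODL object resolves from the Windows directory"
    if "\\contextmenuhandlers\\" in k:
        if not target:
            return "REVIEW", "shell extension whose CLSID resolves to no file"
        if looks_random(name):
            return "REVIEW", "shell extension with a random-looking name"
        return "OK", "shell extension backed by a named file"
    return "OK", "no rule for this key"


def triage(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Parse every 'key = target' line; return (severity, name, target, reason)."""
    rows = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, target = m.group("key"), m.group("target").strip()
        sev, why = classify(key, target)
        rows.append((sev, key.rsplit("\\", 1)[-1], target, why))
    return rows


def findings(log_text: str) -> Dict[str, str]:
    """Only the entries that need a human decision, keyed by entry name."""
    return {name: sev for sev, name, _, _ in triage(log_text) if sev != "OK"}


if __name__ == "__main__":
    for sev, name, target, why in triage(SAMPLE_LOG):
        print("%-6s %-22s %s" % (sev, name, why))
```

Run it as a script to see one line per entry; the REVIEW rows are the ones to check against the installed software, the single HIGH row (wbsys.dll in AppInit_DLLs) is where to start, and the IFEO row shows why WinPFind's list of key names is not by itself evidence of a hijack.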
njustice Posted July 17, 2005
Hi Liz, I need you to go HERE and browse to the files below, one at a time, then Submit for analysis. Please copy and paste the Scanner results and Status back here.
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\uccspecb.sys
CsrLiz344 Posted July 17, 2005
File: pcconfig.dat
Status: OK
MD5: 51ca4ba7556c2a4bb0e981da7bc8b907
Packers detected: -
Scanner results:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

File: uccspecb.sys
Status: OK
MD5: 0bd3364b4dd4cea7c2c7426598491a12
Packers detected: -
Scanner results:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
njustice Posted July 18, 2005
Liz, after consulting with other experts we feel that the two files you scanned at Jotti's are in fact bad.

Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
C:\log.txt
C:\win.txt
C:\windows.txt
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\ojojo.dll

Also, for peace of mind, please do the following online scans:
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www.windowsecurity.com/trojanscan/

Report back any files that cannot be removed. Let me know how your computer is running.
CsrLiz344 Posted July 18, 2005
I got the Panda done; it found a bunch of spyware. Will do the other in the morning. Do you want the names of them? I saved the report.
njustice Posted July 18, 2005
Liz, go ahead and post the report after you're done with the other scan.
CsrLiz344 Posted July 18, 2005
Ok, these are the results. I don't understand them; hopefully you can figure it out.

Incident Status Location
Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe
Adware:adware/exactsearch No disinfected C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\blank.gif
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe
Adware:adware/nsearch No disinfected C:\sp.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/myway No disinfected C:\PROGRAM FILES\MySearch
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAACCX.DLL
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Jade\Local Settings\Temporary Internet Files\Content.IE5\Q4LV5IYF\upd208[1].exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[beowser.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cBbinet.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cqutil.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cwypt32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dmsrslvr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[doquery.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dv16gt.dLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[dXvclnt.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[fedrclnr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[ibcoin2.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[idetcfg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[ksdsl1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[kxcp32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[kydhe220.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[lHprxy.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[lutif11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mcident.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mjprivs.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[mvdtclog.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[guard.tmp]
Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\motoin.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\upd208.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\DFBJLT8E\upd208[1].exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[drloader.dll]
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[iaxrip.dll]
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[iyfosoft.dll]
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[jkproxy.dll]
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[madtclog.dll]
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-654705994-3440055010-3760535603-1006\Dc3\l2mfix\backup.zip[guard.tmp]
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\WONWebLauncherControl.ocx
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\WONWebLauncherControl.ocx
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0006.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/IWon No disinfected C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\lhzgzhbk.exe
Possible Virus. No disinfected C:\WINDOWS\Live_Sex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\temp\upd208.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

I also d/l'd the other software. After the scan, this is the web addy to check the results: http://www.hijackfree.com/analyze/?id=a3ac...21-f1303aa2d81e
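The Panda report above mixes three kinds of location: plain files, members inside an archive (the l2mfix backup.zip is reported once per member), and registry keys, some of which (the ModuleUsage keys) embed a forward-slash file path that is not itself a file location. The following Python script is an added example (not Panda's code and not the forum helper's) that parses such report lines into a removal plan: unique file paths, deduplicated case-insensitively because Windows paths are case-insensitive (motoin.exe and cfgmgr52.dll are each reported twice above under different capitalisation), each archive listed once, and registry keys kept apart from files. The sample lines are a subset of the report above; the function names and the plan layout are the example's own.

```python
"""Turn a Panda ActiveScan report into a de-duplicated removal plan.

Added example, not Panda's or the forum helper's code. It reads the
"Incident Status Location" lines pasted above and separates plain files
(what a delete-on-reboot tool can take), members of an archive (delete
the archive, not each member), and registry locations (not files at all).
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a subset of the report lines above, one per line.
SAMPLE_REPORT = r"""Incident Status Location
Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[beowser.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Liz\Desktop\l2mfix\backup.zip[cBbinet.dll]
Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\motoin.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Possible Virus. No disinfected C:\WINDOWS\Live_Sex.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
"""

LINE_RE = re.compile(r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<loc>.+)$")
ARCHIVE_RE = re.compile(r"^(?P<zip>.+\.zip)\[(?P<member>[^\]]+)\]$", re.I)
MODULEUSAGE_RE = re.compile(r"\\MODULEUSAGE\\(?P<path>.+)$", re.I)


def family(incident: str) -> str:
    """'Adware:Adware/Look2Me' and 'Adware:adware/look2me' are one family."""
    return incident.split("/")[-1].strip().rstrip(".").lower()


def build_plan(report: str) -> Dict[str, object]:
    files: Dict[str, str] = {}          # lower-cased path -> first spelling seen
    archives: Dict[str, List[str]] = {}
    registry: List[str] = []
    families: Counter = Counter()

    def add_file(path: str) -> None:
        # Windows paths are case-insensitive, so dedupe on the lowered form.
        files.setdefault(path.lower(), path)

    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # header line or stray text
        incident, loc = m.group("incident"), m.group("loc").strip()
        families[family(incident)] += 1
        if loc.upper().startswith("HKEY_"):
            registry.append(loc)
            mu = MODULEUSAGE_RE.search(loc)
            if mu:                       # ModuleUsage keys name the file they track
                add_file(mu.group("path").replace("/", "\\"))
            continue
        arc = ARCHIVE_RE.match(loc)
        if arc:
            archives.setdefault(arc.group("zip"), []).append(arc.group("member"))
            continue
        add_file(loc)

    return {
        "files": list(files.values()),
        "archives": archives,
        "registry": registry,
        "families": families,
    }


def killbox_list(report: str) -> List[str]:
    """Unique file paths plus each archive once: what to feed a delete tool."""
    plan = build_plan(report)
    return plan["files"] + list(plan["archives"])


if __name__ == "__main__":
    plan = build_plan(SAMPLE_REPORT)
    for fam, n in plan["families"].most_common():
        print("%-15s %d" % (fam, n))
    print("\n".join(killbox_list(SAMPLE_REPORT)))
```

On the sample the eleven report lines collapse to five unique files and one archive; the ModuleUsage key yields the same M67M.OCX path that the later Downloaded Program Files line reports, so it is listed once, and the two LEGACY/ModuleUsage keys stay in the registry list for a registry editor rather than a file deleter.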
njustice Posted July 18, 2005
Hi Liz, your link to HijackFree won't work for me.
================
Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
C:\WINDOWS\SYSTEM32\ps1.exe
C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\blank.gif
C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe
C:\sp.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\unstall.exe
C:\PROGRAM FILES\MySearch
C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAACCX.DLL
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\DFBJLT8E\upd208[1].exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\Downloaded Program Files\m67m.ocx
C:\WINDOWS\Downloaded Program Files\pcs_0006.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx
C:\WINDOWS\lhzgzhbk.exe
C:\WINDOWS\Live_Sex.exe
C:\WINDOWS\system\UpdInst.exe
C:\WINDOWS\temp\upd208.exe
C:\WINDOWS\unstall.exe
==============
Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):
- C:\Windows\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
- Empty your "Recycle Bin"
===============
Make sure Ewido, Adaware and Spybot are updated; fix what they find, rebooting in between each scan. Report back on how your computer is running.
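KillBox's "Delete on Reboot" relies on a Windows mechanism worth understanding when a file cannot be deleted while it is loaded: MoveFileEx called with MOVEFILE_DELAY_UNTIL_REBOOT appends the path to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager applies that list at the next boot before Explorer, services or any logon-time autorun has run, which is why the instructions above say to answer No to the reboot prompt until the last path has been entered. The following Python script is an added example, not KillBox's code: it builds and reads the queue format, drops the duplicate paths in the list above (cfgmgr52.dll and unstall.exe appear twice), and wraps the real API call. The queue-format functions run anywhere; the two Windows-only functions need administrator rights and are guarded. A directory such as C:\PROGRAM FILES\MySearch is only removed this way if it is empty by boot time.

```python
r"""What KillBox's "Delete on Reboot" does under the hood.

Added example, not KillBox's code. Windows keeps a queue of file moves
and deletes in the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the Session
Manager applies it at the next boot, before Explorer, services or any
logon-time persistence has run. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT
appends to that queue, which is why the helper says to answer "No" to
the reboot prompt until the last path has been added.
"""
import sys
from typing import List, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4      # flag value from winbase.h
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def pending_rename_entries(paths: List[str]) -> List[str]:
    """Build the queue as Windows stores it: pairs of (source, destination),
    source written in NT object form (\\??\\C:\\...) and destination empty
    for a delete. Duplicates (the list above names cfgmgr52.dll twice) are
    dropped case-insensitively, since the second attempt would just fail."""
    seen = set()
    entries: List[str] = []
    for p in paths:
        key = p.strip().lower()
        if not key or key in seen:
            continue
        seen.add(key)
        entries.append("\\??\\" + p.strip())
        entries.append("")
    return entries


def parse_pending(entries: List[str]) -> List[Tuple[str, str]]:
    """Inverse of the above: read the multi-string back into (src, dst) pairs.
    dst == "" means delete; anything else is a rename applied at boot."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    pairs = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        for prefix in ("\\??\\", "!\\??\\"):   # "!" marks MOVEFILE_REPLACE_EXISTING
            if dst.startswith(prefix):
                dst = dst[len(prefix):]
        pairs.append((src[4:] if src.startswith("\\??\\") else src, dst))
    return pairs


def schedule_delete_on_reboot(path: str) -> bool:
    """Queue one delete through the real API. Needs administrator rights; a
    directory is only removed if it is empty by then, so a folder such as
    C:\\PROGRAM FILES\\MySearch must be emptied first or deleted by hand."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    return bool(ok)


def read_pending_operations() -> List[Tuple[str, str]]:
    """Show what is already queued, so a retry does not double-book a path."""
    if sys.platform != "win32":
        raise OSError("the Session Manager key only exists on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as k:
        try:
            value, _ = winreg.QueryValueEx(k, VALUE_NAME)
        except FileNotFoundError:
            return []
    return parse_pending(list(value))


if __name__ == "__main__":
    queue = pending_rename_entries([r"C:\WINDOWS\cfgmgr52.dll", r"C:\WINDOWS\unstall.exe", r"C:\WINDOWS\cfgmgr52.dll"])
    for src, dst in parse_pending(queue):
        print("delete at reboot:" if dst == "" else "rename at reboot:", src, dst)
```

Reading the value back with read_pending_operations before and after a KillBox session is the cheap way to confirm that every path was actually queued; a path the malware re-creates after the reboot means a persistence entry (one of the autorun locations in the WinPFind log) is still live and has to be removed as well.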
CsrLiz344 Posted July 18, 2005
Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):
- C:\Windows\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
- Empty your "Recycle Bin"

Can you explain that? I admit to being a little computer savvy, but that escapes me. Thanks!
CsrLiz344 (Author) Posted July 18, 2005

BTW, here's the last HijackFree scan results:

a-squared HiJackFree Analysis (www.hijackfree.com)

Version info:
Your used version of a-squared HiJackFree: 1.20
The current version of a-squared HiJackFree: 1.20
Your used operating system version: Windows XP Service Pack 2
The current version of your operating system: Windows XP Service Pack 2

Registry Autoruns:
Name: IntelliPoint | Path: C:\Program Files\Microsoft IntelliPoint\point32.exe | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 3 - Bad: 0
Name: AVG7_CC | Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 1 - Bad: 0
Name: AVG7_EMC | Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 2 - Bad: 0
Name: Zone Labs Client | Path: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 2 - Bad: 0
Name: YBrowser | Path: C:\Program Files\Yahoo!\browser\ybrwicon.exe | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 1 - Bad: 0
Name: CursorXP | Path: C:\Program Files\CursorXP\CursorXP.exe | Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 1 - Bad: 0
Name: PopUpStopperFreeEdition | Path: C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe | Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 2 - Bad: 0
Name: AIM | Path: C:\Program Files\aim\aim.exe -cnetwait.odl | Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 1 - Bad: 0
Name: a-squared | Path: C:\Program Files\a2\a2guard.exe | Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Good: 2 - Bad: 0

Tricky and Other Autoruns:
Name: load | Path: | Location: win.ini | Not checked (Unknown Item)
Name: run | Path: | Location: win.ini | Not checked (Unknown Item)
Name: shell | Path: Explorer.exe | Location: win.ini | Not checked (Unknown Item)
Name: scrnsave.exe | Path: C:\WINDOWS\system32\logon.scr | Location: win.ini | Not checked (Unknown Item)
Name: NUL | Path: îÂ|8‘|ÿÿÿÿ2‘|«‘|ë‘| | Location: win.ini | Not checked (Unknown Item)
Name: NUL | Path: îÂ|8‘|ÿÿÿÿ2‘|«‘|ë‘| | Location: win.ini | Not checked (Unknown Item)
Name: SBC Self Support Tool | Path: | Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ | Not checked (Unknown Item)
Name: AVG7_Run | Path: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE | Location: HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\ | Not checked (Unknown Item)
Name: Shell | Path: Explorer.exe | Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ | Not checked (Unknown Item)
Name: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} | Path: C:\WINDOWS\inf\unregmp2.exe /ShowWMP | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {26923b43-4d38-484f-9b9e-de460746276c} | Path: C:\WINDOWS\system32\system32\shmgrate.exe OCInstallUserConfigIE | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {881dd1c5-3dcf-431b-b061-f3f88e8be88a} | Path: C:\WINDOWS\system32\system32\shmgrate.exe OCInstallUserConfigOE | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} | Path: C:\WINDOWS\system32\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\system32\themeui.dll | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} | Path: C:\Program Files\Outlook Express\setup50.exe /APP:OE /CALLER:WINNT /user /install | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} | Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {4b218e3e-bc98-4770-93d3-2731b9329278} | Path: C:\WINDOWS\system32\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 C:\WINDOWS\system32\inf\ie.inf | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {5945c046-1e7d-11d1-bc44-00c04fd912be} | Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {6BF52A52-394A-11d3-B153-00C04F79FAA6} | Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {7790769C-0471-11d2-AF11-00C04FA35D02} | Path: C:\Program Files\Outlook Express\setup50.exe /APP:WAB /CALLER:WINNT /user /install | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {89820200-ECBD-11cf-8B85-00AA005B4340} | Path: regsvr32.exe /s /n /i:U shell32.dll | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: {89820200-ECBD-11cf-8B85-00AA005B4383} | Path: C:\WINDOWS\system32\system32\ie4uinit.exe | Location: HKLM\Software\Microsoft\Active Setup\Installed Components\ | Not checked (Unknown Item)
Name: VBScript Script File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\vbsfile\shell\open\command\ | Not checked (Unknown Item)
Name: VBScript Encoded Script File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\vbefile\shell\open\command\ | Not checked (Unknown Item)
Name: JScript Script File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\jsfile\shell\open\command\ | Not checked (Unknown Item)
Name: JScript Encoded Script File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\jsefile\shell\open\command\ | Not checked (Unknown Item)
Name: Windows Script Host Settings File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\wshfile\shell\open\command\ | Not checked (Unknown Item)
Name: Windows Script File | Path: C:\Program Files\Script Sentry\ScriptSentry.exe %1 %* | Location: HKEY_CLASSES_ROOT\wsffile\shell\open\command\ | Not checked (Unknown Item)
Name: Application | Path: %1 %* | Location: HKEY_CLASSES_ROOT\exefile\shell\open\command\ | Not checked (Unknown Item)
Name: MS-DOS Application | Path: %1 %* | Location: HKEY_CLASSES_ROOT\comfile\shell\open\command\ | Not checked (Unknown Item)
Name: MS-DOS Batch File | Path: %1 %* | Location: HKEY_CLASSES_ROOT\batfile\shell\open\command\ | Not checked (Unknown Item)
Name: Screen Saver | Path: %1 /S | Location: HKEY_CLASSES_ROOT\scrfile\shell\open\command\ | Not checked (Unknown Item)
Name: Shortcut to MS-DOS Program | Path: %1 %* | Location: HKEY_CLASSES_ROOT\piffile\shell\open\command\ | Not checked (Unknown Item)
Name: wbsys.dll | Path: wbsys.dll | Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ | Not checked (Unknown Item)
Name: SCRNSAVE.EXE | Path: C:\WINDOWS\system32\logon.scr | Location: HKCU\Control Panel\Desktop\ | Not checked (Unknown Item)
Name: BootExecute | Path: autocheck autochk * | Location: HKLM\System\CurrentControlSet\Control\Session Manager\ | Not checked (Unknown Item)
Name: 0aMCPClient | Path: C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ | Not checked (Unknown Item)
Name: PostBootReminder | Path: C:\WINDOWS\system32\system32\SHELL32.dll | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ | Not checked (Unknown Item)
Name: CDBurn | Path: C:\WINDOWS\system32\system32\SHELL32.dll | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ | Not checked (Unknown Item)
Name: WebCheck | Path: C:\WINDOWS\system32\System32\webcheck.dll | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ | Not checked (Unknown Item)
Name: SysTray | Path: C:\WINDOWS\system32\stobject.dll | Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ | Not checked (Unknown Item)

Layered Service Providers (LSP):
Name: mswsock.dll | Path: C:\WINDOWS\system32\system32\ | Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ | Good: 1 - Bad: 0
Name: rsvpsp.dll | Path: C:\WINDOWS\system32\system32\ | Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ | Good: 1 - Bad: 0

Explorer And Browser Addons:
Name: Yahoo! Companion BHO | Path: C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll | Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | ClsID: {02478D38-C3F9-4efb-9B51-7695ECA05670} | Good: 1 - Bad: 0
Name: AcroIEHlprObj Class | Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll | Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | ClsID: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} | Good: 1 - Bad: 0
Name: (none) | Path: C:\PROGRA~1\SPYBOT~1\SDHelper.dll | Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | ClsID: {53707962-6F74-2D53-2644-206D7942484F} | Good: 1 - Bad: 0
Name: URL Exec Hook | Path: shell32.dll | Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ | ClsID: {AEB6717E-7E19-11d0-97EE-00C04FD91972} | Good: 0 - Bad: 0 (Unknown Item)
Name: Yahoo! Companion | Path: C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll | Location: HKLM\Software\Microsoft\Internet Explorer\Toolbar\ | ClsID: {EF99BD32-C1FB-11D2-892F-0090271D4F88} | Good: 1 - Bad: 0

Local Open Ports:
Port: 135 TCP | Path: C:\WINDOWS\system32\svchost.exe (Process ID: 772) | Good: 1 - Bad: 0
Port: 139 TCP | Path: ? (Process ID: 4) | Good: 1 - Bad: 0
Port: 445 TCP | Path: ? (Process ID: 4) | Good: 1 - Bad: 0
Port: 1027 TCP | Path: C:\WINDOWS\system32\alg.exe (Process ID: 924) | Good: 1 - Bad: 0
Port: 1051 TCP | Path: C:\Program Files\aim\aim.exe (Process ID: 128) | Good: 0 - Bad: 0 (Unknown Item)
Port: 1059 TCP | Path: ? (Process ID: 128) | Good: 0 - Bad: 0 (Unknown Item)
Port: 5180 TCP | Path: ? (Process ID: 128) | Good: 0 - Bad: 0 (Unknown Item)
Port: 10110 TCP | Path: C:\Program Files\Grisoft\AVG Free\avgemc.exe (Process ID: 2000) | Good: 0 - Bad: 0 (Unknown Item)
Port: 123 UDP | Path: C:\WINDOWS\system32\svchost.exe (Process ID: 836) | Good: 1 - Bad: 0
Port: 123 UDP | Path: C:\WINDOWS\system32\svchost.exe (Process ID: 836) | Good: 1 - Bad: 0
Port: 137 UDP | Path: ? (Process ID: 4) | Good: 1 - Bad: 0
Port: 138 UDP | Path: ? (Process ID: 4) | Good: 1 - Bad: 0
Port: 445 UDP | Path: ? (Process ID: 4) | Good: 1 - Bad: 0
Port: 500 UDP | Path: C:\WINDOWS\system32\lsass.exe (Process ID: 580) | Good: 1 - Bad: 0
Port: 1052 UDP | Path: C:\Program Files\Grisoft\AVG Free\avgemc.exe (Process ID: 128) | Good: 0 - Bad: 0 (Unknown Item)
Port: 1900 UDP | Path: C:\WINDOWS\system32\svchost.exe (Process ID: 900) | Good: 0 - Bad: 0 (Unknown Item)
Port: 1900 UDP | Path: C:\WINDOWS\system32\svchost.exe (Process ID: 900) | Good: 0 - Bad: 0 (Unknown Item)
Port: 4500 UDP | Path: C:\WINDOWS\system32\lsass.exe (Process ID: 580) | Good: 0 - Bad: 0 (Unknown Item)

Running Processes:
Name: [System Process] | Process ID: 0 | Path: | Threads: 1 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: System | Process ID: 4 | Path: | Threads: 59 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: aim.exe | Process ID: 128 | Path: C:\Program Files\aim\ | Threads: 11 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: a2guard.exe | Process ID: 148 | Path: C:\Program Files\a2\ | Threads: 10 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: ycommon.exe | Process ID: 184 | Path: C:\Program Files\Yahoo!\browser\ | Threads: 9 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: smss.exe | Process ID: 452 | Path: C:\WINDOWS\system32\ | Threads: 3 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: csrss.exe | Process ID: 500 | Path: C:\WINDOWS\system32\ | Threads: 11 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: winlogon.exe | Process ID: 524 | Path: C:\WINDOWS\system32\ | Threads: 19 - Priority: High - Visible: No | Good: 1 - Bad: 0
Name: services.exe | Process ID: 568 | Path: C:\WINDOWS\system32\ | Threads: 15 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: lsass.exe | Process ID: 580 | Path: C:\WINDOWS\system32\ | Threads: 21 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: svchost.exe | Process ID: 724 | Path: C:\WINDOWS\system32\ | Threads: 19 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: svchost.exe | Process ID: 772 | Path: C:\WINDOWS\system32\ | Threads: 10 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: svchost.exe | Process ID: 836 | Path: C:\WINDOWS\system32\ | Threads: 85 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: svchost.exe | Process ID: 900 | Path: C:\WINDOWS\system32\ | Threads: 14 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: alg.exe | Process ID: 924 | Path: C:\WINDOWS\system32\ | Threads: 6 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: mpbtn.exe | Process ID: 996 | Path: C:\Program Files\SBC Self Support Tool\bin\ | Threads: 1 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: spoolsv.exe | Process ID: 1132 | Path: C:\WINDOWS\system32\ | Threads: 15 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: SDMCP.exe | Process ID: 1256 | Path: C:\Program Files\Common Files\Stardock\ | Threads: 2 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: wbload.exe | Process ID: 1292 | Path: C:\Program Files\Stardock\Object Desktop\WindowBlinds\ | Threads: 1 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: avgamsvr.exe | Process ID: 1364 | Path: C:\Program Files\Grisoft\AVG Free\ | Threads: 10 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: avgupsvc.exe | Process ID: 1380 | Path: C:\Program Files\Grisoft\AVG Free\ | Threads: 4 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: KodakCCS.exe | Process ID: 1452 | Path: C:\WINDOWS\system32\drivers\ | Threads: 2 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: ScsiAccess.EXE | Process ID: 1492 | Path: C:\WINDOWS\system32\ | Threads: 2 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: svchost.exe | Process ID: 1532 | Path: C:\WINDOWS\system32\ | Threads: 8 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: wdfmgr.exe | Process ID: 1556 | Path: C:\WINDOWS\system32\ | Threads: 6 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: vsmon.exe | Process ID: 1592 | Path: C:\WINDOWS\system32\ZoneLabs\ | Threads: 22 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: Explorer.EXE | Process ID: 1788 | Path: C:\WINDOWS\ | Threads: 13 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: point32.exe | Process ID: 1984 | Path: C:\Program Files\Microsoft IntelliPoint\ | Threads: 4 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: avgcc.exe | Process ID: 1992 | Path: C:\Program Files\Grisoft\AVG Free\ | Threads: 7 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: avgemc.exe | Process ID: 2000 | Path: C:\Program Files\Grisoft\AVG Free\ | Threads: 8 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: zlclient.exe | Process ID: 2008 | Path: C:\Program Files\Zone Labs\ZoneAlarm\ | Threads: 6 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: ybrwicon.exe | Process ID: 2016 | Path: C:\Program Files\Yahoo!\browser\ | Threads: 6 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: jusched.exe | Process ID: 2024 | Path: C:\Program Files\Java\jre1.5.0_04\bin\ | Threads: 1 - Priority: Normal - Visible: No | Good: 2 - Bad: 0
Name: CursorXP.exe | Process ID: 2032 | Path: C:\Program Files\CursorXP\ | Threads: 2 - Priority: High - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: PSFree.exe | Process ID: 2044 | Path: C:\Program Files\Panicware\Pop-Up Stopper Free Edition\ | Threads: 1 - Priority: Normal - Visible: No | Good: 0 - Bad: 0 (Unknown Item)
Name: wuauclt.exe | Process ID: 2052 | Path: C:\WINDOWS\system32\ | Threads: 8 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: a2start.exe | Process ID: 2744 | Path: C:\Program Files\a2\ | Threads: 1 - Priority: Normal - Visible: No | Good: 1 - Bad: 0
Name: a2sys.exe (a-squared HiJackFree) | Process ID: 2764 | Path: C:\Program Files\a2\ | Threads: 2 - Priority: Normal - Visible: Yes | Good: 1 - Bad: 0

Analysis generated on 7/19/2005 1:54:38 AM
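A small parser for output like the HiJackFree log above, added here as an example; it is not part of the post and not HiJackFree's own code. It assumes the text layout as pasted (records run together as "Name: ... Path: ... Location: ..." followed by either "Good: n - Bad: m" or "Not checked"), and the review rules in `review()` are my own heuristics for what a helper reads first in such a log (a win.ini load=/run= line that points at a program, a Winlogon Shell that is not Explorer.exe, a path full of garbage bytes, a binary sitting directly under the Windows folder), not verdicts. The embedded sample mixes records copied from the log above with two constructed ones (`suspect.exe` and a process record), and the process section is deliberately left unparsed because its layout differs.

```python
r"""Parse a-squared HiJackFree "Name/Path/Location" records and flag
the ones a helper would look at first.

Added example; the heuristics in review() are review prompts, not
verdicts. SAMPLE_LOG mixes records copied from the posted log with
constructed ones (suspect.exe is made up)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One record: Name ... Path ... Location ... [ClsID ...] then a rating
# or "Not checked". Lazy groups stop at the first field that follows.
ENTRY_RE = re.compile(
    r"Name:\s*(?P<name>.*?)\s*Path:\s*(?P<path>.*?)\s*Location:\s*(?P<location>.*?)"
    r"\s*(?:ClsID:\s*(?P<clsid>\{[^}]*\}))?"
    r"\s*(?:Good:\s*(?P<good>\d+)\s*-\s*Bad:\s*(?P<bad>\d+)|Not checked)",
    re.DOTALL,
)

# Constructed sample in the tool's run-together layout.
SAMPLE_LOG = (
    "Tricky and Other Autoruns: Result ToDo "
    "Name: load Path: C:\\WINDOWS\\suspect.exe Location: win.ini Not checked Unknown ItemSearch at Google "
    "Name: run Path: Location: win.ini Not checked Unknown ItemSearch at Google "
    "Name: shell Path: Explorer.exe Location: win.ini Not checked Unknown ItemSearch at Google "
    "Name: NUL Path: \u00ee\u00c2|8\u2018|\u00ff\u00ff\u00ff\u00ff2\u2018|\u00ab\u2018|\u00eb\u2018| "
    "Location: win.ini Not checked Unknown ItemSearch at Google "
    "Name: Shell Path: Explorer.exe Location: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ "
    "Not checked Unknown ItemSearch at Google "
    "Name: IntelliPoint Path: C:\\Program Files\\Microsoft IntelliPoint\\point32.exe "
    "Location: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Good: 3 - Bad: 0View Details "
    "Name: aim.exe Process ID: 128 Path: C:\\Program Files\\aim\\ Info: Threads: 11 - Priority: Normal "
    "- Visible: No Good: 1 - Bad: 0View Details "
)


@dataclass
class Entry:
    name: str
    path: str
    location: str
    clsid: Optional[str]
    good: Optional[int]   # None when the tool says "Not checked"
    bad: Optional[int]


def parse_entries(text: str) -> List[Entry]:
    """Split at each "Name:" and parse the chunk; process records (which
    have no Location field) and port records simply fail to match."""
    out: List[Entry] = []
    for chunk in re.split(r"(?=Name:\s)", text):
        m = ENTRY_RE.match(chunk)
        if not m:
            continue
        g = m.groupdict()
        out.append(Entry(
            name=g["name"], path=g["path"], location=g["location"], clsid=g["clsid"],
            good=int(g["good"]) if g["good"] else None,
            bad=int(g["bad"]) if g["bad"] else None,
        ))
    return out


def review(e: Entry) -> List[str]:
    """Reasons this record deserves a manual look (my heuristics)."""
    reasons: List[str] = []
    loc, name, path = e.location.lower(), e.name.lower(), e.path
    low = path.lower()
    if loc == "win.ini" and name in ("load", "run") and path:
        reasons.append("win.ini load=/run= starts a program: classic dialer/adware persistence")
    if name == "shell" and path and low != "explorer.exe":
        reasons.append("shell is not Explorer.exe")
    if any(not 32 <= ord(c) < 127 for c in path):
        reasons.append("path contains non-printable or non-ASCII bytes")
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)\b", low) and not low.endswith("\\explorer.exe"):
        reasons.append("binary directly under the Windows folder rather than system32")
    if "browser helper objects" in loc and not e.name:
        reasons.append("unnamed BHO; confirm the DLL's vendor")
    return reasons


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Only the records that have at least one review reason."""
    return [(e, review(e)) for e in entries if review(e)]


def report(text: str) -> List[Tuple[str, str, List[str]]]:
    return [(e.name, e.location, r) for e, r in flag_entries(parse_entries(text))]


if __name__ == "__main__":
    for name, location, reasons in report(SAMPLE_LOG):
        print(f"{name!r} @ {location}: {'; '.join(reasons)}")
```

On the sample this reports the `load` record (program started from win.ini, and the binary sits directly under C:\WINDOWS) and the `NUL` record (garbage bytes in the path), while the empty `run`, both `shell`/`Shell` = Explorer.exe records and IntelliPoint pass. Paste a whole log into `report()` and read the flagged lines first; everything else still needs the usual look-up, since "Good: 0 - Bad: 0" only means nobody has rated the item yet.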