Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Hellppp.. im in tears almost<<VX2>>
shadow_777
Posted: Thu Feb 24, 2005 10:06 am

What is wrong with my PC:

. Recycle bin doesn't work (files do not go into it when deleted)
. Every few times of starting Windows up and logging on, ull.monitor is not working (apparently due to a warning) and, about 5 mins later, the start toolbar changes colour, then the PC automatically reboots for no reason
. Advert madness (even as I type now I am flooded with ads), and I use Firefox only, never IE, but it still shows IE ads without opening the browser

So this is my HijackThis log. Please help. I am at the end of my tether.




Logfile of HijackThis v1.99.1
Scan saved at 18:04:53, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Yrdyxb.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXPHome] C:\WINDOWS\plugin2.exe
O4 - HKLM\..\Run: [yxgt] C:\WINDOWS\yxgt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [L4hnuX2] C:\WINDOWS\wwgmdnf.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [pgfljc] C:\WINDOWS\System32\pgfljc.exe
O4 - HKLM\..\Run: [Msmbrvmy] C:\Program Files\Bcyad\Kryebom.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Iaarcg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Yrdyxb.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ibxaovbe] c:\windows\system32\ibxaovbe.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hnhygi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/067bd5ebfee280f66715/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\ir2ql5f51.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


that's it...
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
shadow_777
Posted: Fri Feb 25, 2005 8:21 am

please... don't ignore.... anyone...
shadow_777
Posted: Sat Feb 26, 2005 7:48 am

help pleeaaaaseee
TeMerc
Posted: Sat Feb 26, 2005 8:02 am

Hi shadow, welcome to the forums.

You have multiple infections; let's start with the worst of the bunch.

You have the latest version of VX2. Download L2mfix from one of these two locations:

L2MFixAtrib
L2MFixSub
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
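
The find log requested above opens with a .reg export of the Winlogon\Notify key. As an added example (not part of the original post and not L2mfix's own logic), this Python sketch parses such an export, decodes the hex(2) DllName values, and lists the entries whose DLL is not on an analyst-supplied allowlist. The function names, the allowlist and the sample export are assumptions constructed for illustration.

```python
import re

# Constructed sample in the same .reg export format as the find log.
# "ExampleEntry" and its DLL name are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleEntry]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\zz0example1.dll"
"Logon"="WinLogon"
'''

# Assumed allowlist of expected notification DLLs (lower case). This is an
# analyst-maintained list for the example, not an authoritative baseline.
ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
             "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def logical_lines(text):
    """Join hex values that regedit wraps with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\") and (buf or "=hex" in line):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_value(raw):
    """Decode a quoted string, a hex(2) REG_EXPAND_SZ (UTF-16LE) or a dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo .reg escaping
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_notify(text):
    """Return {subkey: {value_name_lowercased: value}} for Notify subkeys."""
    marker = "\\winlogon\\notify\\"
    entries, current = {}, None
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            idx = path.lower().find(marker)
            current = path[idx + len(marker):] if idx != -1 else None
            if current is not None:
                entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Value names vary in case (DllName / DLLName), so normalise.
            entries[current][m.group(1).lower()] = decode_value(m.group(2))
    return entries


def triage(entries, allowlist=ALLOWLIST):
    """List (subkey, dll, reason) for entries that need a manual look."""
    findings = []
    for name, values in entries.items():
        dll = values.get("dllname")
        if dll is None:
            findings.append((name, None, "no DllName value"))
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in allowlist:
            reason = "DLL not on allowlist"
            if "\\" in dll:
                reason += "; registered with a full path"
            findings.append((name, dll, reason))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in triage(parse_notify(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} ({reason})")
```

A finding here is a prompt for manual review, not a verdict: legitimate third-party software can also register notification packages.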
shadow_777
Posted: Sun Feb 27, 2005 12:09 pm

ok thanx. and soz for my other post, I thought no one was gonna reply lol... here is what I got (it's a loooooottt):

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv6ol9j31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416A587D-3FAA-4733-AD61-C2EB3D76D851}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{95C12E20-5A5B-48AE-A05C-DB5776A722E1}"=""
"{A9197B5B-0C24-40B3-85DF-E0CAC80CD23E}"=""
"{0AD2ED22-2967-4FCA-83EA-4D775145F60B}"=""
"{8967865B-0CD0-4D3B-BA8E-B2D80B276BB3}"=""
"{5B56919C-47AC-48F9-B140-0ADA3D5B83E4}"=""
"{D42FA0EA-3EEE-44BA-946D-55AB631B719F}"=""
"{FA89348F-7B37-4B96-8F10-094D9E074808}"=""
"{E4EC9D43-DCC6-4331-9977-484009AB3A93}"=""
"{D9A79C03-0E0B-43E0-9382-BBC56D25BA56}"=""
"{9D505FAC-E70B-47C0-B283-459C8BCACD22}"=""
"{A798B2CA-0CA8-487E-9A71-0E411DBAD27B}"=""
"{6254DB6D-7B7F-4194-A160-D2B41CF10683}"=""
"{DD202250-06B4-40D3-8BAD-F79F55000067}"=""
"{F3EB4EF6-7C91-4D21-9DE3-67BE79844C4F}"=""
"{07C88F62-DC47-47BF-ADF9-C26EEEE3281D}"=""
"{FFA12426-6EC9-4366-8FAB-15F7092FE696}"=""
"{B6AD3972-3DBC-468F-9453-F89597869C40}"=""
"{9953826B-81A8-4C82-90B6-E30064C062EE}"=""
"{BAB53E4E-4173-441F-A613-EB341421DE9E}"=""
"{3EE24A1B-1A53-48D3-8969-C5636C2C75C0}"=""
"{60E80B4E-F2F8-4B29-8DEB-48433056D6B0}"=""
"{91D8B5A8-1985-4506-9C77-9D75E38BDE11}"=""
"{72B48E45-CED7-4767-8234-11CDA78F39E7}"=""
"{BA0D346E-8FDB-4441-AF6E-9D6FB9B2059A}"=""
"{9ACF7BA3-3FCF-4410-9F2E-CD395983CFF3}"=""
"{298FAC76-E9C5-42B3-AE57-C5639F080C8F}"=""
"{42778649-F5F4-428B-955A-341B06E29538}"=""
"{4A59A8F1-1992-4D40-B363-9557023F5178}"=""
"{8D6A9A58-434C-4168-8A95-C1F693358843}"=""
"{C7963190-D9E1-4F16-A589-E5214BBFF882}"=""
"{FD4666C0-3A8C-405C-B896-4C84EF80E8E1}"=""
"{174B73D3-3D73-469F-9C33-C03CB5DAF17C}"=""
"{EC654677-5C70-48C5-B59F-C7E1CB2C8C93}"=""
"{56F40FA0-5A21-4D4D-81CF-58A8A3D7EB44}"=""
"{725EBCB1-901B-42A3-B558-40ED2A114E19}"=""
"{1D764A30-F613-497C-9818-5B40682C802C}"=""
"{D3EE59A7-1BC6-4E7D-9C8A-63765A5B439C}"=""
"{EA22B8B1-DE2F-46BA-9A5C-0DF5B18A3AE0}"=""
"{AE3C89E8-933F-41E6-AA13-7521433D0EE5}"=""
"{C0A4AA39-321A-4E55-B321-BE4C90793AA0}"=""
"{E300875E-BB44-42C4-B319-F53388D76228}"=""
"{C7FE3DF4-70EF-403C-978B-F67683390081}"=""
"{DE2CA9B4-ADB3-4757-9D54-C09B335C6886}"=""
"{04FF22BC-6483-4141-957B-EEED95589B1A}"=""
"{94362BFB-9BE3-487D-8140-716768F8847C}"=""
"{F4D50383-1AE4-4724-8935-E57387D68004}"=""
"{4BC85E2E-42F4-429A-9BA1-CE9C3BC61BC9}"=""
"{83884AD9-E7E0-4D8F-BD3E-D8CAF8A452D2}"=""
"{ABFC1531-D026-4E30-A728-3521EEE66AB9}"=""
"{C298C823-6133-4B8F-8C9D-8F9BF9C218CF}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{95C12E20-5A5B-48AE-A05C-DB5776A722E1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95C12E20-5A5B-48AE-A05C-DB5776A722E1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95C12E20-5A5B-48AE-A05C-DB5776A722E1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95C12E20-5A5B-48AE-A05C-DB5776A722E1}\InprocServer32]
@="C:\\WINDOWS\\system32\\iyfgnt5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\

164 items found: 164 files (71 H/S), 0 directories.
Total of file sizes: 50,753,082 bytes 48.40 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun 27 Feb 2005 18:46:50 A.... 230,257 224.86 K
~glh0012.tmp Mon 24 Jan 2005 16:08:22 A.... 0 0.00 K
~glh0018.tmp Mon 24 Jan 2005 16:08:22 A.... 0 0.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 230,257 bytes 224.86 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 542A-9D84

Directory of C:\WINDOWS\System32

76 File(s) 18,087,364 bytes
2 Dir(s) 16,296,751,104 bytes free


ok so now what?
TeMerc
Posted: Sun Feb 27, 2005 2:10 pm

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
shadow_777
Posted: Mon Feb 28, 2005 9:03 am

done that, here's the log:


L2Mfix 1.02b

Running From:
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1832 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 588 'rundll32.exe'
Killing PID 1256 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: wqvdmod.dll (164 bytes security) (deflated 5%)
adding: wynfax.dll (164 bytes security) (deflated 6%)
adding: wznnls.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 73%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 78%)
adding: test.txt (164 bytes security) (deflated 85%)
adding: test2.txt (164 bytes security) (deflated 50%)
adding: test3.txt (164 bytes security) (deflated 50%)
adding: test5.txt (164 bytes security) (deflated 50%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/04FF22BC-6483-4141-957B-EEED95589B1A.reg (164 bytes security) (deflated 70%)
adding: backregs/07C88F62-DC47-47BF-ADF9-C26EEEE3281D.reg (164 bytes security) (deflated 70%)
adding: backregs/0AD2ED22-2967-4FCA-83EA-4D775145F60B.reg (164 bytes security) (deflated 71%)
adding: backregs/174B73D3-3D73-469F-9C33-C03CB5DAF17C.reg (164 bytes security) (deflated 70%)
adding: backregs/1D764A30-F613-497C-9818-5B40682C802C.reg (164 bytes security) (deflated 70%)
adding: backregs/298FAC76-E9C5-42B3-AE57-C5639F080C8F.reg (164 bytes security) (deflated 70%)
adding: backregs/3EE24A1B-1A53-48D3-8969-C5636C2C75C0.reg (164 bytes security) (deflated 70%)
adding: backregs/42778649-F5F4-428B-955A-341B06E29538.reg (164 bytes security) (deflated 70%)
adding: backregs/4A59A8F1-1992-4D40-B363-9557023F5178.reg (164 bytes security) (deflated 70%)
adding: backregs/4BC85E2E-42F4-429A-9BA1-CE9C3BC61BC9.reg (164 bytes security) (deflated 70%)
adding: backregs/56F40FA0-5A21-4D4D-81CF-58A8A3D7EB44.reg (164 bytes security) (deflated 70%)
adding: backregs/5B56919C-47AC-48F9-B140-0ADA3D5B83E4.reg (164 bytes security) (deflated 71%)
adding: backregs/60E80B4E-F2F8-4B29-8DEB-48433056D6B0.reg (164 bytes security) (deflated 70%)
adding: backregs/6254DB6D-7B7F-4194-A160-D2B41CF10683.reg (164 bytes security) (deflated 70%)
adding: backregs/725EBCB1-901B-42A3-B558-40ED2A114E19.reg (164 bytes security) (deflated 70%)
adding: backregs/72B48E45-CED7-4767-8234-11CDA78F39E7.reg (164 bytes security) (deflated 70%)
adding: backregs/83884AD9-E7E0-4D8F-BD3E-D8CAF8A452D2.reg (164 bytes security) (deflated 70%)
adding: backregs/8967865B-0CD0-4D3B-BA8E-B2D80B276BB3.reg (164 bytes security) (deflated 70%)
adding: backregs/8D6A9A58-434C-4168-8A95-C1F693358843.reg (164 bytes security) (deflated 70%)
adding: backregs/91D8B5A8-1985-4506-9C77-9D75E38BDE11.reg (164 bytes security) (deflated 70%)
adding: backregs/94362BFB-9BE3-487D-8140-716768F8847C.reg (164 bytes security) (deflated 70%)
adding: backregs/95C12E20-5A5B-48AE-A05C-DB5776A722E1.reg (164 bytes security) (deflated 70%)
adding: backregs/9953826B-81A8-4C82-90B6-E30064C062EE.reg (164 bytes security) (deflated 70%)
adding: backregs/9ACF7BA3-3FCF-4410-9F2E-CD395983CFF3.reg (164 bytes security) (deflated 70%)
adding: backregs/9D505FAC-E70B-47C0-B283-459C8BCACD22.reg (164 bytes security) (deflated 70%)
adding: backregs/A798B2CA-0CA8-487E-9A71-0E411DBAD27B.reg (164 bytes security) (deflated 70%)
adding: backregs/A9197B5B-0C24-40B3-85DF-E0CAC80CD23E.reg (164 bytes security) (deflated 71%)
adding: backregs/ABFC1531-D026-4E30-A728-3521EEE66AB9.reg (164 bytes security) (deflated 70%)
adding: backregs/AE3C89E8-933F-41E6-AA13-7521433D0EE5.reg (164 bytes security) (deflated 70%)
adding: backregs/B6AD3972-3DBC-468F-9453-F89597869C40.reg (164 bytes security) (deflated 70%)
adding: backregs/BA0D346E-8FDB-4441-AF6E-9D6FB9B2059A.reg (164 bytes security) (deflated 70%)
adding: backregs/BAB53E4E-4173-441F-A613-EB341421DE9E.reg (164 bytes security) (deflated 70%)
adding: backregs/C0A4AA39-321A-4E55-B321-BE4C90793AA0.reg (164 bytes security) (deflated 70%)
adding: backregs/C298C823-6133-4B8F-8C9D-8F9BF9C218CF.reg (164 bytes security) (deflated 70%)
adding: backregs/C7963190-D9E1-4F16-A589-E5214BBFF882.reg (164 bytes security) (deflated 70%)
adding: backregs/C7FE3DF4-70EF-403C-978B-F67683390081.reg (164 bytes security) (deflated 70%)
adding: backregs/D3EE59A7-1BC6-4E7D-9C8A-63765A5B439C.reg (164 bytes security) (deflated 70%)
adding: backregs/D42FA0EA-3EEE-44BA-946D-55AB631B719F.reg (164 bytes security) (deflated 70%)
adding: backregs/D9A79C03-0E0B-43E0-9382-BBC56D25BA56.reg (164 bytes security) (deflated 70%)
adding: backregs/DD202250-06B4-40D3-8BAD-F79F55000067.reg (164 bytes security) (deflated 71%)
adding: backregs/DE2CA9B4-ADB3-4757-9D54-C09B335C6886.reg (164 bytes security) (deflated 70%)
adding: backregs/E300875E-BB44-42C4-B319-F53388D76228.reg (164 bytes security) (deflated 70%)
adding: backregs/E4EC9D43-DCC6-4331-9977-484009AB3A93.reg (164 bytes security) (deflated 70%)
adding: backregs/EA22B8B1-DE2F-46BA-9A5C-0DF5B18A3AE0.reg (164 bytes security) (deflated 70%)
adding: backregs/EC654677-5C70-48C5-B59F-C7E1CB2C8C93.reg (164 bytes security) (deflated 70%)
adding: backregs/F3EB4EF6-7C91-4D21-9DE3-67BE79844C4F.reg (164 bytes security) (deflated 70%)
adding: backregs/F4D50383-1AE4-4724-8935-E57387D68004.reg (164 bytes security) (deflated 70%)
adding: backregs/FA89348F-7B37-4B96-8F10-094D9E074808.reg (164 bytes security) (deflated 70%)
adding: backregs/FD4666C0-3A8C-405C-B896-4C84EF80E8E1.reg (164 bytes security) (deflated 70%)
adding: backregs/FFA12426-6EC9-4366-8FAB-15F7092FE696.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416A587D-3FAA-4733-AD61-C2EB3D76D851}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{416A587D-3FAA-4733-AD61-C2EB3D76D851}</IDone>
<IDtwo>VT15</IDtwo>
<VERSION>200</VERSION>
****************************************************************************







now?
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Mon Feb 28, 2005 3:03 pm

TeMerc asked one of the vx2 experts to step in here.

Now please post a hijackthis log, we will probably have some other things to take care of.

Thanks
_________________
Proud member of the Chest Zipper Club!
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Tue Mar 01, 2005 8:34 am

Logfile of HijackThis v1.99.1
Scan saved at 16:33:00, on 01/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Bcyad\Kryebom.exe
C:\WINDOWS\System32\Yrdyxb.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wkwyug.exe
C:\WINDOWS\System32\svcnet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\system32\ibxaovbe.exe
c:\windows\system32\calc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXPHome] C:\WINDOWS\plugin2.exe
O4 - HKLM\..\Run: [yxgt] C:\WINDOWS\yxgt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [L4hnuX2] C:\WINDOWS\wwgmdnf.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [pgfljc] C:\WINDOWS\System32\pgfljc.exe
O4 - HKLM\..\Run: [Msmbrvmy] C:\Program Files\Bcyad\Kryebom.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Iaarcg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Yrdyxb.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ibxaovbe] c:\windows\system32\ibxaovbe.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/067bd5ebfee280f66715/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

there you go
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
shadow_777

PostPosted: Wed Mar 02, 2005 9:33 am    Post subject: Reply with quote

so???
shadow_777

PostPosted: Sat Mar 05, 2005 4:19 am    Post subject: Reply with quote

?????
shadow_777

PostPosted: Sat Mar 05, 2005 9:36 am    Post subject: Reply with quote

Logfile of HijackThis v1.99.1
Scan saved at 17:34:21, on 05/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\plugin1.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\vmss\vmss.exe
C:\Program Files\Bcyad\Kryebom.exe
C:\WINDOWS\System32\Iaarcg.exe
C:\WINDOWS\System32\Yrdyxb.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\ikcgkmpw.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\wkwyug.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svcnet.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXPHome] C:\WINDOWS\plugin2.exe
O4 - HKLM\..\Run: [yxgt] C:\WINDOWS\yxgt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [L4hnuX2] C:\WINDOWS\wwgmdnf.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [pgfljc] C:\WINDOWS\System32\pgfljc.exe
O4 - HKLM\..\Run: [Msmbrvmy] C:\Program Files\Bcyad\Kryebom.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Iaarcg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Yrdyxb.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [3SAPVAb0] C:\WINDOWS\ikcgkmpw.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/067bd5ebfee280f66715/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

new log anyone?
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Sun Mar 06, 2005 5:18 pm    Post subject: Reply with quote

Shadow

Sorry for delay...I just saw your log. I will be along shortly. Will need to look at the rest of what has transpired before I see what next to do.

Since it has been a while since last log can you post a fresh one please?

thanks!

Will be a few things I need you to check to help resolve this quicker.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
blender

PostPosted: Sun Mar 06, 2005 6:55 pm    Post subject: Reply with quote

Hi again...

Infections you have are quite complex. Will require a fair bit of your time to resolve.
I'll stick with ya till its resolved.

Few things we can do now...

If you still have BPS Spyware and adware remover installed please uninstall it. It is in our list of rogue/suspects. See here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Reboot when done.

Several steps will be required to fix.
Can be done tho.
Once main infector is nailed we can make good progress.

Going to have to be very careful where you browse...IE security settings have been modified and other windows settings modified to lower overall security.

To start off...Please do the following:

Configure your system to "show all files". Instructions here:

http://www.bleepingcomputer.com/forums/tutorial62.html

Download LSPFix from here:

http://www.cexx.org/LSPFix.exe

Save the app to desktop.
but don't run it yet

Copy instructions to notepad and save them. Much of the work is in safe mode, NO IE open, cannot see this page.

Click start> run> type services.msc and hit enter.

Scroll down to:

Zesoft

Double click it to bring up properties
Click stop if available, then set startup type to disable
Click Apply.

Scroll down to:

ISEXEng

Double click to bring up properties
click stop if available and set startup type to disable
Hit apply and OK.

Exit that window.

Click start> run> type cmd and hit enter.

type: net stop delprot and hit enter.
Should get success msg after a few seconds.

Type sc delete "delprot" and hit enter.
Should get success message.

Type sc delete "zesoft" and hit enter.
Should get success message.

Type sc delete "ISEXEng" and hit enter.
Should get success message.

Type exit to exit the cmd window.

Double click lspfix.exe
checkmark "I know what I am doing"
Move all instances of dolsp.dll and aklsp.dll (Nothing else!) to the remove pane.
Click "finish" and close program.

Restart PC to safe mode (tap f8 at bootup)
Log into your account.

Start hijackthis, check the following items, then close all open windows and hit "fix checked" (some may not be present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe

O4 - HKLM\..\Run: [WinXPHome] C:\WINDOWS\plugin2.exe

O4 - HKLM\..\Run: [yxgt] C:\WINDOWS\yxgt.exe

O4 - HKLM\..\Run: [L4hnuX2] C:\WINDOWS\wwgmdnf.exe


O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe

O4 - HKLM\..\Run: [pgfljc] C:\WINDOWS\System32\pgfljc.exe

O4 - HKLM\..\Run: [Msmbrvmy] C:\Program Files\Bcyad\Kryebom.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Iaarcg.exe

O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Yrdyxb.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

O4 - HKLM\..\Run: [Shellapi32] svcnet.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [3SAPVAb0] C:\WINDOWS\ikcgkmpw.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe

O4 - HKCU\..\Run: [Shellapi32] svcnet.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab

O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/067bd5ebfee280f66715/netzip/RdxIE601.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


Find and delete if found the following files/folders:

C:\WINDOWS\wwgmdnf.exe << This file
C:\WINDOWS\farmmext.exe << This file
C:\WINDOWS\yxgt.exe << This file
C:\WINDOWS\zeta.exe << This file
C:\WINDOWS\plugin2.exe << This file
C:\WINDOWS\ikcgkmpw.exe << This file
C:\WINDOWS\plugin1.exe << This file

C:\WINDOWS\isrvs << This folder

C:\Windows\system32\aklsp.dll << This file
c:\windows\system32\docore.dll << This file
c:\windows\system32\dosync.dll << This file
c:\windows\system32\akupd.dll << This file
C:\windows\system32\akrules.dll << This file
c:\windows\system32\akcore.dll << This file
c:\windows\system32\ibxaovbe.exe << This file
C:\WINDOWS\System32\svcnet.exe << This file
C:\WINDOWS\System32\angelex.exe << This file
c:\windows\system32\dolsp.dll << This file
C:\WINDOWS\System32\Yrdyxb.exe << This file
C:\WINDOWS\System32\Iaarcg.exe << This file
C:\WINDOWS\System32\pgfljc.exe << This file
C:\WINDOWS\System32\bridge.dll << This file
C:\Windows\system32\mplay32.dll << This file <--NOT mplay32.exe!!!
C:\Windows\system32\ntec32.exe << This file
C:\Windows\system32\ntsmod.exe << This file
C:\Windows\system32\sysdebug32.exe << This file
C:\Windows\system32\msts32.exe << This file

C:\Windows\system32\drivers\delprot.sys << this file

C:\WINDOWS\System32\wsxsvc << This folder
C:\WINDOWS\System32\vmss << This folder

C:\Program files\ISTBar << This folder
C:\Program Files\ISTsvc << This folder
C:\Program Files\Bcyad << This folder
C:\Program Files\CSBB << This folder

Empty entire contents of the following folders including any sub folders within:

C:\Windows\temp

C:\Windows\prefetch

C:\documents and settings\{user name(s)}\local settings\temp

C:\documents and settings\{user name(s)}\local settings\temporary internet files

Empty recycle bin.

Reboot to normal windows.

See the following link and follow instructions exactly as laid out for best success.

http://www.spywarewarrior.com/viewtopic.php?t=10697

If you are unable to connect to the kaspersky site for download or updates please do the following:

Go to:

C:\Windows\system32\drivers\etc\HOSTS <--No extension...and delete the file.
If you get access denied error; right click it, check properties, if "read only" is checked; uncheck it and try to delete the file again.
We will replace it with known good later.

Once you have done that....

Please post new hijack log.

Once I see new log and results of what I asked you to check above will determine what we do next.

Phew!...Thanks!

I'll be on all nite.
shadow_777

PostPosted: Mon Mar 07, 2005 12:12 pm    Post subject: Reply with quote

Logfile of HijackThis v1.99.1
Scan saved at 20:10:44, on 07/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\wkwyug.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\StreamCast\Morpheus\morphexe.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe





ok?
blender

PostPosted: Mon Mar 07, 2005 3:35 pm    Post subject: Reply with quote

Wow!

That is one heck of an improvement!

Still some work to do tho....

System has improved?

Have you uninstalled BPS antispyware?

One other log I will need from you to help find all components of narrator trojan you have.


  • Download FindIt NT-2K-XP.
  • Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
  • Navigate to the FindIt NT-2K-XP directory.
  • Double-click on FindNarrator.bat and wait for it to run. It takes at least 10-15 minutes.
  • It should open a Notepad window with the FindNarrator log.
  • Post the contents of FindNarrator.txt into your next post.


Thanks!
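Added example, not part of the original thread: a small Python parser for the HijackThis entry lines posted above that diffs the 05/03/2005 and 07/03/2005 scans and checks whether anything from the fix list survived. The sample logs are shortened excerpts of lines from this thread, and the function names are this example's own.

```python
import re
from collections import Counter

# A HijackThis entry line is a section code (a letter R, F, N or O plus a
# number), then " - ", then the entry body. Header lines and the
# "Running processes" paths do not have that shape and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
MISSING = " (file missing)"

# Excerpt of the 05/03/2005 scan in this thread (shortened).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 17:34:21, on 05/03/2005
Running processes:
C:\WINDOWS\System32\svcnet.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

# Excerpt of the "fix checked" list from the helper's post (shortened).
FIXLIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\HADI~1.JIM\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

# Excerpt of the 07/03/2005 scan in this thread (shortened).
AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 20:10:44, on 07/03/2005
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


def parse_log(text):
    """Return a Counter of (code, normalised body) for every entry line.

    The "(file missing)" suffix is dropped and case is folded so the same
    entry matches across scans even when its target file has since been
    deleted. A Counter keeps the multiplicity of repeated lines such as
    the O10 Winsock LSP chain.
    """
    entries = Counter()
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, body = match.groups()
        if body.endswith(MISSING):
            body = body[: -len(MISSING)]
        entries[(code, body.lower())] += 1
    return entries


def diff_logs(before_text, after_text):
    """Split entries into removed, added and persisting between two scans."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed": before - after,     # in the old scan only
        "added": after - before,       # new since the old scan
        "persisting": before & after,  # present in both scans
    }


def still_present(fixlist_text, after_text):
    """Return fix-list entries that a later scan still reports."""
    after = parse_log(after_text)
    return sorted(key for key in parse_log(fixlist_text) if key in after)


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for label in ("removed", "added", "persisting"):
        print(label.upper())
        for (code, body), count in sorted(result[label].items()):
            print(f"  {code} x{count}: {body}")
    print("fix-list entries still present:", still_present(FIXLIST, AFTER))
```

Run against the full logs, the "persisting" group is the part that still needs a decision; in these excerpts it is the apptoport.dll Winsock LSP chain and the bcmwltry Run entry.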
shadow_777

PostPosted: Mon Mar 07, 2005 4:12 pm    Post subject: Reply with quote

BIG progress! Brilliant! Just like to give you so many thanks, you don't know how grateful i... oh the log, of course lol

here:


---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)

********* Date/Time ********

07 March 2005 (07/03/2005)
23:58, GMT Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\system32\cpcguq.dll: updates.qoologic.com
C:\WINDOWS\system32\eaezpn.dll: updates.qoologic.com
C:\WINDOWS\system32\hqhpua.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\pvpquk.dat: .aspack
C:\WINDOWS\system32\thinInstOIT61MegaV2s.dll: 'aspackl
C:\WINDOWS\system32\thinInstOIT61MegaV2s.dlltmp: 'aspackl
C:\WINDOWS\system32\wkwyug.exe: .aspack

---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\47482538-f9ba-4a0a-9408-1f353696266d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{347B0667-C7ED-429B-BDE3-CC8D3BACAA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A17E30C4-A9BA-11D4-8673-60DB54C10000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA218328-0EA8-4D70-8972-E987A9190FF4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9191F79-5613-4C76-AA2A-398534BB8999}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqfgyx]
@="{f7769ee6-a0fd-4a19-a756-337778a7b93c}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"bcmwltry"="bcmwltry.exe"
"removecpl"="RemoveCpl.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Desksite CMA"="C:\\Program Files\\desksite\\bin\\cma.exe"
"LabtecKB"="C:\\Program Files\\Labtec\\Labtec Keyboard-Desktop Software\\DsiMmKbd.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"mswspl"=""
"Narrator"="C:\\WINDOWS\\System32\\wkwyug.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------



ok
ps. system has improved but still a few bugs lol
shadow_777

Posted: Mon Mar 07, 2005 4:17 pm

ps. going to sleep now lol, it's late in England and I got school (dammit) so I'll be on tomorrow hopefully
shadow_777

Posted: Tue Mar 08, 2005 8:26 am

Ok blender I'm back, so anything up with the log???
blender

Posted: Tue Mar 08, 2005 11:25 am

Hi there!

Alrighty!... One more big nasty to remove.

Please copy the following instructions to a Notepad file and save them.
You will need to be offline and have NO IE windows open.
You won't see this page.
We also need to shut down explorer.exe, so it is important to keep your saved Notepad file open and Killbox open. Your desktop will disappear during much of this process... normal.


  1. Download the Pocket Killbox.
  2. Unzip the contents of KillBox.zip to a convenient location.
  3. Disconnect from internet and shut down all running programs
  4. Double-click on KillBox.exe.
  5. Keep Notepad open!
  6. Start Task manager (ctrl+alt+del) and end task explorer.exe
  7. Ok warning and close task manager (desktop disappears now)
  8. In Killbox Click "Delete on Reboot"
  9. Paste this file into the top "Full Path of File to Delete" box.

    • C:\WINDOWS\System32\cpcguq.dll

  10. Click the "Delete File" button which looks like a stop sign.
  11. Click "Yes" at the Delete on Reboot prompt.
  12. Click "No" at the Pending Operations prompt.
  13. Repeat steps 8-12 above for these files:

    • C:\WINDOWS\System32\eaezpn.dll
    • C:\WINDOWS\System32\hqhpua.exe
    • C:\WINDOWS\System32\pvpquk.dat
    • C:\WINDOWS\System32\wkwyug.exe
    • C:\WINDOWS\System32\thinInstOIT61MegaV2s.dll
    • C:\WINDOWS\System32\thinInstOIT61MegaV2s.dlltmp

  14. Click "Delete on Reboot"
  15. Paste this file into the top "Full Path of File to Delete" box.

    • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hnhygi.exe

  16. Click the "Delete File" button which looks like a stop sign.
  17. Click "Yes" at the Delete on Reboot prompt.
  18. Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
  19. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  20. Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

Please also post new hijack log.

Thanks!
shadow_777

Posted: Wed Mar 09, 2005 1:32 pm

ok I've done what you said (I hope properly)

here is the FindNarrator log:

---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)

********* Date/Time ********

09 March 2005 (09/03/2005)
21:16, GMT Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\system32\cpcguq.dll: updates.qoologic.com
C:\WINDOWS\system32\eaezpn.dll: updates.qoologic.com
C:\WINDOWS\system32\hqhpua.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\pvpquk.dat: .aspack
C:\WINDOWS\system32\wkwyug.exe: .aspack

---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\47482538-f9ba-4a0a-9408-1f353696266d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{347B0667-C7ED-429B-BDE3-CC8D3BACAA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A17E30C4-A9BA-11D4-8673-60DB54C10000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA218328-0EA8-4D70-8972-E987A9190FF4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9191F79-5613-4C76-AA2A-398534BB8999}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqfgyx]
@="{f7769ee6-a0fd-4a19-a756-337778a7b93c}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"bcmwltry"="bcmwltry.exe"
"removecpl"="RemoveCpl.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Desksite CMA"="C:\\Program Files\\desksite\\bin\\cma.exe"
"LabtecKB"="C:\\Program Files\\Labtec\\Labtec Keyboard-Desktop Software\\DsiMmKbd.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"mswspl"=""
"Narrator"="C:\\WINDOWS\\System32\\wkwyug.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

and now the hijackthis log as you asked for

Logfile of HijackThis v1.99.1
Scan saved at 21:31:16, on 09/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hnhygi.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
blender

Posted: Wed Mar 09, 2005 11:01 pm

Hi

Ok... Fix didn't go as well as I thought... I missed part of it the first time.

Let's go again after it.


  1. Done
  2. Done
  3. Disconnect from internet and shut down all running programs
  4. Double-click on KillBox.exe.
  5. Keep Notepad open!
  6. Start Task manager (ctrl+alt+del) and end task explorer.exe
  7. Ok warning and close task manager (desktop disappears now)
  8. In Killbox Click "Delete on Reboot"
  9. Paste this file into the top "Full Path of File to Delete" box.

    • C:\WINDOWS\System32\cpcguq.dll

  10. Click the "Delete File" button which looks like a stop sign.
  11. Click "Yes" at the Delete on Reboot prompt.
  12. Click "No" at the Pending Operations prompt.
  13. Repeat steps 8-12 above for these files:

    • C:\WINDOWS\System32\eaezpn.dll
    • C:\WINDOWS\System32\hqhpua.exe
    • C:\WINDOWS\System32\pvpquk.dat
    • C:\WINDOWS\System32\wkwyug.exe

  14. Click "Delete on Reboot"
  15. Paste this file into the top "Full Path of File to Delete" box.

    • C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hnhygi.exe

  16. Click the "Delete File" button which looks like a stop sign.
  17. Click "Yes" at the Delete on Reboot prompt.
  18. Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
  19. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  20. Once the computer has been restarted, double-click on FindNarrator.bat and post the new FindNarrator.txt.

Please also post new hijack log.
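
The before/after comparison of two FindNarrator runs that the post above does by eye, as an added Python example (not part of the original thread or of the FindIt tool): it parses the Strings.exe and Run Key sections, diffs the flagged files, and lists Run values that still point at a flagged file. The two sample logs are abridged from the 7 March and 9 March logs posted in this thread; the function and variable names are this example's own.

```python
import re

SECTION_RE = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}$")    # ---- Title ---- banner
HIT_RE = re.compile(r"^([A-Za-z]:\\[^:]+):\s*(.+)$")    # path: matched string
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')            # "name"="data" in a .reg export
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def split_sections(log):
    """Map each banner title to the non-empty lines that follow it."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = sections.setdefault(banner.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sections


def flagged_files(log):
    """Return {lower-cased path: {matched strings}} from the Strings.exe sections.

    A hit is a candidate only: the tool itself warns that it also finds
    legitimate files.
    """
    hits = {}
    for title, lines in split_sections(log).items():
        if not title.startswith("Strings.exe"):
            continue
        for line in lines:
            m = HIT_RE.match(line)
            if m:
                hits.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return hits


def run_entries(log):
    """Return [(value name, command)] directly under the HKLM Run key, skipping subkeys."""
    entries, in_run = [], False
    for line in split_sections(log).get("Run Key", []):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            # .reg exports escape backslashes and quotes with a backslash
            entries.append((m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))))
    return entries


def compare_runs(before, after):
    """Diff the flagged files of two runs and list autostarts that still load one."""
    old, new = flagged_files(before), flagged_files(after)
    return {
        "removed": sorted(set(old) - set(new)),
        "remaining": sorted(set(old) & set(new)),
        "new": sorted(set(new) - set(old)),
        # Windows paths are case-insensitive (system32 vs System32 in these logs)
        "autostart": [(name, cmd) for name, cmd in run_entries(after)
                      if any(path in cmd.lower() for path in new)],
    }


# Sample input, abridged from the logs in this thread (Run key shortened).
RUN_SECTION = r'''---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mswspl"=""
"Narrator"="C:\\WINDOWS\\System32\\wkwyug.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------
'''

QOOLOGIC = r'''---------------- FindNarrator NT-2K-XP ----------------
---------------- Strings.exe Qoologic Results ----------------

C:\WINDOWS\system32\cpcguq.dll: updates.qoologic.com
C:\WINDOWS\system32\eaezpn.dll: updates.qoologic.com
C:\WINDOWS\system32\hqhpua.exe: updates.qoologic.com

---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\pvpquk.dat: .aspack
'''

LOG_7_MARCH = QOOLOGIC + r'''C:\WINDOWS\system32\thinInstOIT61MegaV2s.dll: 'aspackl
C:\WINDOWS\system32\thinInstOIT61MegaV2s.dlltmp: 'aspackl
C:\WINDOWS\system32\wkwyug.exe: .aspack

''' + RUN_SECTION

LOG_9_MARCH = QOOLOGIC + r'''C:\WINDOWS\system32\wkwyug.exe: .aspack

''' + RUN_SECTION

if __name__ == "__main__":
    for label, value in compare_runs(LOG_7_MARCH, LOG_9_MARCH).items():
        print(label, value)
```
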
shadow_777

Posted: Fri Mar 11, 2005 5:14 am

ok, I hope it worked perfectly this time - this is my findnarrator log:



---------------- FindNarrator NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)

********* Date/Time ********

11 March 2005 (11/03/2005)
13:00, GMT Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------


---------------- Strings.exe Aspack Results ----------------


---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\47482538-f9ba-4a0a-9408-1f353696266d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{347B0667-C7ED-429B-BDE3-CC8D3BACAA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A17E30C4-A9BA-11D4-8673-60DB54C10000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA218328-0EA8-4D70-8972-E987A9190FF4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9191F79-5613-4C76-AA2A-398534BB8999}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqfgyx]
@="{f7769ee6-a0fd-4a19-a756-337778a7b93c}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"bcmwltry"="bcmwltry.exe"
"removecpl"="RemoveCpl.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Desksite CMA"="C:\\Program Files\\desksite\\bin\\cma.exe"
"LabtecKB"="C:\\Program Files\\Labtec\\Labtec Keyboard-Desktop Software\\DsiMmKbd.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"mswspl"=""
"Narrator"="C:\\WINDOWS\\System32\\wkwyug.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------







errm... now hijack this log:



Logfile of HijackThis v1.99.1
Scan saved at 13:14:03, on 11/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\wkwyug.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://img.mediaplex.com/cgi-bin/html/ads/3990/
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe




ok? now?
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Fri Mar 11, 2005 7:42 am

LOL!

I'm not usually into rap....but not bad... :D

Ok....narrator is gone! :D

A regedit to do to clean out remnants.

Copy the following text inside the code box to a new notepad file, save as file name remove.reg, as file types all files and save it to your desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\47482538-f9ba-4a0a-9408-1f353696266d]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqfgyx]

[-HKEY_CLASSES_ROOT\CLSID\{f7769ee6-a0fd-4a19-a756-337778a7b93c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mswspl"=-
"narrator"=-


Double click remove.reg
Answer yes to merge/add items to registry
Should get success message.
That will remove items left over from Narrator in registry.

I see you picked up some new stuff.
iMesh comes bundled with junk. I suggest Uninstalling it.
You can do that in add/remove programs.
There will likely also be an entry in add/remove programs called iMesh ads support
Uninstall that as well.

That is likely your weird search engine as they will customise popups according to where you are surfing.

Reboot after removing those 2 apps and post new log please.

Here is info page on infected/not infected p2p programs:

http://www.safer-networking.org/en/articles/index.html

http://www.spywareinfo.com/articles/p2p/

Did you uninstall bps spyware remover?

Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Sat Mar 12, 2005 11:04 am

yeah i uninstalled BPS... at least i think i did...Plus i removed iMESH as you said, i thought it was good as a friend recommended but na..lol

ok rebooting now, posting log in a minute
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Sat Mar 12, 2005 11:57 am

Logfile of HijackThis v1.99.1
Scan saved at 19:54:58, on 12/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://img.mediaplex.com/cgi-bin/html/ads/3990/
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab



ok?
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Sun Mar 13, 2005 8:48 am

Hi

Ok....Please check in add/remove programs to see if Bps spyware and adware is uninstalled. (not in list)

If it is not listed...please do the following:

Download LSPFix here: (If you deleted the one you already downloaded)

http://www.cexx.org/LSPFix.exe

Save the file but don't run it yet.

Start hijackthis, check the following entry, then close all open windows and hit "fix checked":

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://img.mediaplex.com/cgi-bin/html/ads/3990/

Exit Hijackthis.

Exit IE and disconnect from internet.
Start LSPFix.exe
Check "I know what I am doing"
Move all instances of apptoport.dll (Nothing else!) to the remove pane using the >>
Click finish and close program.

Reboot

Find and delete:

c:\program files\bulletproofsoft.com <--entire folder

Please post new hijack log and let me know how things are running.
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Sun Mar 13, 2005 9:41 am

things are doing fine, all i find wrong is a search bar and the odd ad or two, but that's no problem. here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:02, on 13/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
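Added example (not part of the original thread, and not a Spyware Warrior or HijackThis tool): a small Python check that compares a "before" and an "after" HijackThis log to confirm that the entries targeted by a fix are gone and that nothing new appeared. The sample logs are abridged excerpts of the 12/03/2005 and 13/03/2005 logs above; the function names are assumptions made for this example.

```python
import re
from collections import Counter

# HijackThis result lines start with a section code such as R1, O4, O10, O16.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Abridged excerpts of the two logs in this thread (sample input for the
# example). The 15 identical O10 lines are cut to 3 to keep the sample short.
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://img.mediaplex.com/cgi-bin/html/ads/3990/
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""


def parse_entries(log_text):
    """Count every result line in a log as a (section, body) pair.

    Header lines and the running-process list do not match the section
    pattern and are ignored. A Counter keeps duplicates, which matters for
    O10 because one LSP DLL is listed once per Winsock chain entry.
    """
    entries = Counter()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries[(match["section"], match["body"])] += 1
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) Counters between two logs."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    # Counter subtraction keeps only positive counts, so a partially
    # removed duplicate (e.g. 15 O10 lines down to 2) still shows up.
    return before - after, after - before


def verify_fix(before_text, after_text, targets):
    """Report, per target substring, whether the fix actually took effect."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)

    def hits(entries, needle):
        needle = needle.lower()
        return sum(n for (_, body), n in entries.items() if needle in body.lower())

    status = {}
    for target in targets:
        if hits(after, target):
            status[target] = "still present"
        elif hits(before, target):
            status[target] = "removed"
        else:
            status[target] = "never listed"
    return status


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for (section, body), count in sorted(removed.items()):
        print(f"removed x{count}: {section} - {body}")
    for (section, body), count in sorted(added.items()):
        print(f"NEW x{count}: {section} - {body}")
    print(verify_fix(BEFORE, AFTER, ["apptoport.dll", "img.mediaplex.com"]))
```

Any line reported as NEW deserves a second look before the thread is closed, since a log that only shrinks is what a successful cleanup looks like.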
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Sun Mar 13, 2005 10:18 am

oh plus one more problem- my pc often freezes and i have to reboot, this is a big annoyance :(
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Sun Mar 13, 2005 8:45 pm

Hi

Log shows nothing about a search bar....but HJT does not "show all"
Can you give a bit more info what this search bar looks like?

Let's look a little deeper and see if we can find what is still freezing system.
If you are still getting popups and weird searchbar....something is still there.

I need to see a full startup list please.

Start hijack> "Open misc tools section"
Beside "generate startup list log" check both:

List also minor sections
List empty sections

Then hit "generate startup list log" and OK
Post entire results please.

Thanks!
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Wed Mar 16, 2005 8:38 am

searchbar is:

called ISearch
it appears in firefox next to the address bar, where the quick search engines are. every time i open firefox, it should have a google search- but it's ISearch. i can change it back to google though, but only to go back after a new mozilla firefox window is opened


here is my complete log, as you said:


StartupList report, 16/03/2005, 16:34:14
StartupList version: 1.52.2
Started from : C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\hadi.JIM-BU062HALYEV\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
bcmwltry = bcmwltry.exe
removecpl = RemoveCpl.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Desksite CMA = C:\Program Files\desksite\bin\cma.exe
LabtecKB = C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Desktop Search Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
Bonus Sites Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
iSearch Toolbar Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[InstallShield Setup Player 2K2]
CODEBASE = http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[YAddBook Class]
InProcServer32 = blank
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

[{E5D419D6-A846-4514-9FAD-97E826C84822}]
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
BCM 802.11g Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
delprot: \SystemRoot\system32\drivers\delprot.sys (system)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Dritek HotKey Filter Driver: System32\DRIVERS\DKbFltr.sys (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
INFUSB: system32\drivers\infusb.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ISEXEng: C:\WINDOWS\System32\angelex.exe (disabled)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
OrangeWare USB 2.0 Root Hub Support: System32\DRIVERS\ousb2hub.sys (manual start)
NEC PCI to USB Enhanced Host Controller: System32\Drivers\ousbehci.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Logitech QuickCam Express(PID_0920): System32\DRIVERS\LV532AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Labtec WebCam(PID_0840): System32\DRIVERS\LVCD.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiSV: System32\DRIVERS\SiSV.sys (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{AB12B30E-15DF-4993-9A67-D4813070FE4E} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
VIA AC'97 Audio Controller (WDM): system32\drivers\ac97via.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,813 bytes
Report generated in 0.761 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


ok?
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Wed Mar 16, 2005 8:40 am

Plus- what about the freezing problem? that is a bigger annoyance :(
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Thu Mar 17, 2005 1:23 am

Hi

Freeze-up is possibly from Isearch itself...

Going to have to do a little searching for it...But first...

Copy the following text inside the code box to a new notepad file, save as file name remove.reg, as file types all files and save to desktop. Don't run it yet.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delprot]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\delprot]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\delprot]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DELPROT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DELPROT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DELPROT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ISEXEng]


Click start> run> type services.msc and hit enter.
In next window...
Scroll down to messenger
Double click it to bring up properties.
Click stop
Using pulldown arrow beside "startup type" set it to disabled
Apply and OK changes.
Exit services applet.
We stopped that to shut off the silly "messenger service" spam popups. (has nothing to do with MSN.)

For each of the commands below...if you get an error...just continue on to the next one.

Click start> run> type cmd and hit enter.

At the prompt type net stop delprot and hit enter.
Type sc delete "delprot" and hit enter.
Type sc delete "ISEXEng" and hit enter.

Should get success for each one except possibly the first if the driver file is missing.

Reboot to safe mode

Double click remove.reg
Answer yes to add/merge prompt.
Should get success message.
That will delete those 2 bad services from registry.

Find and delete if present the following:

C:\Windows\system32\drivers\delprot.sys <--file

C:\Windows\delprot.ini <--file

C:\windows\system32\angelx.exe <--file

C:\Windows\isrvs <--folder

Empty out temp folders again
Empty out prefetch folder again
Empty trash bin again
Empty out temporary internet files inc. offline content
Empty Firefox cache (tools> options> privacy> click "clear" button beside "cache". OK prompt if any.)

Back to normal windows....

Need you to check something for me...

Go to C:\Windows\explorer.exe <--right click this file| properties. What is file size? (need to know exact kb please)

Do same check on the following 2 files:

C:\Windows\system32\dllcache\explorer.exe

C:\Windows\ServicePackFiles\i386\explorer.exe

Report back here on size of all 3

Now to find registry locations of Isearch and get export of it all...

Download Registry Search Tool from here:

http://www.billsway.com/vbspage/

Unzip it to desktop.

Double click regsearch.vbs
Paste the following text into the find box and hit OK:

Isearch

It will disappear for a few minutes to run its search.
Will tell you when done and offer to show you file.
Say yes to see it.

Post entire results here please along with new startup list (complete)

**Note** If Antivirus warns you of a possible malicious script, please allow it to run. It is not dangerous. All it is doing is searching registry for info we ask and putting results to text file for us to read.

Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
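
The post above asks for the size of three copies of explorer.exe. The following is an added example, not part of the original post: it makes the same comparison in Python and also hashes each copy, because two files can have the same size and different contents. The function names are this example's own, and a copy that does not exist is reported as absent instead of raising an error.

```python
import hashlib
import os

# The three locations named in the post above.
EXPLORER_COPIES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\system32\dllcache\explorer.exe",
    r"C:\Windows\ServicePackFiles\i386\explorer.exe",
]


def fingerprint(path, chunk_size=65536):
    """Return (size_in_bytes, sha256_hex) for path, or None if it is absent."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as handle:
        # Read in chunks so large files are not loaded into memory at once.
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def compare_copies(paths):
    """Compare several copies of what should be the same file.

    Returns a dict with:
      present - {path: (size, sha256)} for the copies that exist
      missing - [path, ...] for the copies that do not
      verdict - "match", "mismatch", or "insufficient" (fewer than 2 copies)
      same_size_different_hash - True when every size agrees but the
                contents differ, which a size-only check cannot detect
    """
    present, missing = {}, []
    for path in paths:
        result = fingerprint(path)
        if result is None:
            missing.append(path)
        else:
            present[path] = result

    sizes = {size for size, _ in present.values()}
    hashes = {sha for _, sha in present.values()}

    if len(present) < 2:
        verdict = "insufficient"
    elif len(hashes) == 1:
        verdict = "match"
    else:
        verdict = "mismatch"

    return {
        "present": present,
        "missing": missing,
        "verdict": verdict,
        "same_size_different_hash": len(sizes) == 1 and len(hashes) > 1,
    }


def format_report(result):
    """Render the comparison as text suitable for pasting into a reply."""
    lines = []
    for path, (size, sha) in result["present"].items():
        lines.append(f"{size:>10} bytes  {sha}  {path}")
    for path in result["missing"]:
        lines.append(f"{'absent':>16}  {path}")
    lines.append(f"verdict: {result['verdict']}")
    if result["same_size_different_hash"]:
        lines.append("note: sizes agree but contents differ")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_copies(EXPLORER_COPIES)))
```

A "match" verdict only says the copies agree with each other; it does not say which version of the file they are.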

shadow_777

Posted: Thu Mar 17, 2005 10:32 am

980 KB- explorer.exe

980 KB- explorer.exe (Dllcache)

couldn't find ServicePackFiles

one sec - I'm gonna do the searchtool now
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
shadow_777

Posted: Thu Mar 17, 2005 10:45 am

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "Isearch" 17/03/2005 18:41:19

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
@="Content Index ISearch Creator Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0C061EC1-EB5C-45CF-AD26-E94B40BB2DE9}]
@="_ISearchAssistantEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D2EFD50-75CE-11D1-B75A-00A0C90564FE}]
@="ISearchCommandExt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{47C922A2-3DD5-11D2-BF8B-00C04FB93661}]
@="ISearches"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA1}]
@="ISearchAssistantOC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA2}]
@="ISearchAssistantOC2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}]
@="ISearchAssistantOC3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7366EA16-7A1A-4EA2-B042-973D3E9CD99B}]
@="ISearchJob"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{88AEE058-D4B0-4725-A2F1-814A67AE964C}]
@="ISearchCompletedCallback"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A700A634-2850-4C47-938A-9E4B6E5AF9A6}]
@="ISearchCompletedCallbackArgs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA9239A4-3DD5-11D2-BF8B-00C04FB93661}]
@="ISearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6570AE1-05A5-4E8E-A292-8460325518D2}]
@="ISearchBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C66ABAC9-96D0-4940-BFBC-8F519CEEEB13}]
@="ISearchBar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D40CFF62-E08C-4498-941A-01E25F0FD33C}]
@="ISearchResult"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DB5CEF35-BEC6-4762-A1BD-253F5BF67C72}]
@="ISearchCompanionInfo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F74F2E3B-CEF7-4856-A170-8258A35CE375}]
@="ISearchAssistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"iSearch Toolbar Removal Tool"="\"C:\\WINDOWS\\inst\\kill.exe\" /VERYSILENT /NOCANCEL /NORESTART /SP-"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Linkage]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ISAPISearch\Linkage]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ISAPISearch\Performance]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISAPISearch\Linkage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISAPISearch\Performance]

[HKEY_USERS\S-1-5-21-854245398-1580436667-1957994488-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\inst\\kill.exe"="iSearch Removal Tool "


and the startup list



StartupList report, 17/03/2005, 18:44:50
StartupList version: 1.52.2
Started from : C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\hadi.JIM-BU062HALYEV\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
bcmwltry = bcmwltry.exe
removecpl = RemoveCpl.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Desksite CMA = C:\Program Files\desksite\bin\cma.exe
LabtecKB = C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Desktop Search Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
Bonus Sites Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
iSearch Toolbar Removal Tool = "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[InstallShield Setup Player 2K2]
CODEBASE = http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[YAddBook Class]
InProcServer32 = blank
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

[{E5D419D6-A846-4514-9FAD-97E826C84822}]
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
BCM 802.11g Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Dritek HotKey Filter Driver: System32\DRIVERS\DKbFltr.sys (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
INFUSB: system32\drivers\infusb.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
OrangeWare USB 2.0 Root Hub Support: System32\DRIVERS\ousb2hub.sys (manual start)
NEC PCI to USB Enhanced Host Controller: System32\Drivers\ousbehci.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Logitech QuickCam Express(PID_0920): System32\DRIVERS\LV532AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Labtec WebCam(PID_0840): System32\DRIVERS\LVCD.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiSV: System32\DRIVERS\SiSV.sys (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{AB12B30E-15DF-4993-9A67-D4813070FE4E} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
VIA AC'97 Audio Controller (WDM): system32\drivers\ac97via.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,655 bytes
Report generated in 3.505 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


ok?
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Thu Mar 17, 2005 11:33 am

Hi

Ok....file sizes on explorer.exe are OK.
You likely could not find ServicePackFiles folder if you opted not to keep old files when installing sp1....that's ok.

Startup list looks better....those bad services are gone.

I need to check a few things before I make a regedit file to fix rest of isearch.

Cus we're gonna do a fair big regedit please make yourself a restore point...just a precaution I like to take.

Start> programs> accessories> system tools> system restore.
Click "create restore point"
Call it whatever you like and then hit "create"
Should get success message.
Close window when done.

I'll be back shortly.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Thu Mar 17, 2005 12:29 pm

Ok...I don't like the results...almost everything there is valid.
Not as big of a regedit as I first thought.

Few startup entries that should have gone away a couple bootups ago...

Copy the following text inside the code box to a new notepad file, save as file name remove.reg, as file types all files and save it to the desktop.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Desktop Search Removal Tool"=-
"Bonus Sites Removal Tool"=-
"iSearch Toolbar Removal Tool"=-

[HKEY_USERS\S-1-5-21-854245398-1580436667-1957994488-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\inst\\kill.exe"=-


Double click remove.reg
Answer yes to add/merge with registry
Should get success message.

Reboot

I think the results are a case sensitive search issue....Let's try again with slight difference.

Open regsearch.vbs again.
Paste or type this into the search bar and hit OK:

iSearch

Let it run its scan....post results when done along with normal hijackthis log.
System still freezing/dragging?

Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Thu Mar 17, 2005 1:11 pm

system still freezing ... but it last froze before i followed your last instruction, so let's hope it won't. here are the results





REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "iSearch " 17/03/2005 21:05:35

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
@="Content Index ISearch Creator Object"


that's all. now the hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 21:10:24, on 17/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svcnet.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\StreamCast\Morpheus\morphexe.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

ok..
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Fri Mar 18, 2005 4:13 am

Hi

You picked up a nice worm...likely from morpheus

P2P-Worm.Win32.Tibick.f

Info here:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=70081

Open task manager (ctrl+alt+del)

End task on the following:

svcnet.exe

Ok warning.

Start hijackthis, check the following entries, then close all other open windows and hit "fix checked":

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O4 - HKLM\..\Run: [Shellapi32] svcnet.exe

O4 - HKCU\..\Run: [Shellapi32] svcnet.exe


Reboot to safe mode

find and delete the following:

C:\Windows\system32\svcnet.exe <--file

C:\Windows\system32\msview <--entire folder....It is full of about 100+ copies of worm.

C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar <--file

Empty trash bin...

Reboot back to normal windows.

run online scan here: (only works with IE)

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Let them clean up what they find.
Note what they cannot clean.

Reboot after.

If you insist on continuing to use morpheus you will need to check the configuration of it....it is likely set to auto share contents of "msview" folder.

Another note on morpheus......it comes bundled with adware/spyware.

Uninfected/infected p2p apps info:

http://www.safer-networking.org/en/articles/index.html

http://www.spywareinfo.com/articles/p2p/

Let's try this to remove iSearch from firefox:

Open Firefox
Hit "tools"
Hit "extensions"
Highlight the "isearch" one then click "uninstall"

Go to:

C:\Program files\Mozilla Firefox\search plugins

isearch.src
isearch.gif
isearch anything else.

Reboot again....

Post new log when done please.
Let me know if still freezing.
Let me know if firefox still affected.

Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
shadow_777
Junior Member


Joined: 24 Feb 2005
Last Visit: 31 Jul 2005
Posts: 49
Location: The UK... WHOO!

Posted: Fri Mar 18, 2005 7:00 am

I have good news and bad news

BAD NEWS

System still seems to be freezing, last time it froze was about 7 mins before last reboot to post this so i dunno

GOOD NEWS

after going into searchplugins and deleting it it seems to have gone, it isn't default search, it isn't even THERE ANYMORE!



but the freezing is getting really irritating. i will post later today saying if it froze again. ok

thank you very very very very very very much this isearch was a nasty little bugga to get rid of. i will also post a hijack log:


ps. i couldn't find the R3... in hijackthis so I suppose it's gone, whatever it was


Logfile of HijackThis v1.99.1
Scan saved at 14:59:02, on 18/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\hadi.JIM-BU062HALYEV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [LabtecKB] C:\Program Files\Labtec\Labtec Keyboard-Desktop Software\DsiMmKbd.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloudPlugin] "C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/9.11.0004/OCI/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

there. :)
_________________
STICK TWO FINGERS UP TO SPYWARE !!!!

I HOPE SATAN HAS A SPOT FOR SPYWARE CREATORS
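The before/after comparison that the helper does by eye between the 17/03 and 18/03 HijackThis logs can be scripted. This is an added example, not part of the thread or of HijackThis; the function names are hypothetical and the embedded logs are shortened excerpts of the two logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."

# Shortened excerpts of the 17/03 and 18/03 logs in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svcnet.exe
C:\Program Files\StreamCast\Morpheus\morphexe.exe

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe

O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [CloudPlugin] "C:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""
# The three entries the helper asked to tick before "fix checked".
FIX_CHECKED = r"""R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
"""

def parse_hjt(text):
    """Return (running process paths, numbered entries) from a HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:  # first R/O/F entry ends the process list
            in_procs = False
            entries.add(Entry(m.group(1), m.group(2)))
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries

def diff_scans(before, after):
    """What disappeared and what is new between two scans of the same machine."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {"entries_removed": sorted(e0 - e1), "entries_added": sorted(e1 - e0),
            "procs_gone": sorted(p0 - p1), "procs_new": sorted(p1 - p0)}

def unresolved(fix_list, after):
    """Entries that were selected for fixing but still show up in the later scan."""
    return sorted(parse_hjt(fix_list)[1] & parse_hjt(after)[1])

if __name__ == "__main__":
    for key, items in diff_scans(BEFORE, AFTER).items():
        print(key)
        for item in items:
            print("   ", " - ".join(item) if isinstance(item, Entry) else item)
    print("still present after fix:", unresolved(FIX_CHECKED, AFTER))
```

Entries listed under `entries_added` and `procs_new` are the ones to review next, since they were not part of the scan the fix was based on.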
All times are GMT - 8 Hours