Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

Aurora Infestation - Please Help

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Mon Jul 18, 2005 6:16 pm    Post subject: Aurora Infestation - Please Help Reply with quote

I'm new to Hijack This so please be patient. I'm having trouble with Aurora popups and keep getting "Security Warnings" from WinFixer 2005. Have no idea how I got stuck in this stupid loop. Here is my log. Can someone please help.

Logfile of HijackThis v1.99.1
Scan saved at 5:51:05 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\easl\slta.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sheryl\My Documents\download\HIJACK THIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [Iurr] C:\Program Files\easl\slta.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\vkmdbg.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Thu Jul 21, 2005 2:23 pm    Post subject: Reply with quote

shalexa77,

Important: Do this before any fix.

Please put your HijackThis in it's own folder. You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.


Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.

The reason we do this is HijackThis creates backup files just in case you'd need to restore one since we'll be cleaning out the temp files.



After the above:


Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, press Ctrl+A, then Ctrl+C, and paste its contents in a reply to this thread.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Thu Jul 21, 2005 4:02 pm    Post subject: Here's my new log Reply with quote

Logfile of HijackThis v1.99.1
Scan saved at 5:01:37 PM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\easl\slta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [Iurr] C:\Program Files\easl\slta.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\mqwcnl32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Fri Jul 22, 2005 6:40 am    Post subject: Reply with quote

shalexa77,

I'll analyze your HJT log and get back to you.

Thanks.

SWCS
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Fri Jul 22, 2005 9:09 am    Post subject: Reply with quote

shalexa77,

Go to Add/Remove Programs (Start/Control Panel/Add-Remove Programs) and remove ViewPoint Manager. It is often bundled with undesireables and often without the consent of the user.

Please run HJT and check the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\mqwcnl32.dll


Are you running For Simulated Live Broadcasts (SLTA=Simulated Live Transfer Agent). See http://service.real.com/help/library/guides/helixuniversalserver/htmfiles/iqslta.htm. If not, check:
O4 - HKCU\..\Run: [Iurr] C:\Program Files\easl\slta.exe

Close all windows except HJT, click Fix Checked.

Navigate to the following files and delete them:

C:\WINDOWS\system32\mqwcnl32.dll << This file
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe << This file
C:\WINDOWS\system32\m190309.EXE << This file
C:\Program Files\NaviSearch\bin\nls.exe << This file
C:\WINDOWS\AuroraHandler.dll << This file
C:\WINDOWS\system32\exp.exe << This file


If you checked O4 - HKCU\..\Run: [Iurr] C:\Program Files\easl\slta.exe in HJT, then also delete:
C:\Program Files\easl\slta.exe << This file

Restart your computer, run another HJT scan and paste the log into a reply to this thread.

Thanks.


SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sun Jul 24, 2005 1:07 pm    Post subject: new troubles Reply with quote

Hi!
Thanks for taking a look at my logs. I'm really having trouble accessing the Internet at all now. Everytime I try I just get booted off. Any help will be appreciated.

Thanks
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Sun Jul 24, 2005 6:43 pm    Post subject: Reply with quote

shalexa77,

Have you performed the tasks I previously posted?

I need a new HJT log, please.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sun Jul 24, 2005 9:25 pm    Post subject: New Log Reply with quote

Hi!

I posted one this afternoon but don't know what happened. Here is a new one. I'm really having a problem staying online. IE just keeps shutting off.

Thanks for any help!


Logfile of HijackThis v1.99.1
Scan saved at 10:23:37 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\easl\slta.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\dUdim700.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sun Jul 24, 2005 9:38 pm    Post subject: Ewido and Nailfix Reply with quote

Another question?
I'm seeing some posts that refer to using Ewido and Nailfix. Is this something I should be doing? If so where do I find them?

Thanks, again!
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Mon Jul 25, 2005 9:12 am    Post subject: New Log Reply with quote

I found and ran AdAware SE which found about 200+ problems so here's another new log.

Logfile of HijackThis v1.99.1
Scan saved at 10:10:43 AM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\easl\slta.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\dUdim700.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Mon Jul 25, 2005 10:30 am    Post subject: Reply with quote

shalexa77,

You do not have the Nail.exe infection that requires Ewido and the NailFix. You removed the AuroraHandler which should take care of the Aurora popups.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

We'll keep at it until the infection is gone. Thanks for your patience.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Mon Jul 25, 2005 12:28 pm    Post subject: L2MFIX log Reply with quote

Here you go

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dUdim700.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{40D23503-F2BB-2086-BF24-C52D0509BBBE}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0F08737-0C36-101B-B086-0020AF07D0F4}"="Quick View Plus - Shell Extension object"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{0732B724-64A0-4B04-B7BA-DCD6E73A4962}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0732B724-64A0-4B04-B7BA-DCD6E73A4962}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0732B724-64A0-4B04-B7BA-DCD6E73A4962}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0732B724-64A0-4B04-B7BA-DCD6E73A4962}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0732B724-64A0-4B04-B7BA-DCD6E73A4962}\InprocServer32]
@="C:\\WINDOWS\\system32\\xysp3res.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atl71.dll Wed Jul 6 2005 5:17:28p A.... 89,088 87.00 K
browseui.dll Mon May 2 2005 1:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 1:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
dudim700.dll Sat Jul 23 2005 11:30:46a ..S.R 417,792 408.00 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
iepeers.dll Mon May 2 2005 1:52:34p A.... 250,880 245.00 K
iksetup.dll Tue Jul 19 2005 3:32:58p ..S.R 417,792 408.00 K
inseng.dll Mon May 2 2005 1:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
iz41_qc.dll Thu Jul 21 2005 4:06:24p ..S.R 417,792 408.00 K
mfc71.dll Wed Jul 6 2005 5:17:28p A.... 1,060,864 1.01 M
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
mshtml.dll Mon May 2 2005 1:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 1:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 1:52:36p A.... 146,432 143.00 K
msvcp71.dll Wed Jul 6 2005 5:17:28p A.... 499,712 488.00 K
pngfilt.dll Mon May 2 2005 1:52:36p A.... 39,424 38.50 K
shdocvw.dll Mon May 2 2005 1:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 1:52:36p A.... 473,600 462.50 K
urlmon.dll Mon May 2 2005 1:52:36p A.... 607,744 593.50 K
vkmdbg.dll Sun Jul 17 2005 3:53:20p ..S.R 417,792 408.00 K
wininet.dll Mon May 2 2005 1:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 5:25:36p ..... 15,360 15.00 K
xysp3res.dll Mon Jul 25 2005 9:43:54a ..S.R 417,792 408.00 K

36 items found: 36 files (5 H/S), 0 directories.
Total of file sizes: 18,332,832 bytes 17.48 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun Jul 17 2005 4:10:26p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 381E-285E

Directory of C:\WINDOWS\System32

07/25/2005 09:43 AM 417,792 xysp3res.dll
07/23/2005 11:30 AM 417,792 dUdim700.dll
07/21/2005 04:06 PM 417,792 iz41_qc.dll
07/19/2005 03:32 PM 417,792 iksetup.dll
07/17/2005 04:10 PM 417,792 guard.tmp
07/17/2005 03:53 PM 417,792 vkmdbg.dll
07/13/2005 01:05 PM 401,408 t?skmgr.exe
06/25/2005 06:54 AM <DIR> dllcache
10/25/2003 10:51 AM 1,353 UbgrYPnp.exd
08/27/2002 03:41 PM <DIR> Microsoft
8 File(s) 2,909,513 bytes
2 Dir(s) 14,410,555,392 bytes free
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Tue Jul 26, 2005 5:22 am    Post subject: Reply with quote

shalexa77,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Wed Jul 27, 2005 3:32 pm    Post subject: L2Mfix log Reply with quote

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Sheryl\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Sheryl\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Sheryl\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'
Killing PID 1492 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1628 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dUdim700.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dUdim700.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dugeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dugeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iksetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iksetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iz41_qc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iz41_qc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdur.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdur.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vkmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vkmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dUdim700.dll
Successfully Deleted: C:\WINDOWS\system32\dUdim700.dll
deleting: C:\WINDOWS\system32\dUdim700.dll
Successfully Deleted: C:\WINDOWS\system32\dUdim700.dll
deleting: C:\WINDOWS\system32\dugeng.dll
Successfully Deleted: C:\WINDOWS\system32\dugeng.dll
deleting: C:\WINDOWS\system32\dugeng.dll
Successfully Deleted: C:\WINDOWS\system32\dugeng.dll
deleting: C:\WINDOWS\system32\iksetup.dll
Successfully Deleted: C:\WINDOWS\system32\iksetup.dll
deleting: C:\WINDOWS\system32\iksetup.dll
Successfully Deleted: C:\WINDOWS\system32\iksetup.dll
deleting: C:\WINDOWS\system32\iz41_qc.dll
Successfully Deleted: C:\WINDOWS\system32\iz41_qc.dll
deleting: C:\WINDOWS\system32\iz41_qc.dll
Successfully Deleted: C:\WINDOWS\system32\iz41_qc.dll
deleting: C:\WINDOWS\system32\ktdur.dll
Successfully Deleted: C:\WINDOWS\system32\ktdur.dll
deleting: C:\WINDOWS\system32\ktdur.dll
Successfully Deleted: C:\WINDOWS\system32\ktdur.dll
deleting: C:\WINDOWS\system32\vkmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vkmdbg.dll
deleting: C:\WINDOWS\system32\vkmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vkmdbg.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: dUdim700.dll (164 bytes security) (deflated 48%)
adding: dugeng.dll (164 bytes security) (deflated 48%)
adding: iksetup.dll (164 bytes security) (deflated 48%)
adding: iz41_qc.dll (164 bytes security) (deflated 48%)
adding: ktdur.dll (164 bytes security) (deflated 48%)
adding: vkmdbg.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 23%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 83%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/0732B724-64A0-4B04-B7BA-DCD6E73A4962.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dUdim700.dll
deleting local copy: dUdim700.dll
deleting local copy: dugeng.dll
deleting local copy: dugeng.dll
deleting local copy: iksetup.dll
deleting local copy: iksetup.dll
deleting local copy: iz41_qc.dll
deleting local copy: iz41_qc.dll
deleting local copy: ktdur.dll
deleting local copy: ktdur.dll
deleting local copy: vkmdbg.dll
deleting local copy: vkmdbg.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dUdim700.dll
C:\WINDOWS\system32\dUdim700.dll
C:\WINDOWS\system32\dugeng.dll
C:\WINDOWS\system32\dugeng.dll
C:\WINDOWS\system32\iksetup.dll
C:\WINDOWS\system32\iksetup.dll
C:\WINDOWS\system32\iz41_qc.dll
C:\WINDOWS\system32\iz41_qc.dll
C:\WINDOWS\system32\ktdur.dll
C:\WINDOWS\system32\ktdur.dll
C:\WINDOWS\system32\vkmdbg.dll
C:\WINDOWS\system32\vkmdbg.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0732B724-64A0-4B04-B7BA-DCD6E73A4962}"=-
[-HKEY_CLASSES_ROOT\CLSID\{0732B724-64A0-4B04-B7BA-DCD6E73A4962}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Thu Jul 28, 2005 8:04 am    Post subject: Reply with quote

Hi shalexa77,

Looks like the l2m infection is gone. Great job!

Please run another HJT scan and post a log in a reply to this thread.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sun Jul 31, 2005 8:16 am    Post subject: New Log Reply with quote

Sorry It's taken so long to get back to you. It's been a busy few days. My Trend anti virus is still popping up with warnings every few minutes. Here's my new log. Thanks again for all your help!

Logfile of HijackThis v1.99.1
Scan saved at 9:15:19 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\quarfc.exe
C:\WINDOWS\system32\quarfc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\easl\slta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [quarfc] C:\WINDOWS\system32\quarfc.exe
O4 - HKCU\..\RunOnce: [quarfc] C:\WINDOWS\system32\quarfc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Sun Jul 31, 2005 10:57 am    Post subject: Reply with quote

shalexa77,

There are still a few items of concern in that HJT log.

Now, download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\quarfc.exe into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this:
Quote:
All files will be deleted on reboot

Click yes to that

You will then get this prompt:
Quote:
files will be removed on reboot. Do you want to reboot now?

CLICK YES

Your computer will reboot.

Go to Add/Remove Programs (Start/Control Panel/Add-Remove Programs) and uninstall E2give Plug-in if it is there.

Run an HJT scan and check any of the following that are still there:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKCU\..\Run: [quarfc] C:\WINDOWS\system32\quarfc.exe
O4 - HKCU\..\RunOnce: [quarfc] C:\WINDOWS\system32\quarfc.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx


Close all windows except HJT and click Fix Checked.

Navigate to the following files in Windows Explorer and delete if they still exist:

C:\WINDOWS\system32\quarfc.exe << This file
C:\Program Files\E2G << This folder

Please post a fresh HJT log in this thread when you are finished with Killbox.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Wed Aug 03, 2005 11:47 am    Post subject: Here's my newest log Reply with quote

Logfile of HijackThis v1.99.1
Scan saved at 12:45:57 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\easl\slta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Thu Aug 04, 2005 12:35 pm    Post subject: Reply with quote

Hi shalexa77,

Congratulations! Your most recent HJT log looks pretty clean. You've done a great job persevering through this process.

A couple of items to take care of in HJT. Run HJT and check the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)


Close all windows except HJT and click Fix Checked.

In order to help prevent future infection, I recommend that you install the following applications:

Ad-Aware Download.com - Ad-Aware dwnld. - used to clean out adware, spyware and some trojans

Spybot Search & Destroy Major Geeks - Spybot Search & Destroy dwnld. - used to clean out adware, spyware and some trojans - complements Ad-Aware

Spywareblaster Major Geeks - Spywareblaster dwnld. - used to clean out adware, spyware and some trojans

Spywareguard Major Geeks - Spywareguard dwnld. - used for real-time protection from spyware installation

IE/Spyad PC-World - IE/Spyad dwnld. - prevents potentially infected downloads from over 4000 websites and domains

MVPS Hosts File MVPS Host dwnld. prevents connection to known infectious websites

Google Toolbar Google Toolbar dwnld. - helps stop pop-up windows

Mozilla Firefox Mozilla web site - a more secure browser to use in place of Internet Explorer (keep IE on your computer since you will need it for Windows Updates and some Internet sites)

Also, keep up-to-date with your Windows Updates and do your Disk CleanUp (Start/Programs/Accessories/System Tools/Disk CleanUp) on a regular basis.

Tony Klein's article, "How I Got Infected in the First Place", may be a big help to you, also.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Thu Aug 04, 2005 3:56 pm    Post subject: Here's a final log Reply with quote

Hi!
Thanks so much for sticking this out with me. My Computer seems to be working much better. Here is my most recent log. I don't seem to be able to get rid of the "02 BHO (no name)..." line

Logfile of HijackThis v1.99.1
Scan saved at 4:52:38 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\easl\slta.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Thu Aug 04, 2005 5:15 pm    Post subject: New Warning Reply with quote

Hi!
I just got a Security Notification from Trend that says
C:\WINDOWS\ru.exe is infected and the
virus name shows as ADW CLICKSPRNG.K

Is there something I need to do?
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Mon Aug 08, 2005 8:10 am    Post subject: Reply with quote

shalexa77,

Download Ad-aware Second Edition v1.06 here and install it. If you already have Ad-aware Second Edition v1.06 skip to the next step.

Open Ad-Aware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the WebUpdate screen.

If an update is available, download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Don't scan yet. We will do it in safe mode.

Also, download MWAV free from here. Install it, but do not run a scan with it yet.

Please reboot your computer into Safe Mode (Restart, when screen turns black, start pressing F8 until menu comes up, arrow up to Safe Mode and press Enter).

Run an Ad-Aware Scan and delete all files it finds.

Run an MWAV scan and let it clean up any infection it finds.

Run an HJT scan, and check:
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

Close all windows except HJT and press Fix Checked.

Navigate to this file and delete it if it still exists:

C:\WINDOWS\ru.exe<<=This file

Reboot your computer, run an HJT scan and post a new log in this thread.

Thanks.

SWCS
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Mon Aug 08, 2005 11:15 am    Post subject: Reply with quote

shalexa77,

Hold it. Run the mwav scan AFTER the reboot. It doesn't clean, just creates a log. Before you do the fresh HJT scan, Run MWAV. Do a full scan. When its done, copy/paste the information from the Virus Log Information pane and post it into your reply along with a fresh HJT log.

Thanks.

SWCS[/b]
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Mon Aug 08, 2005 4:32 pm    Post subject: MWAV? Reply with quote

Where do it download it from? Can you send me a link?
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Tue Aug 09, 2005 7:17 am    Post subject: Reply with quote

Hi shalexa77,

Download MWAV free from here.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Wed Aug 10, 2005 4:41 pm    Post subject: MWAV? Reply with quote

It still doesn't show as a link. What is the website address?
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Thu Aug 11, 2005 6:55 am    Post subject: Reply with quote

shalexa77,

Sorry, the links do not change color except with a roll-over of the mouse.

Click on the word here: Download MWAV free from here.

Thanks.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Fri Aug 12, 2005 12:31 pm    Post subject: Help! Reply with quote

I think I ran all the steps but I can't post the MWAV log. I get a FATAL ERROR message saying its too large. Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:06 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Fri Aug 12, 2005 2:09 pm    Post subject: Reply with quote

shalexa77,

Boot into Safe Mode. Find and delete the following file:

C:\WINDOWS\Tasks\RUTASK.job<<= this file

When copying and pasting the mwav log, post just what is in the Virus Log pane, not the complete log.

Thank you.

swcs
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sat Aug 20, 2005 5:12 pm    Post subject: Here is my MWAV log Reply with quote

Sorry it took me so long. I didn't see your reply until just today.
Here's my copy of what was in the MWAVE Virus Pane

File C:\PROGRA~1\easl\slta.exe infected by "Trojan-Clicker.Win32.Agent.ei" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Sheryl\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Sheryl\Desktop\l2mfix.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
Object "MyWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Lycos Sidesearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CoolWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "pop Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "PerfectNav Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "stlbdist Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\btiein.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\hrtbeat.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\eabtstrp.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\objsafe.tlb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\btiein.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\STREETGLOW V4.0c win2000_XP.bat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BBLUE\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BCYAN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BGREEN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BMAGENTA\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BRED\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Baiern\BYELLOW\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DBLUE\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DCYAN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DGREEN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DMAGENTA\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DRED\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Duhen\DYELLOW\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EBLUE\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ECYAN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EGREEN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EMAGENTA\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\ERED\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\F_bumper_4.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\FL_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\FR_fender_skirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Einvagen\EYELLOW\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENBLUE\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENCYAN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENGREEN\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENMAGENTA\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENRED\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\L_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Enula\ENYELLOW\R_sideskirt_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Extra\sgicon.ico". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FBLUE\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FBLUE\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FCYAN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FCYAN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FGREEN\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FGREEN\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FMAGENTA\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FMAGENTA\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FRED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FRED\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FRED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FRED\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FYELLOW\L_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Focer\FYELLOW\R_sideskirt.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBLUE\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MBLUE\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MCYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MCYAN\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MCYAN\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MGREEN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MGREEN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MGREEN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MGREEN\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MGREEN\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MMAGENTA\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MMAGENTA\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MMAGENTA\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MMAGENTA\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MMAGENTA\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MRED\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MRED\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MRED\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MRED\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MRED\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MYELLOW\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MYELLOW\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MYELLOW\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MYELLOW\stock_L_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\MC\MYELLOW\stock_R_exhaust_pipe.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBASE\read me first.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\FL_quarterpanel.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\FL_quarterpanel_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\FR_quarterpanel.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\FR_quarterpanel_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\R_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NBLUE\R_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\F_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\F_bumper_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\F_bumper_3.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\FL_quarterpanel.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\FL_quarterpanel_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\FR_quarterpanel.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\FR_quarterpanel_2.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Activision Value\Street Legal Racing\rev4sg\Nonus\NCYAN\R_bumper.cfg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Shar
Back to top
View user's profile Send private message
SWCS
Warrior


Joined: 30 Jun 2005
Last Visit: 03 Dec 2012
Posts: 52

PostPosted: Mon Aug 22, 2005 12:37 pm    Post subject: Reply with quote

shalexa77,

Since it has been 10 days since your last HJT log, you will need to copy and paste a new HJT log so that I can compare it with the mwav log.

In the meantime, I will research the findings in the mwav virus log.

Thank you.

SWCS
Back to top
View user's profile Send private message
shalexa77
Junior Member


Joined: 18 Jul 2005
Last Visit: 24 Nov 2005
Posts: 25

PostPosted: Sun Aug 28, 2005 12:19 pm    Post subject: New HJT Log Reply with quote

For some reason it has quit notifying me when you reply. I'm sorry it took me so long to realize I should just check the string. Thanks again for all your help. Here's a new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:18:20 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sheryl\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,141,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


This subject is now closed, if you need it re-opened please pm a moderator to reopen it.
Anyone else with similar issues please start a thread of your own.

September 18, 2005

Thank you,

Nick
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics All times are GMT - 8 Hours
Page 1 of 1

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group