Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Command Service malware - Oh, to be able to remove it!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Command Service malware - Oh, to be able to remove it!

Unread postby lblondon » August 17th, 2006, 2:43 pm

Have the above on my pc and despite valiant attempts at removal, which include
spybot
regedit

cannot seem to do it, any help gratefully received

Thanks
Liz

System scan below
Logfile of HijackThis v1.99.1
Scan saved at 19:38:59, on 8/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\internat.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuza.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O20 - Winlogon Notify: Time Zones - C:\WINDOWS\system32\p84u0ih9e84.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm
Advertisement
Register to Remove

Unread postby Navigator » August 17th, 2006, 7:53 pm

Hello lblondon...welcome to Malware Removal...you have some nasty infections on this computer! It may take several steps to try and clean...

Download L2mfix.exe from one of these two locations...
- http://www.atribune.org/downloads/l2mfix.exe
- http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar like:
C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..
Then please use "option #5" or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first. After you have run "Option #5", use the instructions above run "Option #1" again.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Command Service malware - Oh, to be able to remove it!

Unread postby lblondon » August 18th, 2006, 3:22 pm

Hi Navigator, thanks for taking the time to help, done as instructed, below is log information as requested.
Liz

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AdminDebug]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l80u0id9e80.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i2420choef4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Screen Savers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iqfgnt5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir68l5ju1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5ED1D2A8-C042-118E-BFF4-EBDA9A1BFB96}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{a2d76d60-0125-11d1-943d-004095210265}"="M-Systems TrueFFS"
"{0A082D00-EC93-11D0-B1E6-80580BC10627}"="Corel Media Folder Root Menu Handler"
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"="Folder To Corel Media Folder Menu Handler"
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}"="Corel Media Find Folder"
"{F8152501-455F-11D1-B1E6-444553540000}"="Corel Media Folder Copy Hook Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec Directcd Shell Extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{23985298-DC57-4F0F-ACDD-06A8ED462D83}"=""
"{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}"=""
"{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}"=""
"{F627453C-EF38-4E9F-9665-D606FA6C1F7E}"=""
"{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}"=""
"{16F9BE12-A3DA-475D-9110-2D44E3030BAE}"=""
"{87D67269-6E4F-4F4D-A213-34D1552A93D6}"=""
"{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}"=""
"{99D84535-B016-41B2-9F04-9BA66C525789}"=""
"{26DF2529-BF13-4B0E-B108-43F8FEEC1097}"=""
"{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}"=""
"{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}"=""
"{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}"=""
"{592F920D-2C2A-44F0-934E-953306B0C1A3}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\InprocServer32]
@="C:\\WINDOWS\\system32\\iqfgnt5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ixfgnt5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\InprocServer32]
@="C:\\WINDOWS\\system32\\DODRGCTL.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mPcrovsn.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\InprocServer32]
@="C:\\WINDOWS\\system32\\iXsuserr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\InprocServer32]
@="C:\\WINDOWS\\system32\\idmp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\dicpcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\InprocServer32]
@="C:\\WINDOWS\\system32\\swrmdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\InprocServer32]
@="C:\\WINDOWS\\system32\\tyolhelp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\InprocServer32]
@="C:\\WINDOWS\\system32\\cncui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dFd8thk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\InprocServer32]
@="C:\\WINDOWS\\system32\\dheml.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\modtcui.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
cmrtc.dll Sun 6 Aug 2006 13:23:20 ..S.R 234,265 228.77 K
csmdlg32.dll Sat 5 Aug 2006 21:45:00 ..S.R 234,709 229.21 K
dcnim.dll Tue 15 Aug 2006 21:42:54 ..S.R 237,291 231.73 K
dicpcsvc.dll Tue 25 Jul 2006 19:26:06 ..S.R 234,798 229.29 K
dnauth.dll Mon 7 Aug 2006 12:01:56 ..S.R 236,809 231.26 K
enj2l1~1.dll Mon 7 Aug 2006 12:36:34 ..S.R 233,853 228.37 K
fp0o03~1.dll Sun 30 Jul 2006 18:29:10 ..S.R 234,775 229.27 K
fp6403~1.dll Tue 8 Aug 2006 18:04:10 ..S.R 233,835 228.35 K
fp8s03~1.dll Mon 14 Aug 2006 18:31:54 ..S.R 236,209 230.67 K
fpnq03~1.dll Sun 6 Aug 2006 12:56:04 ..S.R 234,818 229.31 K
fpr803~1.dll Sun 13 Aug 2006 17:50:36 ..S.R 234,840 229.34 K
fprq03~1.dll Wed 9 Aug 2006 14:36:04 ..S.R 233,947 228.46 K
h22o0c~1.dll Thu 17 Aug 2006 23:26:04 ..S.R 237,291 231.73 K
h24m0c~1.dll Sun 6 Aug 2006 11:36:04 ..S.R 234,407 228.91 K
idmp.dll Wed 19 Jul 2006 18:36:56 ..S.R 235,000 229.49 K
igmontr.dll Sat 5 Aug 2006 22:12:32 ..S.R 236,173 230.64 K
inssvcs.dll Sun 6 Aug 2006 11:36:06 ..S.R 234,265 228.77 K
ir8ul5~1.dll Mon 14 Aug 2006 20:55:20 ..S.R 234,240 228.75 K
irnql5~1.dll Sun 30 Jul 2006 22:51:54 ..S.R 236,027 230.49 K
j6p0lg~1.dll Sun 6 Aug 2006 15:35:32 ..S.R 234,458 228.96 K
jz4025~1.dll Mon 14 Aug 2006 18:31:54 ..S.R 235,426 229.91 K
k8js0i~1.dll Sun 6 Aug 2006 12:49:54 ..S.R 234,983 229.47 K
ksdal.dll Wed 16 Aug 2006 17:55:22 ..S.R 233,705 228.23 K
l80u0i~1.dll Wed 16 Aug 2006 19:53:46 ..S.R 233,702 228.22 K
lvp209~1.dll Wed 19 Jul 2006 20:27:58 ..S.R 235,000 229.49 K
m482le~1.dll Sun 30 Jul 2006 21:16:48 ..S.R 235,196 229.68 K
m4rm0e~1.dll Sat 22 Jul 2006 20:49:26 ..S.R 235,957 230.43 K
m8460i~1.dll Mon 7 Aug 2006 13:26:10 ..S.R 233,572 228.10 K
mbpi32.dll Sun 30 Jul 2006 21:48:02 ..S.R 234,472 228.98 K
modtcui.dll Fri 18 Aug 2006 20:00:24 ..S.R 233,702 228.22 K
mtrd2x40.dll Tue 15 Aug 2006 22:06:00 ..S.R 237,291 231.73 K
mut2fw95.dll Mon 7 Aug 2006 12:36:34 ..S.R 236,809 231.26 K
muxoci.dll Sun 6 Aug 2006 15:25:28 ..S.R 234,458 228.96 K
mv0ml9~1.dll Tue 15 Aug 2006 21:42:54 ..S.R 233,802 228.32 K
mvl8l9~1.dll Tue 25 Jul 2006 19:29:06 ..S.R 234,798 229.29 K
mvmbg.dll Sun 30 Jul 2006 22:52:00 ..S.R 234,472 228.98 K
mvrol9~1.dll Sat 5 Aug 2006 23:56:04 ..S.R 236,486 230.94 K
n04sla~1.dll Tue 15 Aug 2006 21:13:50 ..S.R 235,426 229.91 K
o4pqle~1.dll Wed 16 Aug 2006 19:21:52 ..S.R 233,705 228.23 K
ogesvr.dll Sun 6 Aug 2006 16:21:20 ..S.R 234,646 229.14 K
opbc16gt.dll Sat 12 Aug 2006 13:29:10 ..S.R 233,947 228.46 K
p0n8la~1.dll Mon 7 Aug 2006 12:01:56 ..S.R 234,173 228.68 K
p2r4lc~1.dll Sun 6 Aug 2006 15:22:00 ..S.R 235,950 230.42 K
qkvd.dll Sun 30 Jul 2006 23:13:22 ..S.R 234,472 228.98 K
u8ruli~1.dll Sun 6 Aug 2006 16:48:26 ..S.R 234,247 228.75 K
ylrwin32.dll Sun 6 Aug 2006 12:49:54 ..S.R 234,265 228.77 K

46 items found: 46 files (46 H/S), 0 directories.
Total of file sizes: 10,806,672 bytes 10.30 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri 18 Aug 2006 20:00:08 A.... 0 0.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C038-E40C

Directory of C:\WINDOWS\System32

18/08/2006 20:00 233,702 modtcui.dll
17/08/2006 23:26 237,291 h22o0cf3ef2.dll
16/08/2006 19:53 233,702 l80u0id9e80.dll
16/08/2006 19:21 233,705 o4pqle751h.dll
16/08/2006 17:55 233,705 ksdal.dll
15/08/2006 22:05 237,291 mtrd2x40.dll
15/08/2006 21:42 237,291 dCnim.dll
15/08/2006 21:42 233,802 mv0ml9d11.dll
15/08/2006 21:13 235,426 n04slah71d4.dll
14/08/2006 20:55 234,240 ir8ul5l91.dll
14/08/2006 18:31 235,426 jz4025hmg.dll
14/08/2006 18:31 236,209 fp8s03l7e.dll
13/08/2006 17:50 234,840 fpr8039ue.dll
12/08/2006 13:29 233,947 opbc16gt.dll
09/08/2006 14:36 233,947 fprq0395e.dll
08/08/2006 18:04 233,835 fp6403jqe.dll
07/08/2006 13:26 233,572 m8460ihse8460.dll
07/08/2006 12:36 236,809 MUT2FW95.DLL
07/08/2006 12:36 233,853 enj2l11o1.dll
07/08/2006 12:01 236,809 dnauth.dll
07/08/2006 12:01 234,173 p0n8la5u1d.dll
06/08/2006 16:48 234,247 u8ruli9918.dll
06/08/2006 16:21 234,646 ogesvr.dll
06/08/2006 15:35 234,458 j6p0lg7m16.dll
06/08/2006 15:25 234,458 muxoci.dll
06/08/2006 15:21 235,950 p2r4lc9q1f.dll
06/08/2006 13:23 234,265 cmrtc.dll
06/08/2006 12:56 234,818 fpnq0355e.dll
06/08/2006 12:49 234,265 YLRWin32.dll
06/08/2006 12:49 234,983 k8js0i17e8.dll
06/08/2006 11:36 234,265 iNssvcs.dll
06/08/2006 11:36 234,407 h24m0ch1ef4.dll
05/08/2006 23:56 236,486 mvrol9931.dll
05/08/2006 22:15 <DIR> dllcache
05/08/2006 22:12 236,173 igmontr.dll
05/08/2006 21:44 234,709 csmdlg32.dll
30/07/2006 23:13 234,472 qkvd.dll
30/07/2006 22:51 234,472 MVMBG.DLL
30/07/2006 22:51 236,027 irnql5551.dll
30/07/2006 21:48 234,472 mBpi32.dll
30/07/2006 21:16 235,196 m482lelo1hqc.dll
30/07/2006 18:29 234,775 fp0o03d3e.dll
25/07/2006 19:29 234,798 mvl8l93u1.dll
25/07/2006 19:26 234,798 dicpcsvc.dll
22/07/2006 20:49 235,957 m4rm0e91eh.dll
19/07/2006 20:27 235,000 lvp2097oe.dll
19/07/2006 18:36 235,000 idmp.dll
01/01/1999 00:13 235,847 irpql5751.dll
01/01/1999 00:13 236,317 jr4025hmg.dll
01/01/1999 00:03 235,614 s8puli7918.dll
01/01/1999 00:03 235,139 jt6807jue.dll
50 File(s) 11,749,589 bytes
1 Dir(s) 486,578,176 bytes free
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 18th, 2006, 5:15 pm

Hello lblondon...you are welcome!

1. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your Desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing "Enter", then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2Mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new Hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Note : Once the PC has restarted if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2Mfix folder.

2. Post back with the L2MFix log and a new HJT log...there will be more work to do!
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 19th, 2006, 4:36 pm

Here you go, next log
L
L2mfix 032106
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 148 'smss.exe'
Killing PID 148 'smss.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 196 'winlogon.exe'
Killing PID 196 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 880 'explorer.exe'
Killing PID 880 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'rundll32.exe'
Killing PID 780 'rundll32.exe'
Error 0x5 : Access is denied.

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\cmrtc.dll
Successfully Deleted: C:\WINDOWS\system32\cmrtc.dll
Deleting: C:\WINDOWS\system32\csmdlg32.dll
Successfully Deleted: C:\WINDOWS\system32\csmdlg32.dll
Deleting: C:\WINDOWS\system32\dCnim.dll
Successfully Deleted: C:\WINDOWS\system32\dCnim.dll
Deleting: C:\WINDOWS\system32\dicpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\dicpcsvc.dll
Deleting: C:\WINDOWS\system32\dn4q01h5e.dll
Successfully Deleted: C:\WINDOWS\system32\dn4q01h5e.dll
Deleting: C:\WINDOWS\system32\dnauth.dll
Successfully Deleted: C:\WINDOWS\system32\dnauth.dll
Deleting: C:\WINDOWS\system32\enj2l11o1.dll
Successfully Deleted: C:\WINDOWS\system32\enj2l11o1.dll
Deleting: C:\WINDOWS\system32\fp0o03d3e.dll
Successfully Deleted: C:\WINDOWS\system32\fp0o03d3e.dll
Deleting: C:\WINDOWS\system32\fp2403fqe.dll
Successfully Deleted: C:\WINDOWS\system32\fp2403fqe.dll
Deleting: C:\WINDOWS\system32\fp6403jqe.dll
Successfully Deleted: C:\WINDOWS\system32\fp6403jqe.dll
Deleting: C:\WINDOWS\system32\fp8s03l7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8s03l7e.dll
Deleting: C:\WINDOWS\system32\fpnq0355e.dll
Successfully Deleted: C:\WINDOWS\system32\fpnq0355e.dll
Deleting: C:\WINDOWS\system32\fpr8039ue.dll
Successfully Deleted: C:\WINDOWS\system32\fpr8039ue.dll
Deleting: C:\WINDOWS\system32\fprq0395e.dll
Successfully Deleted: C:\WINDOWS\system32\fprq0395e.dll
Deleting: C:\WINDOWS\system32\h22o0cf3ef2.dll
Successfully Deleted: C:\WINDOWS\system32\h22o0cf3ef2.dll
Deleting: C:\WINDOWS\system32\h24m0ch1ef4.dll
Successfully Deleted: C:\WINDOWS\system32\h24m0ch1ef4.dll
Deleting: C:\WINDOWS\system32\idmp.dll
Successfully Deleted: C:\WINDOWS\system32\idmp.dll
Deleting: C:\WINDOWS\system32\igmontr.dll
Successfully Deleted: C:\WINDOWS\system32\igmontr.dll
Deleting: C:\WINDOWS\system32\iNssvcs.dll
Successfully Deleted: C:\WINDOWS\system32\iNssvcs.dll
Deleting: C:\WINDOWS\system32\ir8ul5l91.dll
Successfully Deleted: C:\WINDOWS\system32\ir8ul5l91.dll
Deleting: C:\WINDOWS\system32\irnql5551.dll
Successfully Deleted: C:\WINDOWS\system32\irnql5551.dll
Deleting: C:\WINDOWS\system32\irpql5751.dll
Successfully Deleted: C:\WINDOWS\system32\irpql5751.dll
Deleting: C:\WINDOWS\system32\j6p0lg7m16.dll
Successfully Deleted: C:\WINDOWS\system32\j6p0lg7m16.dll
Deleting: C:\WINDOWS\system32\jr4025hmg.dll
Successfully Deleted: C:\WINDOWS\system32\jr4025hmg.dll
Deleting: C:\WINDOWS\system32\jt6807jue.dll
Successfully Deleted: C:\WINDOWS\system32\jt6807jue.dll
Deleting: C:\WINDOWS\system32\jz4025hmg.dll
Successfully Deleted: C:\WINDOWS\system32\jz4025hmg.dll
Deleting: C:\WINDOWS\system32\k8js0i17e8.dll
Successfully Deleted: C:\WINDOWS\system32\k8js0i17e8.dll
Deleting: C:\WINDOWS\system32\ksdal.dll
Successfully Deleted: C:\WINDOWS\system32\ksdal.dll
Deleting: C:\WINDOWS\system32\lvp2097oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvp2097oe.dll
Deleting: C:\WINDOWS\system32\m482lelo1hqc.dll
Successfully Deleted: C:\WINDOWS\system32\m482lelo1hqc.dll
Deleting: C:\WINDOWS\system32\m4rm0e91eh.dll
Successfully Deleted: C:\WINDOWS\system32\m4rm0e91eh.dll
Deleting: C:\WINDOWS\system32\m8460ihse8460.dll
Successfully Deleted: C:\WINDOWS\system32\m8460ihse8460.dll
Deleting: C:\WINDOWS\system32\mBpi32.dll
Successfully Deleted: C:\WINDOWS\system32\mBpi32.dll
Deleting: C:\WINDOWS\system32\modtcui.dll
Successfully Deleted: C:\WINDOWS\system32\modtcui.dll
Deleting: C:\WINDOWS\system32\mrexcl40.dll
Successfully Deleted: C:\WINDOWS\system32\mrexcl40.dll
Deleting: C:\WINDOWS\system32\mtrd2x40.dll
Successfully Deleted: C:\WINDOWS\system32\mtrd2x40.dll
Deleting: C:\WINDOWS\system32\MUT2FW95.DLL
Successfully Deleted: C:\WINDOWS\system32\MUT2FW95.DLL
Deleting: C:\WINDOWS\system32\muxoci.dll
Successfully Deleted: C:\WINDOWS\system32\muxoci.dll
Deleting: C:\WINDOWS\system32\mv0ml9d11.dll
Successfully Deleted: C:\WINDOWS\system32\mv0ml9d11.dll
Deleting: C:\WINDOWS\system32\mvl8l93u1.dll
Successfully Deleted: C:\WINDOWS\system32\mvl8l93u1.dll
Deleting: C:\WINDOWS\system32\MVMBG.DLL
Successfully Deleted: C:\WINDOWS\system32\MVMBG.DLL
Deleting: C:\WINDOWS\system32\mvnsl9571.dll
Successfully Deleted: C:\WINDOWS\system32\mvnsl9571.dll
Deleting: C:\WINDOWS\system32\mvrol9931.dll
Successfully Deleted: C:\WINDOWS\system32\mvrol9931.dll
Deleting: C:\WINDOWS\system32\n04slah71d4.dll
Successfully Deleted: C:\WINDOWS\system32\n04slah71d4.dll
Deleting: C:\WINDOWS\system32\o4pqle751h.dll
Successfully Deleted: C:\WINDOWS\system32\o4pqle751h.dll
Deleting: C:\WINDOWS\system32\ogesvr.dll
Successfully Deleted: C:\WINDOWS\system32\ogesvr.dll
Deleting: C:\WINDOWS\system32\opbc16gt.dll
Successfully Deleted: C:\WINDOWS\system32\opbc16gt.dll
Deleting: C:\WINDOWS\system32\p0n8la5u1d.dll
Successfully Deleted: C:\WINDOWS\system32\p0n8la5u1d.dll
Deleting: C:\WINDOWS\system32\p2r4lc9q1f.dll
Successfully Deleted: C:\WINDOWS\system32\p2r4lc9q1f.dll
Deleting: C:\WINDOWS\system32\qkvd.dll
Successfully Deleted: C:\WINDOWS\system32\qkvd.dll
Deleting: C:\WINDOWS\system32\s8puli7918.dll
Successfully Deleted: C:\WINDOWS\system32\s8puli7918.dll
Deleting: C:\WINDOWS\system32\u8ruli9918.dll
Successfully Deleted: C:\WINDOWS\system32\u8ruli9918.dll
Deleting: C:\WINDOWS\system32\YLRWin32.dll
Successfully Deleted: C:\WINDOWS\system32\YLRWin32.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn4q01h5e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i2420choef4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Screen Savers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iqfgnt5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir68l5ju1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cmrtc.dll
C:\WINDOWS\system32\csmdlg32.dll
C:\WINDOWS\system32\dCnim.dll
C:\WINDOWS\system32\dicpcsvc.dll
C:\WINDOWS\system32\dn4q01h5e.dll
C:\WINDOWS\system32\dnauth.dll
C:\WINDOWS\system32\enj2l11o1.dll
C:\WINDOWS\system32\fp0o03d3e.dll
C:\WINDOWS\system32\fp2403fqe.dll
C:\WINDOWS\system32\fp6403jqe.dll
C:\WINDOWS\system32\fp8s03l7e.dll
C:\WINDOWS\system32\fpnq0355e.dll
C:\WINDOWS\system32\fpr8039ue.dll
C:\WINDOWS\system32\fprq0395e.dll
C:\WINDOWS\system32\h22o0cf3ef2.dll
C:\WINDOWS\system32\h24m0ch1ef4.dll
C:\WINDOWS\system32\idmp.dll
C:\WINDOWS\system32\igmontr.dll
C:\WINDOWS\system32\iNssvcs.dll
C:\WINDOWS\system32\ir8ul5l91.dll
C:\WINDOWS\system32\irnql5551.dll
C:\WINDOWS\system32\irpql5751.dll
C:\WINDOWS\system32\j6p0lg7m16.dll
C:\WINDOWS\system32\jr4025hmg.dll
C:\WINDOWS\system32\jt6807jue.dll
C:\WINDOWS\system32\jz4025hmg.dll
C:\WINDOWS\system32\k8js0i17e8.dll
C:\WINDOWS\system32\ksdal.dll
C:\WINDOWS\system32\lvp2097oe.dll
C:\WINDOWS\system32\m482lelo1hqc.dll
C:\WINDOWS\system32\m4rm0e91eh.dll
C:\WINDOWS\system32\m8460ihse8460.dll
C:\WINDOWS\system32\mBpi32.dll
C:\WINDOWS\system32\modtcui.dll
C:\WINDOWS\system32\mrexcl40.dll
C:\WINDOWS\system32\mtrd2x40.dll
C:\WINDOWS\system32\MUT2FW95.DLL
C:\WINDOWS\system32\muxoci.dll
C:\WINDOWS\system32\mv0ml9d11.dll
C:\WINDOWS\system32\mvl8l93u1.dll
C:\WINDOWS\system32\MVMBG.DLL
C:\WINDOWS\system32\mvnsl9571.dll
C:\WINDOWS\system32\mvrol9931.dll
C:\WINDOWS\system32\n04slah71d4.dll
C:\WINDOWS\system32\o4pqle751h.dll
C:\WINDOWS\system32\ogesvr.dll
C:\WINDOWS\system32\opbc16gt.dll
C:\WINDOWS\system32\p0n8la5u1d.dll
C:\WINDOWS\system32\p2r4lc9q1f.dll
C:\WINDOWS\system32\qkvd.dll
C:\WINDOWS\system32\s8puli7918.dll
C:\WINDOWS\system32\u8ruli9918.dll
C:\WINDOWS\system32\YLRWin32.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}\InprocServer32]
@="C:\\WINDOWS\\system32\\iqfgnt5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ixfgnt5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}\InprocServer32]
@="C:\\WINDOWS\\system32\\DODRGCTL.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mPcrovsn.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}\InprocServer32]
@="C:\\WINDOWS\\system32\\iXsuserr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}\InprocServer32]
@="C:\\WINDOWS\\system32\\idmp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\dicpcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}\InprocServer32]
@="C:\\WINDOWS\\system32\\swrmdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}\InprocServer32]
@="C:\\WINDOWS\\system32\\tyolhelp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}\InprocServer32]
@="C:\\WINDOWS\\system32\\cncui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dFd8thk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}\InprocServer32]
@="C:\\WINDOWS\\system32\\dheml.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\mrexcl40.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{23985298-DC57-4F0F-ACDD-06A8ED462D83}"=-
"{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}"=-
"{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}"=-
"{F627453C-EF38-4E9F-9665-D606FA6C1F7E}"=-
"{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}"=-
"{16F9BE12-A3DA-475D-9110-2D44E3030BAE}"=-
"{87D67269-6E4F-4F4D-A213-34D1552A93D6}"=-
"{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}"=-
"{99D84535-B016-41B2-9F04-9BA66C525789}"=-
"{26DF2529-BF13-4B0E-B108-43F8FEEC1097}"=-
"{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}"=-
"{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}"=-
"{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}"=-
"{592F920D-2C2A-44F0-934E-953306B0C1A3}"=-
[-HKEY_CLASSES_ROOT\CLSID\{23985298-DC57-4F0F-ACDD-06A8ED462D83}]
[-HKEY_CLASSES_ROOT\CLSID\{12414AF9-F71A-4DF3-91F6-BFB600A1DD3D}]
[-HKEY_CLASSES_ROOT\CLSID\{2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573}]
[-HKEY_CLASSES_ROOT\CLSID\{F627453C-EF38-4E9F-9665-D606FA6C1F7E}]
[-HKEY_CLASSES_ROOT\CLSID\{EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219}]
[-HKEY_CLASSES_ROOT\CLSID\{16F9BE12-A3DA-475D-9110-2D44E3030BAE}]
[-HKEY_CLASSES_ROOT\CLSID\{87D67269-6E4F-4F4D-A213-34D1552A93D6}]
[-HKEY_CLASSES_ROOT\CLSID\{5A904DAD-2AA5-42C3-A379-769C04D2E3DE}]
[-HKEY_CLASSES_ROOT\CLSID\{99D84535-B016-41B2-9F04-9BA66C525789}]
[-HKEY_CLASSES_ROOT\CLSID\{26DF2529-BF13-4B0E-B108-43F8FEEC1097}]
[-HKEY_CLASSES_ROOT\CLSID\{9D73BE8D-C6E8-4553-83DF-FC65C48B726E}]
[-HKEY_CLASSES_ROOT\CLSID\{DDEE6BA4-2194-461D-AE0A-41F1A21C187A}]
[-HKEY_CLASSES_ROOT\CLSID\{7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E}]
[-HKEY_CLASSES_ROOT\CLSID\{592F920D-2C2A-44F0-934E-953306B0C1A3}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/cmrtc.dll (152 bytes security) (deflated 4%)
adding: dlls/csmdlg32.dll (152 bytes security) (deflated 4%)
adding: dlls/dCnim.dll (152 bytes security) (deflated 6%)
adding: dlls/dicpcsvc.dll (152 bytes security) (deflated 5%)
adding: dlls/dn4q01h5e.dll (152 bytes security) (deflated 5%)
adding: dlls/dnauth.dll (152 bytes security) (deflated 5%)
adding: dlls/enj2l11o1.dll (152 bytes security) (deflated 4%)
adding: dlls/fp0o03d3e.dll (152 bytes security) (deflated 5%)
adding: dlls/fp2403fqe.dll (152 bytes security) (deflated 4%)
adding: dlls/fp6403jqe.dll (152 bytes security) (deflated 4%)
adding: dlls/fp8s03l7e.dll (152 bytes security) (deflated 5%)
adding: dlls/fpnq0355e.dll (152 bytes security) (deflated 5%)
adding: dlls/fpr8039ue.dll (152 bytes security) (deflated 5%)
adding: dlls/fprq0395e.dll (152 bytes security) (deflated 4%)
adding: dlls/h22o0cf3ef2.dll (152 bytes security) (deflated 6%)
adding: dlls/h24m0ch1ef4.dll (152 bytes security) (deflated 4%)
adding: dlls/idmp.dll (152 bytes security) (deflated 5%)
adding: dlls/igmontr.dll (152 bytes security) (deflated 5%)
adding: dlls/iNssvcs.dll (152 bytes security) (deflated 4%)
adding: dlls/ir8ul5l91.dll (152 bytes security) (deflated 4%)
adding: dlls/irnql5551.dll (152 bytes security) (deflated 5%)
adding: dlls/irpql5751.dll (152 bytes security) (deflated 5%)
adding: dlls/j6p0lg7m16.dll (152 bytes security) (deflated 4%)
adding: dlls/jr4025hmg.dll (152 bytes security) (deflated 5%)
adding: dlls/jt6807jue.dll (152 bytes security) (deflated 5%)
adding: dlls/jz4025hmg.dll (152 bytes security) (deflated 5%)
adding: dlls/k8js0i17e8.dll (152 bytes security) (deflated 5%)
adding: dlls/ksdal.dll (152 bytes security) (deflated 4%)
adding: dlls/lvp2097oe.dll (152 bytes security) (deflated 5%)
adding: dlls/m482lelo1hqc.dll (152 bytes security) (deflated 5%)
adding: dlls/m4rm0e91eh.dll (152 bytes security) (deflated 5%)
adding: dlls/m8460ihse8460.dll (152 bytes security) (deflated 4%)
adding: dlls/mBpi32.dll (152 bytes security) (deflated 4%)
adding: dlls/modtcui.dll (152 bytes security) (deflated 4%)
adding: dlls/mrexcl40.dll (152 bytes security) (deflated 5%)
adding: dlls/mtrd2x40.dll (152 bytes security) (deflated 6%)
adding: dlls/MUT2FW95.DLL (152 bytes security) (deflated 5%)
adding: dlls/muxoci.dll (152 bytes security) (deflated 4%)
adding: dlls/mv0ml9d11.dll (152 bytes security) (deflated 4%)
adding: dlls/mvl8l93u1.dll (152 bytes security) (deflated 5%)
adding: dlls/MVMBG.DLL (152 bytes security) (deflated 4%)
adding: dlls/mvnsl9571.dll (152 bytes security) (deflated 4%)
adding: dlls/mvrol9931.dll (152 bytes security) (deflated 5%)
adding: dlls/n04slah71d4.dll (152 bytes security) (deflated 5%)
adding: dlls/o4pqle751h.dll (152 bytes security) (deflated 4%)
adding: dlls/ogesvr.dll (152 bytes security) (deflated 4%)
adding: dlls/opbc16gt.dll (152 bytes security) (deflated 4%)
adding: dlls/p0n8la5u1d.dll (152 bytes security) (deflated 4%)
adding: dlls/p2r4lc9q1f.dll (152 bytes security) (deflated 5%)
adding: dlls/qkvd.dll (152 bytes security) (deflated 4%)
adding: dlls/s8puli7918.dll (152 bytes security) (deflated 5%)
adding: dlls/u8ruli9918.dll (152 bytes security) (deflated 4%)
adding: dlls/YLRWin32.dll (152 bytes security) (deflated 4%)
adding: backregs/12414AF9-F71A-4DF3-91F6-BFB600A1DD3D.reg (164 bytes security) (deflated 69%)
adding: backregs/16F9BE12-A3DA-475D-9110-2D44E3030BAE.reg (164 bytes security) (deflated 70%)
adding: backregs/23985298-DC57-4F0F-ACDD-06A8ED462D83.reg (164 bytes security) (deflated 69%)
adding: backregs/26DF2529-BF13-4B0E-B108-43F8FEEC1097.reg (164 bytes security) (deflated 70%)
adding: backregs/2E2B9E67-AE1F-40E9-8CAB-F2A7CFB7E573.reg (164 bytes security) (deflated 69%)
adding: backregs/592F920D-2C2A-44F0-934E-953306B0C1A3.reg (164 bytes security) (deflated 70%)
adding: backregs/5A904DAD-2AA5-42C3-A379-769C04D2E3DE.reg (164 bytes security) (deflated 69%)
adding: backregs/7F3A1C96-4A40-4268-B4C2-B2E5B5A71F1E.reg (164 bytes security) (deflated 70%)
adding: backregs/87D67269-6E4F-4F4D-A213-34D1552A93D6.reg (164 bytes security) (deflated 70%)
adding: backregs/99D84535-B016-41B2-9F04-9BA66C525789.reg (164 bytes security) (deflated 69%)
adding: backregs/9D73BE8D-C6E8-4553-83DF-FC65C48B726E.reg (164 bytes security) (deflated 69%)
adding: backregs/DDEE6BA4-2194-461D-AE0A-41F1A21C187A.reg (164 bytes security) (deflated 69%)
adding: backregs/EDA0B4B8-EDD2-4DE7-8301-1C5876E2E219.reg (164 bytes security) (deflated 69%)
adding: backregs/F627453C-EF38-4E9F-9665-D606FA6C1F7E.reg (164 bytes security) (deflated 69%)
adding: backregs/notibac.reg (152 bytes security) (deflated 87%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 19th, 2006, 4:47 pm

I think the end of the L2MFix log got cut off due to it's length...if you need multiple replies to fit it all, that is OK...

I also need the new HJT log after running the L2MFix... :D
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 19th, 2006, 4:52 pm

Checked the log and that is the last line? Where is the HJT log?
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 19th, 2006, 4:56 pm

Post a NEW HJT log like you did at the beginning of the thread....

Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy (Ctrl+C) and then paste (Ctrl+V) the log contents in a reply in this thread.

The HJT log will change as we remove the malware...I need to see what it contains...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 19th, 2006, 5:16 pm

Duh, sorry my attention span is obviously a little short ;) - see HJT log below

L

Logfile of HijackThis v1.99.1
Scan saved at 22:13:28, on 8/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\internat.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuza.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 19th, 2006, 5:28 pm

Hey Liz...good work!




1. First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Image and select alcanshorty.bfu
  • Press Execute and let the program do it's job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 19th, 2006, 7:26 pm

Well, that was all working far too easily. Followed instructions 1,2 ,3 i.e
dowload ewido, bfu and other one, rebooted computer in safe mode, tried to run ewido but got an error message, rebooted in safe and tried again... nothing.

Rebooted uninstalled ewido, reinstalled and tried to open. Ewido.exe is still showing as an ongoing process - currently 8 mins - but not opening and CPU usage running at 100%, shortcuts on desktop etc.

HJT log attached.

Any ideas?
L
Logfile of HijackThis v1.99.1
Scan saved at 00:24:12, on 8/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\internat.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\ozuz\ozuza.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl6IEJyb3duYmlsbA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 19th, 2006, 9:41 pm

Hello Liz...

Close out Ewido, reboot into safe mode and do the instructions for BFU (step 5.)

After doing step 5. in safe mode, try and run the Ewido scan again while still in safe mode...

If Ewido does not work in safe mode, then reboot to normal mode and try and run it from there.

Post back with another HJT log and the Ewido scan if you can get it to work.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 20th, 2006, 9:39 am

Ewido is having none of it! Ran bfu and below is the good ol HJT report
L
Logfile of HijackThis v1.99.1
Scan saved at 14:35:58, on 8/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\internat.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm

Unread postby Navigator » August 20th, 2006, 3:45 pm

Hello lblondon....well, that got rid of the command service!

I'm not sure what is up with Ewido, but it would really help if we could run it...is it giving you an error message or just stalling at a certain point? Any information you can give me will be helpful...

1. Go to Start | Run and type this in the box: services.msc
  • Locate these services, 'Windows Idle Process' then right click and select properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled

2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.

3. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\PROGRAM FILES\COMMON FILES\ozuz

Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\smsc.exe


5. Reboot into Windows normally.

6. Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


7. Post back with the F-Secure online scan report and a new HJT log....
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby lblondon » August 20th, 2006, 6:42 pm

Hey Navigator, hope your weekend's been cool, once again thanks for taking the time to do this for me it is really appreciated. Liz

Ediwo - just wont run, just leaves it hangs as a process but nothing happens.

Followed latest instructions, issues where:

Ccouldn't find this line in HiJack This to check
O23 - Service: Windows Idle Process - Unknown owner - C:\WINDOWS\system32\smsc.exe (file missing)

F_Secure Online Scanner wont run, works until starting to scan system then comes up with error and says need to try again error id:24
______
As I've no longer got command service which was the point of this excercise and McAfee is now working again, if your bored, please feel free to call it a day, lol
_______
So only log I have is HJT - see below
Logfile of HijackThis v1.99.1
Scan saved at 23:32:57, on 8/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\system32\internat.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... 9&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ozuz] C:\PROGRA~1\COMMON~1\ozuz\ozuzm.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9117949366
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=34&i ... d=4&tag=51
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD58CA12-8424-47D5-BD30-97C19F9BF87A}: NameServer = 62.6.40.178 194.72.9.38
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dn4q01h5e.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\i2420choef4c0.dll (file missing)
O20 - Winlogon Notify: Screen Savers - C:\WINDOWS\system32\iqfgnt5.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ir68l5ju1.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
lblondon
Active Member
 
Posts: 10
Joined: August 17th, 2006, 2:35 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware