Help removing virus

Discussion in 'Malware and Virus Removal Archive' started by Oxygen, 2006/06/26.

  1. 2006/06/26
    Oxygen

    Oxygen Inactive Thread Starter

    Hi there, I have been getting a pop-up message stating that my computer is infected: "critical system error, system detected virus activities they may cause critical system failure. please use antimalware software to clean and protect your system from parasite programs". If I click the message I get redirected to a web site to download some adware removers! I have run McAfee/XoftSpy/and Registry Fix, which have removed many infected files, but I'm still getting this annoying pop-up message. All of the software I've run now shows my computer as uninfected, but there must still be something there! One of the files I remember deleting with XoftSpySE was called smitfraud. If anyone could help I would be grateful. I am quite a beginner with PCs, so please explain any advice.

    many thanks

    colin
     
  2. 2006/06/26
    TeMerc

    TeMerc Inactive Alumni

    Welcome to BBS forums Colin.

    To ensure we know you have a SmitFraud, and it does indeed sound as if you do, please run an analysis tool for us, HijackThis! It will give us some detail, and then we can give you the first part of the fix, if it is indeed one of the many variants of SmitFraud.

    It would also help if you ran a couple of other more dependable anti-spyware apps as well.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before the next scan with whichever app is next. The reason for running these apps is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log easier.

    Then we use HijackThis v1.99.1 (zip).
    DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.
    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     

  4. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    Hi again, and thanks for the welcome. I have downloaded the programs and am running them now. My only question is that when I attempt to install HijackThis as instructed, my virus scanner states that the file is infected with a trojan? Is it possible I have an infected copy? Just I don't really want to install more viruses. Sorry if this is obvious, still learning.

    many thanks

    colin
     
  5. 2006/06/27
    TeMerc

    TeMerc Inactive Alumni

    I'll take a wild guess and say you're running McAfee AV? They have a history of flagging HJT as malicious, this is why I ask. Just allow HJT to run, it is of course not malicious, and post the log file. Sorry for the inconvenience.
     
  6. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    OK, will do, and yeah, you are totally right, McAfee AV.

    thanks

    colin
     
  7. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    OK, I had to disable McAfee VirusScan to install HJT; it kept blocking the file transfer. This is the log file it creates.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:53:05, on 27/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.ntlworld.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - Default URLSearchHook is missing
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125265645825
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\hI23msp.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Freeloader Monthly Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Monthly Subscription Service File.exe
    O23 - Service: Freeloader Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Subscription Service File.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


    Hope this helps

    colin
     
  8. 2006/06/27
    TeMerc

    TeMerc Inactive Alumni

    OK, based on the 2 files listed in the logfile O20 section, we may be dealing with 2 different infections, Look2Me and Haxdoor.

    We'll deal with Look2Me first, as the tool will reset some things in the registry which need to be done before we run the Haxdoor fix.

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/L2mfix.exe
    http://www.downloads.subratam.org/L2mfix.exe

    Save the file to your desktop and double click L2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added L2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

    If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and Microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the L2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
     
  9. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    OK, to update: the second of your links, to look2me.exe, is dead, and all I can find on the first is a file download called look2medestroyer.exe. I gather you mean this. I have downloaded and double-clicked on the icon and it loads up, but I don't get the steps you are explaining. These are the steps on the 1st link:

    Written by Atribune
    Saturday, 11 February 2006
    Please download Look2Me-Destroyer.exe to your desktop.
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.
    Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.

    Should I follow this, or am I using the wrong program?

    colin
     
  10. 2006/06/27
    TeMerc

    TeMerc Inactive Alumni

    No, we don't want to use that fix; the combination of the L2M and Haxdoor requires us to use the one I gave you.

    This link should work:

    http://www.atribune.org/downloads/l2mfix.exe

    Follow my instructions with this file, sorry about that.
     
  11. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    OK, glad I didn't use that one then. This is the report from the software you said. It's a long one!!!

    L2MFIX find log 051206
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
    "secureUID "= "[42466872441205044031] "
    "DllName "=hex(2):61,00,76,00,70,00,65,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
    00,00
    "Startup "= "MmPageFree "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001
    "MaxWait "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\hI23msp.dll "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName "= "wlnotify.dll "
    "Logon "= "SCardStartCertProp "
    "Logoff "= "SCardStopCertProp "
    "Lock "= "SCardSuspendCertProp "
    "Unlock "= "SCardResumeCertProp "
    "Enabled "=dword:00000001
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "StartShell "= "SchedStartShell "
    "Logoff "= "SchedEventLogOff "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "PostShell "= "SensPostShellEvent "
    "Disconnect "= "SensDisconnectEvent "
    "Reconnect "= "SensReconnectEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "Logoff "= "TSEventLogoff "
    "Logon "= "TSEventLogon "
    "PostShell "= "TSEventPostShell "
    "Shutdown "= "TSEventShutdown "
    "StartShell "= "TSEventStartShell "
    "Startup "= "TSEventStartup "
    "MaxWait "=dword:00000258
    "Reconnect "= "TSEventReconnect "
    "Disconnect "= "TSEventDisconnect "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    "Logon "= "WLEventLogon "
    "Logoff "= "WLEventLogoff "
    "Startup "= "WLEventStartup "
    "Shutdown "= "WLEventShutdown "
    "StartScreenSaver "= "WLEventStartScreenSaver "
    "StopScreenSaver "= "WLEventStopScreenSaver "
    "Lock "= "WLEventLock "
    "Unlock "= "WLEventUnlock "
    "StartShell "= "WLEventStartShell "
    "PostShell "= "WLEventPostShell "
    "Disconnect "= "WLEventDisconnect "
    "Reconnect "= "WLEventReconnect "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000000
    "SafeMode "=dword:00000001
    "MaxWait "=dword:ffffffff
    "DllName "=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Event "=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName "= "wlnotify.dll "
    "Logon "= "RegisterTicketExpiredNotificationEvent "
    "Logoff "= "UnregisterTicketExpiredNotificationEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C9E078A7-32D0-1400-DCAE-CF448F6DDC2A} "=" "

    Too long, needs to be on another post; see next.
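The Winlogon/notify section of the L2MFIX export above is what TeMerc's O20 analysis rests on: every subkey under Winlogon\Notify names a DLL that winlogon.exe loads at logon, and the avpe32 and "Internet Settings" entries are the only ones whose DLL is not a stock Windows notification package. The following Python is an added example, not code from the thread or from L2MFIX: it parses a .reg export in the padded form the forum rendered, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values, and flags subkeys whose DLL is outside an allowlist or is given as an explicit path. The allowlist and the sample excerpt are assumptions of the example.

```python
import re

# Notify packages that ship with Windows XP (plus the WGA notifier seen in this log).
# Assumption of this example: anything else hooked into Winlogon deserves a closer look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll", "wgalogon.dll"}

NOTIFY_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
                 "\\currentversion\\winlogon\\notify\\")

# Constructed excerpt of the L2MFIX export above, kept in the padded form the forum rendered.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
"secureUID "= "[42466872441205044031] "
"DllName "=hex(2):61,00,76,00,70,00,65,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Impersonate "=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff "= "ChainWlxLogoffEvent "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName "= "cscdll.dll "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"DllName "= "C:\\WINDOWS\\system32\\hI23msp.dll "
"Logon "= "WinLogon "
'''


def _join_continuations(text):
    """Merge .reg lines that end in a backslash into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_value(raw):
    """Decode one .reg value: hex(2) is REG_EXPAND_SZ stored as UTF-16LE bytes."""
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    # Quoted string; the forum copy pads names and values with spaces, so strip them.
    return raw.strip('"').strip().replace("\\\\", "\\")


def parse_notify_keys(reg_text):
    """Return {subkey: {value_name: value}} for every Winlogon\\Notify subkey in the export."""
    keys, current = {}, None
    for line in _join_continuations(reg_text):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_PREFIX):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
            else:
                current = None
            continue
        m = re.match(r'^"([^"]*)"\s*=\s*(.*)$', line)
        if current is not None and m:
            keys[current][m.group(1).strip()] = _decode_value(m.group(2))
    return keys


def suspicious_notify_entries(keys):
    """Flag Notify subkeys whose DLL is outside the allowlist or given as an explicit path."""
    findings = {}
    for subkey, values in keys.items():
        dll = values.get("DllName") or values.get("DLLName")
        if not isinstance(dll, str):
            continue  # sub-subkeys such as WgaLogon\Settings carry no DllName
        reasons = []
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("dll not in allowlist")
        if "\\" in dll:
            reasons.append("explicit path instead of a bare dll name")
        if reasons:
            findings[subkey] = (dll, reasons)
    return findings


if __name__ == "__main__":
    for name, (dll, why) in suspicious_notify_entries(parse_notify_keys(SAMPLE_REG)).items():
        print(f"{name}: {dll} ({'; '.join(why)})")
```

Run against the full export, the same two subkeys TeMerc singled out (avpe32 and Internet Settings) are the only ones reported; the stock cscdll, wlnotify, crypt32 and WgaLogon entries pass.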
     
  12. 2006/06/27
    Oxygen

    Oxygen Inactive Thread Starter

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046} "= "Multimedia File Property Sheet "
    "{176d6597-26d3-11d1-b350-080036a75b03} "= "ICM Scanner Management "
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C} "= "NTFS Security Page "
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32} "= "OLE Docfile Property Page "
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6} "= "Shell extensions for sharing "
    "{41E300E0-78B6-11ce-849B-444553540000} "= "PlusPack CPL Extension "
    "{42071712-76d4-11d1-8b24-00a0c9068ff3} "= "Display Adapter CPL Extension "
    "{42071713-76d4-11d1-8b24-00a0c9068ff3} "= "Display Monitor CPL Extension "
    "{42071714-76d4-11d1-8b24-00a0c9068ff3} "= "Display Panning CPL Extension "
    "{4E40F770-369C-11d0-8922-00A024AB2DBB} "= "DS Security Page "
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{92085AD4-F48A-450D-BD93-B28CC7DF67CE}"="eBay Toolbar"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Shell Extension"
    "{2F860D82-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Drag Drop Handler"
    "{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
    "{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{B4B3001E-0F56-4E51-8250-BDE11547EC55}"="Super Ad Blocker Toolbar"
    "{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    browseui.dll Wed 10 May 2006 6:25:20 A.... 1,022,976 999.00 K
    cdfview.dll Wed 10 May 2006 6:25:20 A.... 151,040 147.50 K
    danim.dll Wed 10 May 2006 6:25:20 A.... 1,054,208 1.00 M
    dxtmsft.dll Wed 10 May 2006 6:25:22 A.... 357,888 349.50 K
    dxtrans.dll Wed 10 May 2006 6:25:22 A.... 205,312 200.50 K
    extmgr.dll Wed 10 May 2006 6:25:22 ..... 55,808 54.50 K
    iepeers.dll Wed 10 May 2006 6:25:22 A.... 251,904 246.00 K
    inseng.dll Wed 10 May 2006 6:25:22 A.... 96,256 94.00 K
    jgdw400.dll Thu 1 Jun 2006 19:47:08 A.... 163,840 160.00 K
    jgpl400.dll Thu 1 Jun 2006 19:47:08 A.... 27,648 27.00 K
    jscript.dll Thu 18 May 2006 6:24:26 A.... 450,560 440.00 K
    jsproxy.dll Wed 10 May 2006 6:25:22 A.... 15,872 15.50 K
    legitc~1.dll Tue 23 May 2006 17:26:00 A.... 579,888 566.30 K
    mshtml.dll Fri 19 May 2006 16:06:04 A.... 3,055,104 2.91 M
    mshtmled.dll Wed 10 May 2006 6:25:22 A.... 448,512 438.00 K
    msrating.dll Wed 10 May 2006 6:25:22 A.... 146,432 143.00 K
    mstime.dll Wed 10 May 2006 6:25:22 A.... 532,480 520.00 K
    pngfilt.dll Wed 10 May 2006 6:25:22 A.... 39,424 38.50 K
    rasmans.dll Sun 14 May 2006 9:44:08 A.... 181,248 177.00 K
    shdocvw.dll Mon 29 May 2006 16:32:10 A.... 1,496,576 1.43 M
    shlwapi.dll Wed 10 May 2006 6:25:22 A.... 474,112 463.00 K
    urlmon.dll Wed 10 May 2006 6:25:22 A.... 615,424 601.00 K
    wgalogon.dll Tue 23 May 2006 17:25:52 A.... 402,736 393.30 K
    wininet.dll Wed 10 May 2006 6:25:22 A.... 663,552 648.00 K
    wmp.dll Sat 29 Apr 2006 6:07:48 A.... 5,533,696 5.28 M
    xpsp3res.dll Thu 11 May 2006 9:37:26 A.... 90,112 88.00 K

    26 items found: 26 files, 0 directories.
    Total of file sizes: 18,112,608 bytes 17.27 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is A851-7B52

    Directory of C:\WINDOWS\System32

    27/06/2006 21:59 <DIR> ..
    27/06/2006 21:59 <DIR> .
    15/06/2006 13:32 <DIR> dllcache
    28/08/2005 21:46 <DIR> Microsoft
    0 File(s) 0 bytes
    4 Dir(s) 9,560,875,008 bytes free
     
  13. 2006/06/27
    TeMerc (Inactive Alumni)
    Second part of fix.

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2, Run Fix, by typing 2 and then pressing Enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run it in Safe Mode!
    If after the reboot the log does not open, double-click on it in the l2mfix folder.
     
  14. 2006/06/27
    Oxygen (Inactive, Thread Starter)
    Log from L2mfix:

    L2mfix 051206
    Creating Account.
    The command completed successfully.

    Adding Administrative privleges.
    The command completed successfully.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINDOWS\system32

    Killing Processes!
    Killing 'smss.exe'
    \SystemRoot\System32\smss.exe (624)
    Killing 'winlogon.exe'
    winlogon.exe (700)
    Killing 'explorer.exe'
    C:\WINDOWS\Explorer.EXE (1976)
    Killing 'rundll32.exe'
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
    "secureUID"="[42466872441205044031]"
    "DllName"=hex(2):61,00,76,00,70,00,65,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
    00,00
    "Startup"="MmPageFree"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    "MaxWait"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\hI23msp.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Event"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
    "Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
    00,00,30,8f,c0,a2,a7,3d,1b,4b,8a,34,24,42,2c,ea,91,ab,04,00,00,00,04,00,00,\
    00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,f8,85,88,df,75,dc,f7,1a,\
    42,18,13,84,9f,62,b4,bf,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,5e,\
    1a,98,ed,6f,58,36,4b,c5,b0,db,e0,48,57,44,f2,08,06,00,00,b4,39,48,ec,b4,50,\
    b7,61,61,3a,41,28,13,de,8c,a8,96,6a,e4,7f,e8,c7,9b,d4,f4,71,14,a6,ca,19,4e,\
    0c,1b,e8,08,8d,19,c5,ed,14,86,b6,97,2f,c7,63,91,2c,a1,6a,71,b5,3a,88,15,f5,\
    3f,52,a3,b1,16,1b,2e,40,45,41,0c,4a,75,4b,ef,de,79,27,16,b7,2a,95,31,4a,46,\
    51,73,e9,e4,bd,de,37,43,5c,30,bd,3b,38,97,52,00,76,d1,7d,05,a0,6b,ec,f1,1d,\
    ee,1d,76,5c,ed,3a,9a,4a,3f,20,12,82,ed,d4,ee,fe,1a,54,2b,8c,f0,e1,d5,ff,21,\
    97,79,ba,eb,38,b6,cd,0b,52,ac,1b,13,d0,1c,04,dd,ee,87,4c,7f,03,16,75,43,92,\
    be,16,17,b5,62,df,d1,b7,bb,04,c9,1a,72,b3,5f,a8,72,a7,39,43,ac,bb,d6,37,cb,\
    88,55,02,99,14,fd,ee,27,ed,f8,4b,50,46,26,e9,28,e9,e5,22,9a,f5,1d,b0,31,da,\
    3a,f3,97,29,36,04,c7,c5,9c,54,ee,93,5c,33,17,a4,37,c9,e7,48,51,6b,0b,36,c9,\
    ff,3f,f4,44,ec,b0,5c,c6,f7,dd,13,ed,27,61,fb,b7,6d,f5,bc,ab,61,25,f8,b9,a0,\
    f2,6e,72,bf,85,d0,5a,48,ce,4d,1f,dc,28,39,b1,92,f4,9f,0a,0f,99,01,32,72,7d,\
    63,2e,a8,f8,88,f8,a3,08,c6,0c,8c,31,78,4c,ac,a4,f5,3f,aa,b4,2b,95,13,2e,b0,\
    2e,6a,d4,9d,59,75,f2,85,75,c0,d9,4b,8b,56,00,6f,b1,ef,ec,ce,9d,53,d2,28,3b,\
    a6,6a,b1,58,39,8f,5b,7c,4b,3e,4f,2b,db,39,8f,25,1f,c1,62,48,ea,a2,b5,f9,c1,\
    3d,28,97,88,48,0b,68,d5,9a,c3,8d,27,05,5c,7f,b0,f4,db,cb,7c,0d,76,bb,bf,fd,\
    b2,e0,66,17,47,59,db,a2,a9,d1,8b,2e,72,9d,9b,61,63,56,c3,cf,1e,49,78,f8,97,\
    0c,ef,ae,4e,d0,59,1a,1d,5f,5f,bb,7a,56,27,a9,c1,ad,d7,77,d4,86,1c,55,06,97,\
    2a,4d,b6,97,fa,5a,95,35,a0,f2,d0,61,b1,9e,7f,8a,f4,d4,db,e8,95,34,8e,52,fa,\
    ec,8a,76,1f,44,29,63,a4,e3,93,25,74,fd,60,65,1f,23,e7,0e,08,1e,27,8f,4a,cc,\
    30,2e,c9,86,13,dd,21,e9,89,53,34,b7,a9,57,dd,21,e5,47,a0,f5,07,8f,3b,01,9c,\
    31,70,8b,97,db,d0,93,30,96,05,02,bb,44,73,74,b7,8c,a1,49,1d,c1,08,e8,c8,e3,\
    97,82,c4,e4,c9,16,3d,67,72,b9,fc,76,2b,88,10,27,f8,1a,90,0e,90,3c,47,5a,84,\
    72,db,9b,c9,6a,ff,2a,ca,c8,f8,60,59,8a,9c,47,29,fd,68,7d,23,21,95,3f,36,15,\
    c9,21,99,da,b3,d2,59,a9,ec,d3,29,1a,fc,13,4b,07,c1,26,d3,b5,70,e4,e5,f9,8a,\
    87,8a,6b,3c,54,3e,16,77,e4,d6,aa,bb,e5,81,d9,e5,7e,7e,52,5e,4f,e3,0e,0b,97,\
    8d,46,b8,15,da,6b,d0,fd,1e,7b,5f,13,27,db,b4,98,b0,a8,61,de,43,b6,8e,d6,40,\
    45,28,c8,9f,53,86,d6,e3,ae,ba,3b,7f,89,5b,89,6a,58,2f,65,39,0a,6b,fa,d8,2c,\
    9c,9f,02,ea,3e,2f,6f,84,a3,1f,25,f5,e7,67,04,59,ef,a9,67,87,dc,3a,31,db,86,\
    63,87,d6,2a,85,94,58,c5,54,eb,b6,66,bd,dd,f8,e7,f3,43,05,0e,bd,7e,b0,03,6b,\
    cb,eb,5a,f2,76,2b,44,2c,77,7f,8a,fd,3e,5b,b9,fb,3b,75,40,4d,52,e1,99,d8,c9,\
    f2,c8,82,ef,b8,32,e0,f6,17,ac,21,03,00,cd,3e,8f,59,3f,c8,c4,2b,96,65,99,7b,\
    48,31,8b,9f,cf,49,76,ef,8f,9f,b7,56,ce,89,d5,72,21,99,b1,2d,2b,4a,83,8a,7c,\
    56,6d,62,df,8d,7c,22,b7,6b,4d,37,28,de,07,89,58,02,c8,05,c4,d3,ea,8a,08,c7,\
    56,e3,c2,bc,ea,4b,68,52,80,ed,cf,60,16,f0,61,47,d4,0b,3e,eb,0a,a7,fb,02,79,\
    59,8e,84,80,bf,77,c7,13,de,59,ce,92,37,86,90,99,c0,8d,ff,2c,52,7c,65,45,da,\
    c3,48,1a,e2,41,9b,41,ac,35,c2,54,30,ba,0b,03,fe,72,12,d2,d8,f9,19,13,b2,a5,\
    5a,63,03,ee,bb,68,49,89,e9,ad,fb,94,f1,c6,c3,33,1b,01,6b,ec,c0,1f,c1,1a,3b,\
    9d,57,5f,97,c3,a4,2c,65,29,49,df,d8,74,10,4d,a9,6d,c4,fe,ce,f3,31,3c,f9,15,\
    16,ec,c4,dc,be,dc,b3,39,82,54,45,86,42,61,60,89,86,d4,b5,dd,63,e3,a2,1e,65,\
    37,02,82,37,17,22,67,68,d8,0f,e7,31,ba,90,02,0c,99,bf,38,fa,95,d6,8e,45,5a,\
    38,f0,62,7d,f0,49,5a,cd,e0,29,58,a4,36,8c,e8,9a,4b,74,df,79,3d,f3,81,73,d8,\
    8e,c8,1f,40,db,d1,ae,27,cd,6a,2c,89,69,15,5c,d5,ce,88,fd,95,58,dd,05,f2,8b,\
    d6,19,25,6e,5c,39,d1,c8,d1,bd,70,e6,00,4b,d1,29,c0,52,b7,49,99,72,8e,81,ea,\
    97,ab,3d,30,4e,35,ef,2f,00,18,e8,62,25,58,c1,d4,b4,15,47,b1,8d,49,d2,8d,0a,\
    27,b6,ec,34,44,bb,59,e2,ee,a4,b3,7d,a4,f1,8e,49,17,05,49,de,4a,33,c0,08,0d,\
    49,8f,67,a4,af,3a,42,ea,f4,b7,eb,0b,c0,fe,92,23,f5,20,e6,bc,1b,3e,c7,87,f9,\
    ed,b1,e6,0b,15,de,04,3f,74,f0,df,bb,44,a4,87,72,53,08,8a,52,34,7a,ac,92,65,\
    0d,b9,05,b8,df,b0,89,c7,0e,62,0e,94,c2,26,ec,7f,92,f7,ea,75,7d,31,5f,07,94,\
    0a,16,68,6b,03,c6,a8,54,10,9b,73,1c,e2,83,e1,86,fb,44,f8,a1,01,9f,1b,13,e8,\
    68,65,6e,23,49,96,08,f7,b1,c6,0e,b4,1a,03,4e,12,fa,bd,8e,e0,9c,eb,dc,d7,62,\
    34,20,1e,28,8a,07,eb,cc,05,62,6a,7a,b9,06,01,8a,93,57,11,e5,cf,18,d8,68,08,\
    79,1b,19,ba,fd,74,a3,33,4b,e2,6d,fa,f5,9d,75,47,82,5c,f0,8a,c0,d1,81,27,88,\
    f6,89,67,24,81,78,96,55,9d,c9,8e,e1,64,c0,12,c0,f8,fd,8f,d5,5f,8e,f5,f5,1f,\
    01,95,42,7c,90,e3,77,ec,4b,ba,86,3f,10,89,64,47,95,3b,f5,3d,2d,70,2c,50,9a,\
    d7,ed,19,cd,37,ce,42,b4,1c,bd,74,b9,f3,d5,56,84,f1,d9,27,42,6f,ae,62,1d,e9,\
    0c,54,b0,e3,cd,44,52,48,6f,a2,9c,b3,04,50,4b,d7,e9,33,16,66,9e,84,d2,ea,ee,\
    79,34,a0,87,27,57,8e,33,3e,46,ae,72,81,a3,fd,14,66,50,ba,d5,3a,d1,7f,b3,86,\
    06,c1,9e,95,c2,13,a9,6f,e3,a6,e9,f6,79,04,1b,5b,a4,38,f9,97,3b,0b,02,95,e5,\
    fc,73,e8,70,5f,1f,d4,1f,e2,24,d5,e6,4f,6d,51,d4,73,e1,b5,d0,e8,c1,44,2e,64,\
    46,56,c1,e3,ee,e4,22,1c,0c,47,cc,ac,b9,6e,4b,fd,00,b4,b2,fb,4b,bf,3b,d6,22,\
    d4,81,b8,39,cf,6a,56,cb,80,b8,c5,c1,f2,61,6d,cb,d2,b0,ae,23,15,da,a5,ac,e6,\
    d8,b6,82,12,79,f7,24,8a,99,cb,b2,58,81,14,00,00,00,17,55,92,73,03,2f,29,4d,\
    bc,34,b4,ca,bc,7e,47,df,cf,ca,fe,7c

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    adding: backregs/notibac.reg (140 bytes security) (deflated 79%)
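The Winlogon\Notify export in the post above is where this infection actually shows itself. Every stock XP notify package loads a bare DLL name (wlnotify.dll, cscdll.dll, crypt32.dll, sclgntfy.dll, WgaLogon.dll) that Winlogon resolves from system32, while the `Internet Settings` subkey points at an absolute path to a randomly named DLL in system32 and `avpe32` is not a subkey XP ships at all. Both load inside winlogon.exe before any user-mode scanner starts, which is why the earlier tools kept reporting the machine clean. The script below is an added example, not part of the original thread and not L2MFix's own code: it parses a .reg export of that key, decodes the hex(2) REG_EXPAND_SZ values regedit emits (UTF-16LE with a NUL terminator, split across backslash-continued lines), and flags any package that is not in an assumed XP SP2 baseline or that uses a full path. The embedded sample is a constructed, trimmed copy of the export above with the forum's stray quote spacing removed; the `XP_BASELINE` map is my assumption about a stock XP SP2 install, not something the thread states.

```python
import re

# Registry key from which Winlogon loads notification packages at boot and logon.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# ASSUMPTION: notify packages of a stock Windows XP SP2 install plus WgaLogon from the
# WGA Notifications update, mapped to the DLL each one is expected to load.
XP_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
    "wgalogon": "wgalogon.dll",
}

# Constructed sample: a trimmed copy of the export in the post above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
"secureUID"="[42466872441205044031]"
"DllName"=hex(2):61,00,76,00,70,00,65,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="MmPageFree"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"DllName"="C:\\WINDOWS\\system32\\hI23msp.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="WLEventLogon"
"""


def decode_reg_value(raw):
    """Decode one regedit value: "string", dword:xxxxxxxx, or hex(type):aa,bb,..."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash.
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":  # hex(2) is REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        return data  # REG_BINARY and other types stay as raw bytes
    return raw


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}. A trailing backslash continues the line."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        m = re.match(r"\[-?(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def audit_notify(keys, baseline=XP_BASELINE):
    """Return [(subkey, dll, reasons)] for notify packages that deviate from the baseline."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        if "\\" in subkey:  # e.g. WgaLogon\Settings holds data; it is not a package itself
            continue
        # Registry value names are case-insensitive ("DllName" vs "DLLName").
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        reasons = []
        if not isinstance(dll, str):
            reasons.append("no usable DllName value")
        else:
            basename = dll.rsplit("\\", 1)[-1].lower()
            expected = baseline.get(subkey.lower())
            if expected is None:
                reasons.append("subkey is not a stock XP notify package")
            elif basename != expected:
                reasons.append(f"expected {expected}, loads {basename}")
            if "\\" in dll:
                reasons.append("absolute path; stock packages use a bare name resolved from system32")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[!] Notify\\{subkey}: {dll}")
        for reason in reasons:
            print(f"      - {reason}")
```

On the sample this flags exactly the two entries L2MFix went after, `avpe32` and `Internet Settings`, and leaves the stock packages alone. To use it against a live machine, export the key with `regedit /e notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"` (regedit writes the file as UTF-16, so open it with `encoding="utf-16"`) and feed the text to `parse_reg_export`. The baseline is only a starting point: third-party software can legitimately register a notify package, so a hit means "look at this DLL", not "delete it".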
     
  15. 2006/06/27
    Oxygen (Inactive, Thread Starter)
    Log from HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:32:41, on 27/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.ntlworld.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - Default URLSearchHook is missing
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125265645825
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\hI23msp.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Freeloader Monthly Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Monthly Subscription Service File.exe
    O23 - Service: Freeloader Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Subscription Service File.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    Thanks for all your help so far

    colin
     
  16. 2006/06/27
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Now we get to the Haxdoor fix part.

    Download haxfix.exe
    and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"

    A red "dos window" (dos box) will open with options:

      1. Make logfile
      2. Run auto fix
      3. Run manual fix
      E. Exit Haxfix

    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
    • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
     
  17. 2006/06/28
    Oxygen

    Oxygen Inactive Thread Starter

    Joined:
    2006/06/26
    Messages:
    15
    Likes Received:
    0
    HAXFIX logfile - by Marckie
    ______________
    version 3.02
    28/06/2006 8:11:19.93

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    matching notify keys found
    avpe

    checking for matching services....
    no matching services found

    checking for matching safeboot services....
    matching safeboot services found
    avpe32.sys
    avpe64.sys


    Checking for goldun
    -------------------
    checking for notify keys....
    no notify keys found

    checking for services....
    no services found


    Finished
     
  18. 2006/06/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK I needed to get some help with this one. Registry hack not something I'm up on. We shouldn't have any problems at all though.


    Copy the text below to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\avpe32.sys]
    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\avpe64.sys]
    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\avpe32.sys]
    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\avpe64.sys]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]

    Double-click Fix.reg, and answer yes when prompted to add its contents to the Registry.

    Reboot then post a new HJT log file please.
     
  19. 2006/06/28
    Oxygen

    Oxygen Inactive Thread Starter

    Joined:
    2006/06/26
    Messages:
    15
    Likes Received:
    0
    Right, sorry for the delay, I was at work. I have saved the file, double-clicked it and selected yes to add it to the registry, and rebooted. This is my new
    HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:41:43, on 28/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.ntlworld.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - Default URLSearchHook is missing
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125265645825
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\hI23msp.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Freeloader Monthly Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Monthly Subscription Service File.exe
    O23 - Service: Freeloader Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Subscription Service File.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
     
  20. 2006/06/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Heh...and I was asleep for most of the time.:p

    OK looks like we have a couple more lines to fix, remnants of the L2M infection and we should be done.

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    R3 - Default URLSearchHook is missing


    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\hI23msp.dll (file missing)


    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)


    Reboot into 'Safe mode', and search for, then delete, if found, the following files/folders:
    C:\WINDOWS\system32\hI23msp.dll <<<--this file

    Reboot into Normal mode and post a new HJT log back into this thread please.
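    The entries TeMerc has been picking out of Colin's logs ("(file missing)", "(no file)", the missing URLSearchHook) can be pulled out of an HJT log automatically. This is an added example written for this thread, not code from HijackThis, HaxFix or either poster; the sample log is constructed in the shape of Colin's, and the REGEDIT4 lines it renders follow the form of the Fix.reg posted earlier.

```python
"""Triage a HijackThis v1.99 log for autostart entries whose file is gone.

Added example; not code from the thread, from HijackThis or from HaxFix.
It parses the R3/O2/O20/O21/O23 line shapes seen in the logs above, flags
entries marked "(file missing)" / "(no file)", and renders the REGEDIT4
deletion lines for stale Winlogon Notify keys in the form the Fix.reg used.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same format as the logs above (not a real scan).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\hI23msp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    section: str          # "O20", "R3", ...
    name: str             # Notify subkey, BHO name, service name, ...
    path: Optional[str]   # backing file, or None when HJT lists none
    missing: bool         # HJT could not find the file on disk


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):
        # R lines describe IE settings; R3 reports a missing hook in prose.
        return Entry(sec, body, None, body.endswith("is missing"))
    missing = False
    for marker in MISSING_MARKERS:
        if body.endswith(marker):
            missing = True
            body = body[: -len(marker)].rstrip(" -")
    _kind, _, rest = body.partition(": ")   # "Winlogon Notify: avpe32 - avpe32.dll"
    fields = rest.split(" - ")
    name, tail = fields[0], fields[1:]
    if tail and tail[0].startswith("{"):    # O2/O3/O9/O21 carry a CLSID before the path
        tail = tail[1:]
    if sec == "O23" and tail:               # O23 carries the service owner before the path
        tail = tail[1:]
    # Re-join so a path such as "...\Spybot - Search & Destroy\..." survives the split.
    return Entry(sec, name, " - ".join(tail) or None, missing)


def triage(log_text: str) -> List[Entry]:
    """Entries a helper would mark for 'Fix checked': loaders that point at nothing."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and e.missing]


def reg_delete_lines(entries: List[Entry]) -> List[str]:
    """REGEDIT4 '[-key]' lines for stale O20 entries; only O20 maps to one fixed key."""
    return ["[-" + WINLOGON_NOTIFY + "\\" + e.name + "]" for e in entries if e.section == "O20"]


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.section:<4} {e.name!r:<22} -> {e.path}")
    print("\n".join(reg_delete_lines(flagged)))
```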
     
  21. 2006/06/28
    Oxygen

    Oxygen Inactive Thread Starter

    Joined:
    2006/06/26
    Messages:
    15
    Likes Received:
    0
    Hi Temerc

    I have run HJT, selected the files as instructed, then clicked fix selected. After this I rebooted in safe mode but cannot find the file hI23msp.dll or the folder C:\WINDOWS\system32. Any help on these?

    thanks again

    colin
     