
DMVlite...geez...HJT log included

Discussion in 'Malware and Virus Removal Archive' started by omytoo, 2005/01/18.

Thread Status:
Not open for further replies.
  1. 2005/01/20
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi, let's go about it this way.
    Do not use l2mfix option 2 unless instructed to, please.
    * Download the .txt file I have attached, near the bottom of this post, to your desktop.
    Right-click on it > Rename to > fixme.reg

    Copy these instructions to a text document for reference.
    Disconnect from the internet (unplug your modem or router from the computer).
    Close all browsers and programs that show in the Windows taskbar.

    The following list of files is very long. I recommend you copy the list to Notepad, use Cut to take it out of the Notepad document and then paste it into KillBox; that way you won't miss any. You must get them all or the infection will reinstate itself.

    Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information.

    Double-click on KillBox.exe.
    Select the "Replace on Reboot" option.
    For each of the files listed below:
    Make sure Replace on Reboot is selected
    Click to check mark the Use Dummy box
    Paste the path in the Full Path of File to Delete box.

    C:\WINNT\system32\h44m0e~1.dll

    Click the red highlighted X button and say Yes to the first prompt.
    Answer No to the "Reboot Now?" prompt.
    Do these steps for all files in the following list (enter one file at a time):

    C:\WINNT\system32\l06ola~1.dll
    C:\WINNT\system32\ij1xdnt5.dll
    C:\WINNT\system32\lv8009~1.dll
    C:\WINNT\system32\j60slg~1.dll
    C:\WINNT\system32\fp6003~1.dll


    For these files use Delete on Reboot (enter one file at a time):
    C:\WINNT\system32\guard.tmp
    C:\WINNT\system32\drivers\etc\hosts
    C:\WINNT\system32\sysfile.dll
    C:\WINNT\system32\nrtapi32.dll
    C:\WINNT\system32\aklsp.dll
    C:\WINNT\system32\tv2.dll
    C:\WINNT\system32\casync.dll
    C:\WINNT\system32\cacore.dll
    C:\WINNT\system32\NWMSMGR.DLL
    Answer Yes at the first prompt and No at the second.


    Exit KillBox

    ===============================
    Restart your PC

    After Windows has started, run KillBox and paste in
    C:\WINNT\system32\Guard.tmp
    If it's blue, use Standard File Kill and delete it.



    Important
    Delete the contents of all your temp folders, as in: open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    Note: Some systems have Temporary Internet Files, Application Data and History in that temp; if so, leave them and delete all other folders and files inside that temp.
    Delete the contents of the C:\windows\temp folder.

    Clear Internet Explorer's cache:
    1. In Control Panel, open Internet Options.
    2. Click the General tab, and then under Temporary Internet files, click Delete Files.
    3. In the Delete Files dialog box, click to select the Delete all offline content check box.
    4. Wait for the hourglass to disappear.
    5. Click OK.

    I need you to run l2mfix.bat and choose option 1 again please.
    Make and post a fresh Hijackthis log.

    To be extra thorough (post this in another post):
    MicroWorld - Free AntiVirus standalone scanner
    Make a folder called c:\bases
    Download mwav.exe http://www.mwti.net/antivirus/free_utilities.asp
    to that new folder, run mwav.exe, then run mwavscan.com, select all files and press Scan. When it is completed, view the log, but here's the catch: since the log is so large, we only need to see the lines with "action taken" in them.
    It will only report, but it is thorough. Don't post sections if they are in anti-malware backup folders.
     
  2. 2005/01/20
    omytoo

    omytoo Inactive Thread Starter

    Joined:
    2005/01/18
    Messages:
    17
    Likes Received:
    0
    Wow...done

    L2mfix log:

    L2MFIX find log 1.01
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    "DllName "= "C:\\WINNT\\System32\\NavLogon.dll "
    "Logoff "= "NavLogoffEvent "
    "StartShell "= "NavStartShellEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINNT\\system32\\guard.tmp "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName "= "wzcdlg.dll "
    "Logon "= "WZCEventLogon "
    "Logoff "= "WZCEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000000

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINNT\SYSTEM32\
    shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
    h44m0e~1.dll Thu Jan 20 2005 11:37:46a A.... 56 0.05 K
    l06ola~1.dll Thu Jan 20 2005 11:38:48a A.... 56 0.05 K
    urlmon.dll Mon Oct 25 2004 10:39:52a A.... 450,048 439.50 K
    mshtml.dll Mon Oct 25 2004 10:39:16a A.... 2,693,120 2.57 M
    booknew.dll Tue Dec 28 2004 1:52:22p A.... 327,680 320.00 K
    pop5.dll Tue Dec 28 2004 1:52:22p A.... 53,760 52.50 K
    ij1xdnt5.dll Thu Jan 20 2005 11:39:06a A.... 56 0.05 K
    lv8009~1.dll Thu Jan 20 2005 11:39:18a A.... 56 0.05 K
    j60slg~1.dll Thu Jan 20 2005 11:39:30a A.... 56 0.05 K
    fp6003~1.dll Thu Jan 20 2005 11:39:44a A.... 56 0.05 K
    exact.dll Wed Dec 22 2004 3:45:02p A.... 380,928 372.00 K
    sporder.dll Tue Jan 4 2005 8:57:38a A.... 8,464 8.27 K
    hypertrm.dll Tue Nov 16 2004 5:47:02a A.... 576,784 563.27 K
    ciodm.dll Thu Nov 4 2004 11:41:52p A.... 68,880 67.27 K
    user32.dll Wed Dec 29 2004 4:14:10a A.... 380,688 371.77 K
    sp3res.dll Thu Dec 2 2004 9:27:18a A.... 6,272,512 5.98 M

    17 items found: 17 files, 0 directories.
    Total of file sizes: 12,545,424 bytes 11.96 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is WINDOWS 2K
    Volume Serial Number is 07D1-080F

    Directory of C:\WINNT\System32

    08/16/2001 12:04a <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 33,519,304,704 bytes free
    -------------------------------------------------------------------------
    hjt log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:58:02 AM, on 1/20/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\printkey.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\adudley\My Documents\highjack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: printkey.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
    O23 - Service: Win6l5oahder - Intel - (no file)

    ------------------------------------------------------------------------
    MWAV log in next post...
     

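The L2MFix output above is a regedit export of the Winlogon\Notify key, and the entry that gave this infection its foothold is the "policies" subkey whose DllName pointed at C:\WINNT\system32\guard.tmp rather than a normal notification DLL. As an added example (not part of this thread, KillBox or L2MFix), the Python below parses such a dump, decodes the hex(2) DllName values, and flags any notification package that is not a .dll or is outside the set of DLLs left in the cleaned log; the sample input is constructed and the known-package list is an assumption taken from this thread's logs.

```python
import re

# Constructed sample in the shape of the L2MFix "Winlogon/notify" section (real .reg syntax).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DllName"="C:\\WINNT\\system32\\guard.tmp"
'''

# Assumed allowlist: base names of the packages left in the cleaned-up log in this thread.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll", "navlogon.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Tolerates the "Name "= "value " spacing seen in the pasted forum log.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<val>.+)$')


def _join_continuations(text):
    """Glue .reg lines that end in a backslash onto the following line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def decode_hex2(value):
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify(text):
    """Map each Winlogon\\Notify subkey name to its values, with DllName decoded."""
    keys, current = {}, None
    for line in _join_continuations(text):
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            current = key.rsplit("\\", 1)[-1] if "\\Winlogon\\Notify\\" in key else None
            if current:
                keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if not (vm and current):
            continue
        name, val = vm.group("name"), vm.group("val").strip()
        if val.startswith("hex(2):"):
            keys[current][name] = decode_hex2(val[7:])
        elif val.startswith('"'):  # plain string; .reg doubles backslashes in paths
            keys[current][name] = val.strip('"').strip().replace("\\\\", "\\")
    return keys


def suspicious_notify_entries(keys):
    """Return (subkey, DllName, reason) for packages that deserve a closer look."""
    findings = []
    for subkey, vals in keys.items():
        dll = next((v for k, v in vals.items() if k.lower() == "dllname"), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if not base.endswith(".dll"):
            findings.append((subkey, dll, "notification package is not a .dll"))
        elif base not in KNOWN_NOTIFY_DLLS:
            findings.append((subkey, dll, "DLL not in the known-package list"))
    return findings
```

The same parser works on a manual regedit export of that key, since the L2MFix section carries the "Windows Registry Editor Version 5.00" header of such an export.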
  4. 2005/01/20
    omytoo

    omytoo Inactive Thread Starter

    Joined:
    2005/01/18
    Messages:
    17
    Likes Received:
    0
    MWAV log (just the lines with "action taken" in them):

    Thu Jan 20 12:00:58 2005 => File C:\WINNT\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:00:59 2005 => File C:\WINNT\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:01:02 2005 => File C:\WINNT\protector_update.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:38 2005 => File C:\WINNT\system32\booknew.dll infected by "Trojan-Dropper.Win32.Miewer.a" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:38 2005 => File C:\WINNT\system32\pop5.dll infected by "Trojan-Dropper.Win32.Miewer.a" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:40 2005 => File C:\WINNT\system32\msedpb.exe infected by "Trojan.Win32.Small.i" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:42 2005 => File C:\WINNT\system32\msfaol.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:42 2005 => File C:\WINNT\system32\doolsav.dat infected by "not-a-virus:AdWare.ToolBat.EliteBar.z" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:43 2005 => File C:\WINNT\system32\msiaih.dll infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:44 2005 => File C:\WINNT\system32\msnimk.gif infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:44 2005 => File C:\WINNT\system32\mseggo.gif infected by "TrojanSpy.Win32.Delf.dx" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:44 2005 => File C:\WINNT\system32\msfdje.gif infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:45 2005 => File C:\WINNT\system32\exact.dll infected by "Trojan-Dropper.Win32.Miewer.a" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:02:46 2005 => File C:\WINNT\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

    Thu Jan 20 12:02:47 2005 => File C:\WINNT\system32\Uninstaller.exe infected by "not-a-virus:AdWare.DealHelper.u" Virus. Action Taken: No Action Taken.

    Thu Jan 20 12:03:46 2005 => Total Files Scanned: 3438
    Thu Jan 20 12:03:46 2005 => Total Virus(es) Found: 15
    Thu Jan 20 12:03:46 2005 => Total Disinfected Files: 0
    Thu Jan 20 12:03:46 2005 => Total Files Renamed: 0
    Thu Jan 20 12:03:46 2005 => Total Deleted Files: 0
    Thu Jan 20 12:03:46 2005 => Total Errors: 3
    Thu Jan 20 12:03:46 2005 => Time Elapsed: 00:03:42
    Thu Jan 20 12:03:46 2005 => Virus Database Date: 2005/01/20
    Thu Jan 20 12:03:46 2005 => Virus Database Count: 116055

    Thu Jan 20 12:03:46 2005 => Scan Completed.
     
  5. 2005/01/20
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Good Job


    Put in place a good hosts file:
    Blocking Unwanted Parasites with a Hosts File: http://www.mvps.org/winhelp2002/hosts.htm
    Delete all those found by that scanner.
    C:\WINNT\SSK_B5.EXE
    C:\WINNT\iconu.exe
    C:\WINNT\protector_update.exe
    C:\WINNT\system32\booknew.dll
    C:\WINNT\system32\pop5.dll
    C:\WINNT\system32\msedpb.exe
    C:\WINNT\system32\msfaol.dll
    C:\WINNT\system32\doolsav.dat
    C:\WINNT\system32\msiaih.dll
    C:\WINNT\system32\msnimk.gif
    C:\WINNT\system32\mseggo.gif
    C:\WINNT\system32\msfdje.gif
    C:\WINNT\system32\exact.dll
    C:\WINNT\system32\Process.exe
    C:\WINNT\system32\Uninstaller.exe

    Make a list of any you can't delete and kill them with KillBox Delete on Reboot.
    Use KillBox Standard File Kill on these leftover L2M files:
    h44m0e~1.dll
    l06ola~1.dll
    ij1xdnt5.dll
    lv8009~1.dll
    j60slg~1.dll
    fp6003~1.dll


    Download this attachment then rename this last reg file and merge it into the registry.


    Are there any problems now ?
     
  6. 2005/01/20
    omytoo

    omytoo Inactive Thread Starter

    Joined:
    2005/01/18
    Messages:
    17
    Likes Received:
    0
    L2mfix log (look how short!):

    L2MFIX find log 1.01
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    "DllName "= "C:\\WINNT\\System32\\NavLogon.dll "
    "Logoff "= "NavLogoffEvent "
    "StartShell "= "NavStartShellEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName "= "wzcdlg.dll "
    "Logon "= "WZCEventLogon "
    "Logoff "= "WZCEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000000

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINNT\SYSTEM32\
    shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
    urlmon.dll Mon Oct 25 2004 10:39:52a A.... 450,048 439.50 K
    mshtml.dll Mon Oct 25 2004 10:39:16a A.... 2,693,120 2.57 M
    sporder.dll Tue Jan 4 2005 8:57:38a A.... 8,464 8.27 K
    hypertrm.dll Tue Nov 16 2004 5:47:02a A.... 576,784 563.27 K
    ciodm.dll Thu Nov 4 2004 11:41:52p A.... 68,880 67.27 K
    user32.dll Wed Dec 29 2004 4:14:10a A.... 380,688 371.77 K
    sp3res.dll Thu Dec 2 2004 9:27:18a A.... 6,272,512 5.98 M

    8 items found: 8 files, 0 directories.
    Total of file sizes: 11,782,720 bytes 11.23 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is WINDOWS 2K
    Volume Serial Number is 07D1-080F

    Directory of C:\WINNT\System32

    08/16/2001 12:04a <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 33,461,862,400 bytes free

    -------------------------------------------------------------------------
    Ran eScan again, and this time it found ZERO infected files! YEE HAW!

    Does this mean I'm actually DONE?
     
  7. 2005/01/20
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yes, I think we are done :)

    Post back even if all is OK in a few days, please.

    Delete the L2mfix folder, and all those reg files we have had you make, too.

    Regards
     
  8. 2005/01/20
    omytoo

    omytoo Inactive Thread Starter

    Joined:
    2005/01/18
    Messages:
    17
    Likes Received:
    0
    You are a Godsend, my dear Lonny.

    I will be forever grateful :)
     
  9. 2005/01/24
    omytoo

    omytoo Inactive Thread Starter

    Joined:
    2005/01/18
    Messages:
    17
    Likes Received:
    0
    4 days and counting...

    Pop-up-free surfing!!
     