
SPYWARE reboots XP-machine (HJ-log inc.)

Discussion in 'Malware and Virus Removal Archive' started by charperus, 2005/02/08.

  1. 2005/02/08
    charperus

    Hello,

    Our family has an XP Home Edition machine with four users:

    * Within one user's session the machine just reboots every ten minutes or so.
    * Another user's session just goes dark for a short while before logging in.
    * Another user has TWO IEXPLORE.EXE running, lots of Microsoft's "Send Report" dialogs were popping up, and Task Manager shows 90% to 100% most of the time.
    * In any one session, I noticed many svchost.exe running: is it normal?


    * I have installed Ad-Aware + Spy-Bot (with updates) and scanned MANY times with some improvements, but the reboots still occur....sigh...sigh...

    * Spy-Bot still reports multiple "CoolWWWBranch" no matter how many times I have tried to execute "Fix The Problems".

    * Hoping that some of you can advise me of what to do to remove those "pesky" adware/spyware.

    MANY thanks in advance.

    * Last night, I installed HijackThis and here is the log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:15:56 PM, on 2/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\Program Files\QuickTime6\qttask.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Netscape\Netscape 6\Netscp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:\WINDOWS\s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - C:\WINDOWS\system32\kdwchqqe.dll
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - C:\WINDOWS\system32\lqenorty.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime6\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title= "CorelDRAW ESSENTIALS" /date=020805 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [adjwxoco] C:\WINDOWS\system32\adjwxoco.exe
    O4 - HKLM\..\Run: [zmkscmmd] C:\WINDOWS\system32\zmkscmmd.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F09D8339-7814-49F9-B768-919AD353C650}: NameServer = 206.47.244.90 206.47.244.104
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GroovePnP - Unknown - C:\WINDOWS\twain_32\SiPix\Groove\Srvany.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: ctoaihqkcfoy - Unknown - C:\WINDOWS\system32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
     
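Reading a HijackThis log comes down to a handful of per-section patterns (local-file start page, unnamed BHO, orphaned toolbar, random-named autoruns, unknown LSP entries, services with an unknown publisher). The script below is an added example for this thread, not part of HijackThis or of the original posts: it applies those patterns to lines copied from the log above. The `looks_generated` name heuristic and the wording of each review reason are my own assumed rules, not HijackThis output.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for this thread, not part of HijackThis or of the original
posts. The rules are the ones a helper applies by eye when reading a log:
they rank lines for review and prove nothing on their own."""
import re

# Sample input: lines copied from the log posted above, with a few clean
# lines (Symantec, Intel hotkey tool) kept in as negatives.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:\WINDOWS\s.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - C:\WINDOWS\system32\kdwchqqe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [adjwxoco] C:\WINDOWS\system32\adjwxoco.exe
O4 - HKLM\..\Run: [zmkscmmd] C:\WINDOWS\system32\zmkscmmd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: ctoaihqkcfoy - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First file name with a PE-style extension in the line, without its directory.
FILE_RE = re.compile(r'([^\\/\s"\[\]]+)\.(?:exe|dll|tmp)\b', re.I)


def file_stem(body: str):
    m = FILE_RE.search(body)
    return m.group(1) if m else None


def looks_generated(stem: str) -> bool:
    """Crude test for machine-generated names such as kdwchqqe or zmkscmmd:
    six or more letters that are vowel-free or contain a run of four or more
    consonants. Vendor abbreviations (igfxtray) can trip it, so it only
    raises a line for a closer look."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest_run = max(map(len, re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels == 0 or longest_run >= 4


def classify(sec: str, body: str):
    """Return a review reason for one log line, or None if it looks routine."""
    if sec in ("R0", "R1") and "= file:///" in body:
        return "browser start/search page points at a local file"
    if sec == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    if sec == "O1":
        return "hosts-file entry redirects a search host"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed browser helper object"
    if sec == "O3" and body.endswith("(no file)"):
        return "orphaned toolbar registration"
    if sec == "O4":
        stem = file_stem(body)
        if stem and looks_generated(stem):
            return "autorun entry with a machine-generated file name"
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return "unknown Winsock LSP (repair with an LSP-aware tool, not by deleting the file)"
    if sec == "O23" and ("- Unknown -" in body or "(file missing)" in body):
        return "service with unknown publisher or missing binary"
    return None


def triage(log_text: str):
    """Parse a log and return the lines worth a second look, deduplicated
    (HijackThis lists the same LSP DLL once per Winsock catalog entry)."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or line in seen:
            continue
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            seen.add(line)
            findings.append({"section": m.group("sec"), "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['line']}")
```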
  2. 2005/02/08
    noahdfear

    Welcome to WindowsBBS charperus :)

    Let's start with getting rid of the Look2Me infection. Please download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     


  4. 2005/02/08
    charperus

    L2MFIX log enclosed (1 of 2)

    noahdfear,

    Here is the first portion of the L2MFIX log:

    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous "=dword:00000000
    "DllName "=" "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\m8juli1918.dll "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{35C4CF88-2D49-4FE1-AE99-1D8A178C3FCC} "=" "

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046} "= "Multimedia File Property Sheet "
    "{176d6597-26d3-11d1-b350-080036a75b03} "= "ICM Scanner Management "
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C} "= "NTFS Security Page "
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32} "= "OLE Docfile Property Page "
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6} "= "Shell extensions for sharing "
    "{41E300E0-78B6-11ce-849B-444553540000} "= "PlusPack CPL Extension "
    "{42071712-76d4-11d1-8b24-00a0c9068ff3} "= "Display Adapter CPL Extension "
    "{42071713-76d4-11d1-8b24-00a0c9068ff3} "= "Display Monitor CPL Extension "
    "{42071714-76d4-11d1-8b24-00a0c9068ff3} "= "Display Panning CPL Extension "
    "{4E40F770-369C-11d0-8922-00A024AB2DBB} "= "DS Security Page "
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} "= "Compatibility Page "
    "{56117100-C0CD-101B-81E2-00AA004AE837} "= "Shell Scrap DataHandler "
    "{59099400-57FF-11CE-BD94-0020AF85B590} "= "Disk Copy Extension "
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6} "= "Shell extensions for Microsoft Windows Network objects "
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605} "= "ICM Monitor Management "
    "{675F097E-4C4D-11D0-B6C1-0800091AA605} "= "ICM Printer Management "
    "{764BF0E1-F219-11ce-972D-00AA00A14F56} "= "Shell extensions for file compression "
    "{77597368-7b15-11d0-a0c2-080036af3f03} "= "Web Printer Shell Extension "
    "{7988B573-EC89-11cf-9C00-00AA00A14F56} "= "Disk Quota UI "
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "= "Encryption Context Menu "
    "{85BBD920-42A0-1069-A2E4-08002B30309D} "= "Briefcase "
    "{88895560-9AA2-1069-930E-00AA0030EBC8} "= "HyperTerminal Icon Ext "
    "{BD84B380-8CA2-1069-AB1D-08000948F534} "= "Fonts "
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27} "= "ICC Profile "
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} "= "Printers Security Page "
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} "= "Shell extensions for sharing "
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03} "= "Display TroubleShoot CPL Extension "
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto PKO Extension "
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto Sign Extension "
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E} "= "Network Connections "
    "{992CFFA0-F557-101A-88EC-00DD010CCC48} "= "Network Connections "
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD} "= "Scanners & Cameras "
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} "= "Scanners & Cameras "
    "{905667aa-acd6-11d2-8080-00805f6596d2} "= "Scanners & Cameras "
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1} "= "Scanners & Cameras "
    "{83bbcbf3-b28a-4919-a5aa-73027445d672} "= "Scanners & Cameras "
    "{F0152790-D56E-4445-850E-4F3117DB740C} "= "Remote Sessions CPL Extension "
    "{60254CA5-953B-11CF-8C96-00AA00B8708C} "= "Shell extensions for Windows Script Host "
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829} "= "Microsoft Data Link "
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Icon Handler "
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Shell Extension "
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF} "= "Scheduled Tasks "
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1} "= "Taskbar and Start Menu "
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} "= "Search "
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} "= "Run... "
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} "= "Internet "
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} "= "E-mail "
    "{D20EA4E1-3957-11d2-A40B-0C5020524152} "= "Fonts "
    "{D20EA4E1-3957-11d2-A40B-0C5020524153} "= "Administrative Tools "
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} "= "Audio Media Properties Handler "
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} "= "Video Media Properties Handler "
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71} "= "Wav Properties Handler "
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E} "= "Avi Properties Handler "
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9} "= "Midi Properties Handler "
    "{c5a40261-cd64-4ccf-84cb-c394da41d590} "= "Video Thumbnail Extractor "
    "{5E6AB780-7743-11CF-A12B-00AA004AE837} "= "Microsoft Internet Toolbar "
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938} "= "Download Status "
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972} "= "Augmented Shell Folder "
    "{6413BA2C-B461-11d1-A18A-080036B11A03} "= "Augmented Shell Folder 2 "
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383} "= "BandProxy "
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837} "= "Microsoft BrowserBand "
    "{30D02401-6A81-11d0-8274-00C04FD5AE38} "= "Search Band "
    "{32683183-48a0-441b-a342-7c2a440a9478} "= "Media Band "
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13} "= "In-pane search "
    "{07798131-AF23-11d1-9111-00A0C98BA67D} "= "Web Search "
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8} "= "Registry Tree Options Utility "
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383} "= "&Address "
    "{A08C11D2-A228-11d0-825B-00AA005B4383} "= "Address EditBox "
    "{00BB2763-6A77-11D0-A535-00C04FD7D062} "= "Microsoft AutoComplete "
    "{7376D660-C583-11d0-A3A5-00C04FD706EC} "= "TridentImageExtractor "
    "{6756A641-DE71-11d0-831B-00AA005B4383} "= "MRU AutoComplete List "
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} "= "Custom MRU AutoCompleted List "
    "{7e653215-fa25-46bd-a339-34a2790f3cb7} "= "Accessible "
    "{acf35015-526e-4230-9596-becbe19f0ac9} "= "Track Popup Bar "
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2} "= "Address Bar Parser "
    "{00BB2764-6A77-11D0-A535-00C04FD7D062} "= "Microsoft History AutoComplete List "
    "{03C036F1-A186-11D0-824A-00AA005B4383} "= "Microsoft Shell Folder AutoComplete List "
    "{00BB2765-6A77-11D0-A535-00C04FD7D062} "= "Microsoft Multiple AutoComplete List Container "
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1} "= "Shell Band Site Menu "
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} "= "Shell DeskBarApp "
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1} "= "Shell DeskBar "
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1} "= "Shell Rebar BandSite "
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C} "= "User Assist "
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} "= "Global Folder Settings "
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E} "= "Favorites Band "
    "{0A89A860-D7B1-11CE-8350-444553540000} "= "Shell Automation Inproc Service "
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} "= "Shell DocObject Viewer "
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} "= "Microsoft Browser Architecture "
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= "InternetShortcut "
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE} "= "Microsoft Url History Service "
    "{FF393560-C2A7-11CF-BFF4-444553540000} "= "History "
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497} "= "Microsoft Url Search Hook "
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "IE4 Suite Splash Screen "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "The Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E} "= "Explorer Band "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "ActiveX Cache Folder "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Subscription Folder "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Shell Application Manager "
    "{0B124F8F-91F0-11D1-B8B5-006008059382} "= "Installed Apps Enumerator "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{e84fda7c-1d6a-45f6-b725-cb260c236066} "= "Shell Image Verbs "
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} "= "Shell Image Data Factory "
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B} "= "GDI+ file thumbnail extractor "
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{EAB841A0-9550-11cf-8C16-00805F1408F3} "= "HTML Thumbnail Extractor "
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} "= "Shell Image Property Handler "
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D} "= "Web Publishing Wizard "
    "{add36aa8-751a-4579-a266-d66f5202ccbb} "= "Print Ordering via the Web "
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1} "= "Shell Publishing Wizard Object "
    "{58f1f272-9240-4f51-b6d4-fd63d1618591} "= "Get a Passport Wizard "
    "{7A9D77BD-5403-11d2-8785-2E0420524153} "= "User Accounts "
    "{BD472F60-27FA-11cf-B8B4-444553540000} "= "Compressed (zipped) Folder Right Drag Handler "
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "= "Compressed (zipped) Folder SendTo Target "
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433} "= "Channel File "
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} "= "Channel Shortcut "
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} "= "Channel Handler Object "
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437} "= "Channel Menu "
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} "= "Channel Properties "
    "{63da6ec0-2e98-11cf-8d82-444553540000} "= "FTP Folders Webview "
    "{883373C3-BF89-11D1-BE35-080036B11A03} "= "Microsoft DocProp Shell Ext "
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D} "= "Microsoft DocProp Inplace Edit Box Control "
    "{8EE97210-FD1F-4B19-91DA-67914005F020} "= "Microsoft DocProp Inplace ML Edit Box Control "
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} "= "Microsoft DocProp Inplace Droplist Combo Control "
    "{6A205B57-2567-4A2C-B881-F787FAB579A3} "= "Microsoft DocProp Inplace Calendar Control "
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} "= "Microsoft DocProp Inplace Time Control "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Offline Files Folder "
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14} "= "Microsoft Agent Character Property Sheet Handler "
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} "= "DfsShell "
    "{60fd46de-f830-4894-a628-6fa81bc0190d} "= "%DESC_PublishDropTarget% "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{32714800-2E5F-11d0-8B85-00AA0044F941} "= "For &People... "
    "{8DD448E6-C188-4aed-AF92-44956194EB1F} "= "Windows Media Player Play as Playlist Context Menu Handler "
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} "= "Windows Media Player Burn Audio CD Context Menu Handler "
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} "= "Windows Media Player Add to Playlist Context Menu Handler "
    "{D1FB6C78-10FD-45cd-8FF4-8267D62992FB} "= "CompuServe "
    "{F802F260-519B-11D1-BB5D-0060974C6013} "= "ICQ Shell Extension "
    "{BB7DF450-F119-11CD-8465-00AA00425D90} "= "Microsoft Access Custom Icon Handler "
    "{59850401-6664-101B-B21C-00AA004BA90B} "= "Microsoft Office Binder Explode "
    "{E0D79304-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79305-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79306-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79307-84BE-11CE-9641-444553540000} "= "WinZip "
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} "= "Set Program Access and Defaults "
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED} "= "Auto Update Property Sheet Extension "
    "{14DCB44E-4ED3-467a-AF66-80D1E0E50425} "= "My Camera "
    "{5464D816-CF16-4784-B9F3-75C0DB52B499} "= "Yahoo! Mail "
    @= "CorelDRAW ESSENTIALS Shell Extension Component "
    "{596AB062-B4D2-4215-9F74-E9109B0A8153} "= "Previous Versions Property Page "
    "{9DB7A13C-F208-4981-8353-73CC61AE2783} "= "Previous Versions "
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87} "= "Extensions Manager Folder "
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "= "Shell Extensions for RealOne Player "
    "{EF9AFFA7-C2A8-4244-9658-FBF495940EF5} "=" "
    "{D8A8D9C9-B406-4389-B638-8ACE16C54B30} "=" "
    "{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B} "=" "
    "{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4} "=" "
    "{EDBD4794-C07B-4DF0-96E9-54757C38345F} "=" "
    "{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C} "=" "
    "{1D869512-5431-48CF-B3CF-DBC1776C1D4D} "=" "
    "{D563A51A-00AA-4E1D-A05B-C6959F4CA418} "=" "
    "{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB} "=" "
    "{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4} "=" "
    "{F252563E-1313-4148-96A6-66E3A1560E29} "=" "
    "{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59} "=" "
    "{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30} "=" "
    "{820CF481-8176-4E99-8387-0F102706C173} "=" "
    "{643D29B6-ED94-462A-9AD1-5D35E3981AB5} "=" "
    "{A6C918AB-C168-4A87-B878-4E1E1149155A} "=" "
    "{38083005-F415-42D0-9287-A983F8752184} "=" "
     
  5. 2005/02/08
    charperus

    L2MFIX log (2 of 2)

    Hello noahdfear,

    Here is the second portion of the L2MFIX log:

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{EF9AFFA7-C2A8-4244-9658-FBF495940EF5}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EF9AFFA7-C2A8-4244-9658-FBF495940EF5}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EF9AFFA7-C2A8-4244-9658-FBF495940EF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EF9AFFA7-C2A8-4244-9658-FBF495940EF5}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{D8A8D9C9-B406-4389-B638-8ACE16C54B30}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D8A8D9C9-B406-4389-B638-8ACE16C54B30}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D8A8D9C9-B406-4389-B638-8ACE16C54B30}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D8A8D9C9-B406-4389-B638-8ACE16C54B30}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\rzcrt4.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\hbtplug.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{EDBD4794-C07B-4DF0-96E9-54757C38345F}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EDBD4794-C07B-4DF0-96E9-54757C38345F}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EDBD4794-C07B-4DF0-96E9-54757C38345F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EDBD4794-C07B-4DF0-96E9-54757C38345F}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{1D869512-5431-48CF-B3CF-DBC1776C1D4D}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{1D869512-5431-48CF-B3CF-DBC1776C1D4D}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{1D869512-5431-48CF-B3CF-DBC1776C1D4D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{1D869512-5431-48CF-B3CF-DBC1776C1D4D}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{D563A51A-00AA-4E1D-A05B-C6959F4CA418}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D563A51A-00AA-4E1D-A05B-C6959F4CA418}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D563A51A-00AA-4E1D-A05B-C6959F4CA418}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{D563A51A-00AA-4E1D-A05B-C6959F4CA418}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\ofeacc.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\ewsvc.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{F252563E-1313-4148-96A6-66E3A1560E29}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F252563E-1313-4148-96A6-66E3A1560E29}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F252563E-1313-4148-96A6-66E3A1560E29}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{F252563E-1313-4148-96A6-66E3A1560E29}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\tjaffic.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{820CF481-8176-4E99-8387-0F102706C173}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{820CF481-8176-4E99-8387-0F102706C173}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{820CF481-8176-4E99-8387-0F102706C173}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{820CF481-8176-4E99-8387-0F102706C173}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{643D29B6-ED94-462A-9AD1-5D35E3981AB5}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{643D29B6-ED94-462A-9AD1-5D35E3981AB5}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{643D29B6-ED94-462A-9AD1-5D35E3981AB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{643D29B6-ED94-462A-9AD1-5D35E3981AB5}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A6C918AB-C168-4A87-B878-4E1E1149155A}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A6C918AB-C168-4A87-B878-4E1E1149155A}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A6C918AB-C168-4A87-B878-4E1E1149155A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A6C918AB-C168-4A87-B878-4E1E1149155A}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{38083005-F415-42D0-9287-A983F8752184}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{38083005-F415-42D0-9287-A983F8752184}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{38083005-F415-42D0-9287-A983F8752184}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{38083005-F415-42D0-9287-A983F8752184}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\gntuname.dll "
    "ThreadingModel "= "Apartment "

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    akcore.dll Tue Jan 25 2005 8:41:34p A.... 188,416 184.00 K
    akivtmxx.dll Sat Jan 29 2005 8:26:42p ..S.R 228,905 223.54 K
    aklsp.dll Tue Jan 25 2005 8:41:52p A.... 196,608 192.00 K
    akrules.dll Tue Jan 25 2005 8:41:40p A.... 110,592 108.00 K
    akupd.dll Tue Jan 25 2005 8:41:10p A.... 155,648 152.00 K
    amsldp.dll Sun Feb 6 2005 11:13:26p ..S.R 230,910 225.50 K
    cfmdlg32.dll Mon Feb 7 2005 8:00:08p ..S.R 229,261 223.89 K
    dmlayx.dll Thu Jan 27 2005 10:27:56p ..S.R 230,454 225.05 K
    docore.dll Wed Jan 26 2005 3:46:56p A.... 151,552 148.00 K
    dolsp.dll Wed Jan 26 2005 3:47:04p A.... 139,264 136.00 K
    dosync.dll Sun Feb 6 2005 8:31:08p A.... 114,688 112.00 K
    en40l1~1.dll Mon Feb 7 2005 8:38:36p ..S.R 230,237 224.84 K
    gntuname.dll Tue Feb 8 2005 11:22:10p ..S.R 229,261 223.89 K
    gp08l3~1.dll Sun Feb 6 2005 8:25:38p ..S.R 231,543 226.11 K
    gpj2l3~1.dll Tue Feb 1 2005 9:26:16p ..... 230,910 225.50 K
    h80qli~1.dll Tue Feb 8 2005 10:45:28p ..S.R 229,261 223.89 K
    hepertrm.dll Mon Feb 7 2005 2:00:56p ..S.R 228,931 223.56 K
    hkllut32.dll Fri Jan 28 2005 4:28:40p ..S.R 231,348 225.93 K
    hr0s05~1.dll Sat Jan 29 2005 4:25:48p ..... 228,905 223.54 K
    hu23msp.dll Mon Feb 7 2005 8:08:18p ..S.R 229,261 223.89 K
    hypertrm.dll Wed Nov 17 2004 12:41:24p A.... 347,136 339.00 K
    i2420c~1.dll Mon Feb 7 2005 11:23:42p ..S.R 229,261 223.89 K
    iglmco~1.dll Sat Jan 29 2005 6:50:24p ..S.R 230,952 225.54 K
    ijsecsvc.dll Tue Feb 1 2005 11:09:50p ..S.R 231,262 225.84 K
    j0p00a~1.dll Thu Feb 3 2005 4:28:16p ..S.R 231,137 225.72 K
    j8j60i~1.dll Tue Feb 1 2005 4:50:22p ..S.R 230,315 224.91 K
    jiproxy.dll Sat Jan 29 2005 2:40:24p ..S.R 231,508 226.08 K
    jr2025~1.dll Sun Jan 30 2005 12:50:26p ..S.R 228,905 223.54 K
    jt6o07~1.dll Mon Feb 7 2005 7:58:48p ..S.R 230,910 225.50 K
    k608lg~1.dll Mon Jan 31 2005 6:35:12p ..... 228,905 223.54 K
    kidfi.dll Tue Feb 1 2005 9:26:16p ..S.R 229,697 224.31 K
    lvju09~1.dll Sat Jan 29 2005 7:15:30p ..S.R 230,952 225.54 K
    m4280e~1.dll Sat Jan 29 2005 9:06:12p ..... 228,905 223.54 K
    m8820i~1.dll Tue Feb 1 2005 5:00:44p ..... 229,697 224.31 K
    m8juli~1.dll Tue Feb 8 2005 10:19:32p ..S.R 229,261 223.89 K
    mvnql9~1.dll Sat Feb 5 2005 9:55:18p ..S.R 230,910 225.50 K
    nbrrhook.dll Sun Jan 30 2005 2:16:50p ..S.R 228,905 223.54 K
    nvj029~1.dll Thu Jan 27 2005 9:58:28p ..S.R 229,209 223.84 K
    nwth.dll Mon Feb 7 2005 8:25:18p ..S.R 229,261 223.89 K
    o2pq0c~1.dll Mon Feb 7 2005 10:07:36p ..S.R 229,261 223.89 K
    o4ns0e~1.dll Sat Jan 29 2005 9:36:56p ..S.R 228,905 223.54 K
    p6p60g~1.dll Sun Feb 6 2005 8:46:58p ..S.R 231,543 226.11 K
    pbutoenr.dll Mon Feb 7 2005 8:11:32p ..S.R 229,582 224.20 K
    q468le~1.dll Sat Jan 29 2005 9:11:18p ..S.R 228,905 223.54 K
    rovpsp.dll Sat Jan 29 2005 8:53:12p ..... 228,905 223.54 K
    smlsrv32.dll Sat Jan 29 2005 9:07:48p ..S.R 228,905 223.54 K
    sporder.dll Tue Jan 25 2005 8:41:42p A.... 8,464 8.27 K
    yxucsjhq.dll Mon Feb 7 2005 7:55:20p A.... 273,636 267.22 K

    48 items found: 48 files (32 H/S), 0 directories.
    Total of file sizes: 10,421,149 bytes 9.94 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is B06A-A60B

    Directory of C:\WINDOWS\System32

    02/08/2005 11:22 PM 229,261 gntuname.dll
    02/08/2005 10:45 PM 229,261 h80qlid5180.dll
    02/08/2005 10:23 PM <DIR> dllcache
    02/08/2005 10:19 PM 229,261 m8juli1918.dll
    02/07/2005 11:23 PM 229,261 i2420choef4c0.dll
    02/07/2005 10:07 PM 229,261 o2pq0c75ef.dll
    02/07/2005 08:38 PM 230,237 en40l1hm1.dll
    02/07/2005 08:25 PM 229,261 nwth.dll
    02/07/2005 08:11 PM 229,582 pButoenr.dll
    02/07/2005 08:08 PM 229,261 hU23msp.dll
    02/07/2005 08:00 PM 229,261 cfmdlg32.dll
    02/07/2005 07:58 PM 230,910 jt6o07j3e.dll
    02/07/2005 02:00 PM 228,931 hepertrm.dll
    02/06/2005 11:13 PM 230,910 amsldp.dll
    02/06/2005 08:46 PM 231,543 p6p60g7se6.dll
    02/06/2005 08:25 PM 231,543 gp08l3du1.dll
    02/05/2005 09:55 PM 230,910 mvnql9551.dll
    02/03/2005 04:28 PM 231,137 j0p00a7med.dll
    02/01/2005 11:09 PM 231,262 ijsecsvc.dll
    02/01/2005 09:26 PM 229,697 kidfi.dll
    02/01/2005 04:50 PM 230,315 j8j60i1se8.dll
    01/30/2005 02:16 PM 228,905 nBrrhook.dll
    01/30/2005 12:50 PM 228,905 jr2025fmg.dll
    01/29/2005 09:36 PM 228,905 o4ns0e57eh.dll
    01/29/2005 09:11 PM 228,905 q468leju1ho8.dll
    01/29/2005 09:07 PM 228,905 smlsrv32.dll
    01/29/2005 08:26 PM 228,905 akivtmxx.dll
    01/29/2005 07:15 PM 230,952 lvju0919e.dll
    01/29/2005 06:50 PM 230,952 iGlmCoIn_0_v8.dll
    01/29/2005 02:40 PM 231,508 jiproxy.dll
    01/28/2005 04:28 PM 231,348 HKLLUT32.DLL
    01/27/2005 10:27 PM 230,454 dmlayx.dll
    01/27/2005 09:58 PM 229,209 nvj0291mg.dll
    02/11/2003 04:44 PM <DIR> Microsoft
    02/11/2003 04:40 PM 32 {08B1803E-EB8A-4E3F-9C45-3EFA9DFE074B}.dat
    02/11/2003 03:04 PM 8,192 Thumbs.db
    34 File(s) 7,367,142 bytes
    2 Dir(s) 38,456,487,936 bytes free
     
  6. 2005/02/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    Going to bed and will check back in tomorrow evening. ;)
     
  7. 2005/02/09
    charperus

    charperus Inactive Thread Starter

    Option#2-L2MFIX Log enclosed (1 of 2)

    Hello Noahdfear,

    Following your advice, I have run Option 2 of L2MFIX:

    L2Mfix 1.02a

    Running From:
    C:\Documents and Settings\Jack\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone "
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\Jack\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Jack\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1308 'explorer.exe'
    Killing PID 1308 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1600 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\akivtmxx.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\amsldp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\arcups.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\cfmdlg32.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\deuiext.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dmlayx.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en40l1hm1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\gp08l3du1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\gpj2l31o1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\hepertrm.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\HKLLUT32.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\hr0s05d7e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\hU23msp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\i2420choef4c0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\iGlmCoIn_0_v8.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ijsecsvc.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\j0p00a7med.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\j8j60i1se8.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\jiproxy.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\jr2025fmg.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\jt6o07j3e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\k608lgdu1608.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\kidfi.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lvju0919e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m4280efueh280.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m8820iloe8qc0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mv0sl9d71.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mvnql9551.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\nBrrhook.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\nvj0291mg.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\nwth.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o2pq0c75ef.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o4ns0e57eh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\p6p60g7se6.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\pButoenr.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\q468leju1ho8.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\rovpsp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\smlsrv32.dll
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\akivtmxx.dll
    Successfully Deleted: C:\WINDOWS\system32\akivtmxx.dll
    deleting: C:\WINDOWS\system32\amsldp.dll
    Successfully Deleted: C:\WINDOWS\system32\amsldp.dll
    deleting: C:\WINDOWS\system32\arcups.dll
    Successfully Deleted: C:\WINDOWS\system32\arcups.dll
    deleting: C:\WINDOWS\system32\cfmdlg32.dll
    Successfully Deleted: C:\WINDOWS\system32\cfmdlg32.dll
    deleting: C:\WINDOWS\system32\deuiext.dll
    Successfully Deleted: C:\WINDOWS\system32\deuiext.dll
    deleting: C:\WINDOWS\system32\dmlayx.dll
    Successfully Deleted: C:\WINDOWS\system32\dmlayx.dll
    deleting: C:\WINDOWS\system32\en40l1hm1.dll
    Successfully Deleted: C:\WINDOWS\system32\en40l1hm1.dll
    deleting: C:\WINDOWS\system32\gp08l3du1.dll
    Successfully Deleted: C:\WINDOWS\system32\gp08l3du1.dll
    deleting: C:\WINDOWS\system32\gpj2l31o1.dll
    Successfully Deleted: C:\WINDOWS\system32\gpj2l31o1.dll
    deleting: C:\WINDOWS\system32\hepertrm.dll
    Successfully Deleted: C:\WINDOWS\system32\hepertrm.dll
    deleting: C:\WINDOWS\system32\HKLLUT32.DLL
    Successfully Deleted: C:\WINDOWS\system32\HKLLUT32.DLL
    deleting: C:\WINDOWS\system32\hr0s05d7e.dll
    Successfully Deleted: C:\WINDOWS\system32\hr0s05d7e.dll
    deleting: C:\WINDOWS\system32\hU23msp.dll
    Successfully Deleted: C:\WINDOWS\system32\hU23msp.dll
    deleting: C:\WINDOWS\system32\i2420choef4c0.dll
    Successfully Deleted: C:\WINDOWS\system32\i2420choef4c0.dll
    deleting: C:\WINDOWS\system32\iGlmCoIn_0_v8.dll
    Successfully Deleted: C:\WINDOWS\system32\iGlmCoIn_0_v8.dll
    deleting: C:\WINDOWS\system32\ijsecsvc.dll
    Successfully Deleted: C:\WINDOWS\system32\ijsecsvc.dll
    deleting: C:\WINDOWS\system32\j0p00a7med.dll
    Successfully Deleted: C:\WINDOWS\system32\j0p00a7med.dll
    deleting: C:\WINDOWS\system32\j8j60i1se8.dll
    Successfully Deleted: C:\WINDOWS\system32\j8j60i1se8.dll
    deleting: C:\WINDOWS\system32\jiproxy.dll
    Successfully Deleted: C:\WINDOWS\system32\jiproxy.dll
    deleting: C:\WINDOWS\system32\jr2025fmg.dll
    Successfully Deleted: C:\WINDOWS\system32\jr2025fmg.dll
    deleting: C:\WINDOWS\system32\jt6o07j3e.dll
    Successfully Deleted: C:\WINDOWS\system32\jt6o07j3e.dll
    deleting: C:\WINDOWS\system32\k608lgdu1608.dll
    Successfully Deleted: C:\WINDOWS\system32\k608lgdu1608.dll
    deleting: C:\WINDOWS\system32\kidfi.dll
    Successfully Deleted: C:\WINDOWS\system32\kidfi.dll
    deleting: C:\WINDOWS\system32\lvju0919e.dll
    Successfully Deleted: C:\WINDOWS\system32\lvju0919e.dll
    deleting: C:\WINDOWS\system32\m4280efueh280.dll
    Successfully Deleted: C:\WINDOWS\system32\m4280efueh280.dll
    deleting: C:\WINDOWS\system32\m8820iloe8qc0.dll
    Successfully Deleted: C:\WINDOWS\system32\m8820iloe8qc0.dll
    deleting: C:\WINDOWS\system32\mv0sl9d71.dll
    Successfully Deleted: C:\WINDOWS\system32\mv0sl9d71.dll
    deleting: C:\WINDOWS\system32\mvnql9551.dll
    Successfully Deleted: C:\WINDOWS\system32\mvnql9551.dll
    deleting: C:\WINDOWS\system32\nBrrhook.dll
    Successfully Deleted: C:\WINDOWS\system32\nBrrhook.dll
    deleting: C:\WINDOWS\system32\nvj0291mg.dll
    Successfully Deleted: C:\WINDOWS\system32\nvj0291mg.dll
    deleting: C:\WINDOWS\system32\nwth.dll
    Successfully Deleted: C:\WINDOWS\system32\nwth.dll
    deleting: C:\WINDOWS\system32\o2pq0c75ef.dll
    Successfully Deleted: C:\WINDOWS\system32\o2pq0c75ef.dll
    deleting: C:\WINDOWS\system32\o4ns0e57eh.dll
    Successfully Deleted: C:\WINDOWS\system32\o4ns0e57eh.dll
    deleting: C:\WINDOWS\system32\p6p60g7se6.dll
    Successfully Deleted: C:\WINDOWS\system32\p6p60g7se6.dll
    deleting: C:\WINDOWS\system32\pButoenr.dll
    Successfully Deleted: C:\WINDOWS\system32\pButoenr.dll
    deleting: C:\WINDOWS\system32\q468leju1ho8.dll
    Successfully Deleted: C:\WINDOWS\system32\q468leju1ho8.dll
    deleting: C:\WINDOWS\system32\rovpsp.dll
    Successfully Deleted: C:\WINDOWS\system32\rovpsp.dll
    deleting: C:\WINDOWS\system32\smlsrv32.dll
    Successfully Deleted: C:\WINDOWS\system32\smlsrv32.dll

    Desktop.ini sucessfully removed

    The second part of this log will follow in the next post.

    THANKS

    Chris.
     
  8. 2005/02/09
    charperus

    charperus Inactive Thread Starter

    Option-2 L2MFIX (2 of 2)

    Here is the second part of Option#2 L2MFIX:

    Zipping up files for submission:
    adding: akivtmxx.dll (164 bytes security) (deflated 4%)
    adding: amsldp.dll (164 bytes security) (deflated 5%)
    adding: arcups.dll (164 bytes security) (deflated 5%)
    adding: cfmdlg32.dll (164 bytes security) (deflated 5%)
    adding: deuiext.dll (164 bytes security) (deflated 5%)
    adding: dmlayx.dll (164 bytes security) (deflated 5%)
    adding: en40l1hm1.dll (164 bytes security) (deflated 5%)
    adding: gp08l3du1.dll (164 bytes security) (deflated 6%)
    adding: gpj2l31o1.dll (164 bytes security) (deflated 5%)
    adding: hepertrm.dll (164 bytes security) (deflated 4%)
    adding: HKLLUT32.DLL (164 bytes security) (deflated 5%)
    adding: hr0s05d7e.dll (164 bytes security) (deflated 4%)
    adding: hU23msp.dll (164 bytes security) (deflated 5%)
    adding: i2420choef4c0.dll (164 bytes security) (deflated 5%)
    adding: iGlmCoIn_0_v8.dll (164 bytes security) (deflated 5%)
    adding: ijsecsvc.dll (164 bytes security) (deflated 5%)
    adding: j0p00a7med.dll (164 bytes security) (deflated 5%)
    adding: j8j60i1se8.dll (164 bytes security) (deflated 5%)
    adding: jiproxy.dll (164 bytes security) (deflated 5%)
    adding: jr2025fmg.dll (164 bytes security) (deflated 4%)
    adding: jt6o07j3e.dll (164 bytes security) (deflated 5%)
    adding: k608lgdu1608.dll (164 bytes security) (deflated 4%)
    adding: kidfi.dll (164 bytes security) (deflated 5%)
    adding: lvju0919e.dll (164 bytes security) (deflated 5%)
    adding: m4280efueh280.dll (164 bytes security) (deflated 4%)
    adding: m8820iloe8qc0.dll (164 bytes security) (deflated 5%)
    adding: mv0sl9d71.dll (164 bytes security) (deflated 5%)
    adding: mvnql9551.dll (164 bytes security) (deflated 5%)
    adding: nBrrhook.dll (164 bytes security) (deflated 4%)
    adding: nvj0291mg.dll (164 bytes security) (deflated 4%)
    adding: nwth.dll (164 bytes security) (deflated 5%)
    adding: o2pq0c75ef.dll (164 bytes security) (deflated 5%)
    adding: o4ns0e57eh.dll (164 bytes security) (deflated 4%)
    adding: p6p60g7se6.dll (164 bytes security) (deflated 6%)
    adding: pButoenr.dll (164 bytes security) (deflated 5%)
    adding: q468leju1ho8.dll (164 bytes security) (deflated 4%)
    adding: rovpsp.dll (164 bytes security) (deflated 4%)
    adding: smlsrv32.dll (164 bytes security) (deflated 4%)
    adding: clear.reg (164 bytes security) (deflated 68%)
    adding: echo.reg (164 bytes security) (deflated 8%)
    adding: desktop.ini (164 bytes security) (deflated 14%)
    adding: direct.txt (164 bytes security) (stored 0%)
    adding: lo2.txt (164 bytes security) (deflated 85%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 72%)
    adding: report_Feb082005.txt (164 bytes security) (deflated 71%)
    adding: test.txt (164 bytes security) (deflated 80%)
    adding: test2.txt (164 bytes security) (deflated 48%)
    adding: test3.txt (164 bytes security) (deflated 48%)
    adding: test5.txt (164 bytes security) (deflated 48%)
    adding: xfind.txt (164 bytes security) (deflated 75%)
    adding: backregs/0AB66B7F-B55B-4567-BFF0-840AC5B92B5B.reg (164 bytes security) (deflated 70%)
    adding: backregs/1D869512-5431-48CF-B3CF-DBC1776C1D4D.reg (164 bytes security) (deflated 70%)
    adding: backregs/38083005-F415-42D0-9287-A983F8752184.reg (164 bytes security) (deflated 70%)
    adding: backregs/643D29B6-ED94-462A-9AD1-5D35E3981AB5.reg (164 bytes security) (deflated 70%)
    adding: backregs/820CF481-8176-4E99-8387-0F102706C173.reg (164 bytes security) (deflated 70%)
    adding: backregs/9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB.reg (164 bytes security) (deflated 70%)
    adding: backregs/A6C918AB-C168-4A87-B878-4E1E1149155A.reg (164 bytes security) (deflated 70%)
    adding: backregs/B8BF1939-83F7-4C46-8E8F-2BBA6268BD30.reg (164 bytes security) (deflated 70%)
    adding: backregs/CD04A42D-4FBB-4040-92C0-3EEC5E76B57C.reg (164 bytes security) (deflated 70%)
    adding: backregs/D563A51A-00AA-4E1D-A05B-C6959F4CA418.reg (164 bytes security) (deflated 70%)
    adding: backregs/D8A8D9C9-B406-4389-B638-8ACE16C54B30.reg (164 bytes security) (deflated 70%)
    adding: backregs/E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4.reg (164 bytes security) (deflated 70%)
    adding: backregs/EB6420E5-DE24-4759-A8BF-C44BBEA4CC59.reg (164 bytes security) (deflated 70%)
    adding: backregs/EDBD4794-C07B-4DF0-96E9-54757C38345F.reg (164 bytes security) (deflated 70%)
    adding: backregs/EF9AFFA7-C2A8-4244-9658-FBF495940EF5.reg (164 bytes security) (deflated 70%)
    adding: backregs/F252563E-1313-4148-96A6-66E3A1560E29.reg (164 bytes security) (deflated 70%)
    adding: backregs/F7D9A06F-370E-4F36-89A9-83EBFD65B4A4.reg (164 bytes security) (deflated 70%)
    adding: backregs/shell.reg (164 bytes security) (deflated 73%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone "


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: akivtmxx.dll
    deleting local copy: amsldp.dll
    deleting local copy: arcups.dll
    deleting local copy: cfmdlg32.dll
    deleting local copy: deuiext.dll
    deleting local copy: dmlayx.dll
    deleting local copy: en40l1hm1.dll
    deleting local copy: gp08l3du1.dll
    deleting local copy: gpj2l31o1.dll
    deleting local copy: hepertrm.dll
    deleting local copy: HKLLUT32.DLL
    deleting local copy: hr0s05d7e.dll
    deleting local copy: hU23msp.dll
    deleting local copy: i2420choef4c0.dll
    deleting local copy: iGlmCoIn_0_v8.dll
    deleting local copy: ijsecsvc.dll
    deleting local copy: j0p00a7med.dll
    deleting local copy: j8j60i1se8.dll
    deleting local copy: jiproxy.dll
    deleting local copy: jr2025fmg.dll
    deleting local copy: jt6o07j3e.dll
    deleting local copy: k608lgdu1608.dll
    deleting local copy: kidfi.dll
    deleting local copy: lvju0919e.dll
    deleting local copy: m4280efueh280.dll
    deleting local copy: m8820iloe8qc0.dll
    deleting local copy: mv0sl9d71.dll
    deleting local copy: mvnql9551.dll
    deleting local copy: nBrrhook.dll
    deleting local copy: nvj0291mg.dll
    deleting local copy: nwth.dll
    deleting local copy: o2pq0c75ef.dll
    deleting local copy: o4ns0e57eh.dll
    deleting local copy: p6p60g7se6.dll
    deleting local copy: pButoenr.dll
    deleting local copy: q468leju1ho8.dll
    deleting local copy: rovpsp.dll
    deleting local copy: smlsrv32.dll

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous "=dword:00000000
    "DllName "=" "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\akivtmxx.dll
    C:\WINDOWS\system32\amsldp.dll
    C:\WINDOWS\system32\arcups.dll
    C:\WINDOWS\system32\cfmdlg32.dll
    C:\WINDOWS\system32\deuiext.dll
    C:\WINDOWS\system32\dmlayx.dll
    C:\WINDOWS\system32\en40l1hm1.dll
    C:\WINDOWS\system32\gp08l3du1.dll
    C:\WINDOWS\system32\gpj2l31o1.dll
    C:\WINDOWS\system32\hepertrm.dll
    C:\WINDOWS\system32\HKLLUT32.DLL
    C:\WINDOWS\system32\hr0s05d7e.dll
    C:\WINDOWS\system32\hU23msp.dll
    C:\WINDOWS\system32\i2420choef4c0.dll
    C:\WINDOWS\system32\iGlmCoIn_0_v8.dll
    C:\WINDOWS\system32\ijsecsvc.dll
    C:\WINDOWS\system32\j0p00a7med.dll
    C:\WINDOWS\system32\j8j60i1se8.dll
    C:\WINDOWS\system32\jiproxy.dll
    C:\WINDOWS\system32\jr2025fmg.dll
    C:\WINDOWS\system32\jt6o07j3e.dll
    C:\WINDOWS\system32\k608lgdu1608.dll
    C:\WINDOWS\system32\kidfi.dll
    C:\WINDOWS\system32\lvju0919e.dll
    C:\WINDOWS\system32\m4280efueh280.dll
    C:\WINDOWS\system32\m8820iloe8qc0.dll
    C:\WINDOWS\system32\mv0sl9d71.dll
    C:\WINDOWS\system32\mvnql9551.dll
    C:\WINDOWS\system32\nBrrhook.dll
    C:\WINDOWS\system32\nvj0291mg.dll
    C:\WINDOWS\system32\nwth.dll
    C:\WINDOWS\system32\o2pq0c75ef.dll
    C:\WINDOWS\system32\o4ns0e57eh.dll
    C:\WINDOWS\system32\p6p60g7se6.dll
    C:\WINDOWS\system32\pButoenr.dll
    C:\WINDOWS\system32\q468leju1ho8.dll
    C:\WINDOWS\system32\rovpsp.dll
    C:\WINDOWS\system32\smlsrv32.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{EF9AFFA7-C2A8-4244-9658-FBF495940EF5} "=-
    "{D8A8D9C9-B406-4389-B638-8ACE16C54B30} "=-
    "{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B} "=-
    "{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4} "=-
    "{EDBD4794-C07B-4DF0-96E9-54757C38345F} "=-
    "{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C} "=-
    "{1D869512-5431-48CF-B3CF-DBC1776C1D4D} "=-
    "{D563A51A-00AA-4E1D-A05B-C6959F4CA418} "=-
    "{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB} "=-
    "{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4} "=-
    "{F252563E-1313-4148-96A6-66E3A1560E29} "=-
    "{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59} "=-
    "{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30} "=-
    "{820CF481-8176-4E99-8387-0F102706C173} "=-
    "{643D29B6-ED94-462A-9AD1-5D35E3981AB5} "=-
    "{A6C918AB-C168-4A87-B878-4E1E1149155A} "=-
    "{38083005-F415-42D0-9287-A983F8752184} "=-
    [-HKEY_CLASSES_ROOT\CLSID\{EF9AFFA7-C2A8-4244-9658-FBF495940EF5}]
    [-HKEY_CLASSES_ROOT\CLSID\{D8A8D9C9-B406-4389-B638-8ACE16C54B30}]
    [-HKEY_CLASSES_ROOT\CLSID\{0AB66B7F-B55B-4567-BFF0-840AC5B92B5B}]
    [-HKEY_CLASSES_ROOT\CLSID\{F7D9A06F-370E-4F36-89A9-83EBFD65B4A4}]
    [-HKEY_CLASSES_ROOT\CLSID\{EDBD4794-C07B-4DF0-96E9-54757C38345F}]
    [-HKEY_CLASSES_ROOT\CLSID\{CD04A42D-4FBB-4040-92C0-3EEC5E76B57C}]
    [-HKEY_CLASSES_ROOT\CLSID\{1D869512-5431-48CF-B3CF-DBC1776C1D4D}]
    [-HKEY_CLASSES_ROOT\CLSID\{D563A51A-00AA-4E1D-A05B-C6959F4CA418}]
    [-HKEY_CLASSES_ROOT\CLSID\{9DE0E9DA-E50A-41DE-A493-F71FC9BDF1AB}]
    [-HKEY_CLASSES_ROOT\CLSID\{E0BE904C-FDCD-44D2-ACEA-B2CA6309E9F4}]
    [-HKEY_CLASSES_ROOT\CLSID\{F252563E-1313-4148-96A6-66E3A1560E29}]
    [-HKEY_CLASSES_ROOT\CLSID\{EB6420E5-DE24-4759-A8BF-C44BBEA4CC59}]
    [-HKEY_CLASSES_ROOT\CLSID\{B8BF1939-83F7-4C46-8E8F-2BBA6268BD30}]
    [-HKEY_CLASSES_ROOT\CLSID\{820CF481-8176-4E99-8387-0F102706C173}]
    [-HKEY_CLASSES_ROOT\CLSID\{643D29B6-ED94-462A-9AD1-5D35E3981AB5}]
    [-HKEY_CLASSES_ROOT\CLSID\{A6C918AB-C168-4A87-B878-4E1E1149155A}]
    [-HKEY_CLASSES_ROOT\CLSID\{38083005-F415-42D0-9287-A983F8752184}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{35C4CF88-2D49-4FE1-AE99-1D8A178C3FCC} "=-
    "SV1 "=" "
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{35C4CF88-2D49-4FE1-AE99-1D8A178C3FCC}</IDone>
    <IDtwo>VT00</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
     
  9. 2005/02/09
    charperus

    HiJackThis second Log (AFTER L2MFIX Option-2) (1 of 2)

    Noahdfear,

    Here is the second log of HiJackThis (AFTER option-2 of L2MFIX):

    Logfile of HijackThis v1.99.0
    Scan saved at 9:22:14 PM, on 2/9/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\Program Files\QuickTime6\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HiJackThis\HijackThis.exe
     
  10. 2005/02/09
    charperus

    HiJackThis second Log (AFTER L2MFIX Option-2) (2 of 2)

    Here is the second & last part of HiJackThis-log:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - C:\WINDOWS\system32\kdwchqqe.dll
    O2 - BHO: (no name) - {82817A13-CCB0-C237-5BA1-596CB3A00A77} - C:\WINDOWS\system32\obpbgzaz.dll (file missing)
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - C:\WINDOWS\system32\yxucsjhq.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime6\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title= "CorelDRAW ESSENTIALS" /date=022305 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [adjwxoco] C:\WINDOWS\system32\adjwxoco.exe
    O4 - HKLM\..\Run: [zmkscmmd] C:\WINDOWS\system32\zmkscmmd.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GroovePnP - Unknown - C:\WINDOWS\twain_32\SiPix\Groove\Srvany.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: ctoaihqkcfoy - Unknown - C:\WINDOWS\system32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


    THANKS for your patience & efforts,

    Chris
     
  11. 2005/02/09
    noahdfear

    Make sure you're using the newest version of Ad-aware (SE Personal 1.5) and check for updates.

    Download LSPFix.exe.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/....optional......leave if you set this as homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com....optional......not Microsoft default, but OEM default
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/....optional......not Microsoft default, but OEM default
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - C:\WINDOWS\system32\kdwchqqe.dll
    O2 - BHO: (no name) - {82817A13-CCB0-C237-5BA1-596CB3A00A77} - C:\WINDOWS\system32\obpbgzaz.dll (file missing)
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - C:\WINDOWS\system32\yxucsjhq.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime6\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title= "CorelDRAW ESSENTIALS" /date=022305 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [adjwxoco] C:\WINDOWS\system32\adjwxoco.exe
    O4 - HKLM\..\Run: [zmkscmmd] C:\WINDOWS\system32\zmkscmmd.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan Fake/rogue Antispyware program...aggressive advertising; false positives work as goad to purchase; free scanner uses out of date ref database; same company as Spyware Vanisher
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE........more info on findfast here
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com....optional......not Microsoft default, but OEM default
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab

    O23 - Service: ctoaihqkcfoy - Unknown - C:\WINDOWS\system32\msupd5.exe


    Open LSPFix, move the files aklsp.dll and dolsp.dll to the remove column, check the box I know what I'm doing and click finish.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open C: and delete the folder freescan.
    Open C:\WINDOWS\system32 and delete the files adjwxoco.exe, zmkscmmd.exe, msupd5.exe and pc32.exe if present.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Then open the Java Plug-in, click the cache tab and then clear. This will only apply if you have installed Sun Java.
    Open Ad-aware and run in full scan mode. Delete all it finds.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
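    An added triage script (example code written for this page, not from the thread, HijackThis or L2MFIX) that applies rules of the same kind as the fix list above to a pasted HJT log. The sample log is constructed from lines posted in this thread; the 8-letter-name rule and the small allowlist are my own heuristics, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not code from the thread or from HijackThis. It encodes the
kind of judgement applied in the fix list above: orphaned entries, hosts-file
redirects, unnamed BHOs, unknown LSPs and services, and random-looking
filenames in system32 are flagged for review; everything else is left alone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the logs posted in the thread, plus two
# known-good entries (Intel igfxtray.exe, Spybot SDHelper.dll) from the same logs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - C:\WINDOWS\system32\kdwchqqe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [adjwxoco] C:\WINDOWS\system32\adjwxoco.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: ctoaihqkcfoy - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
"""

# Every HJT line starts with a section tag (R0..R3, F0.., O1..O23) and " - ".
LINE_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Heuristic: an 8-letter lowercase name in system32 is how this family names
# its droppers (adjwxoco.exe, zmkscmmd.exe, kdwchqqe.dll). Legitimate files
# that happen to fit the pattern go in the allowlist (constructed, lower-case).
RANDOM_NAME_RE = re.compile(r"\\system32\\([a-z]{8}\.(?:exe|dll))\b", re.IGNORECASE)
KNOWN_GOOD = {"igfxtray.exe", "sdhelper.dll"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line that deserves review, else None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    # Orphans first: an entry pointing at a deleted file is safe to remove
    # even when the file it named was legitimate.
    if any(marker in body for marker in ORPHAN_MARKERS):
        return Finding(section, "orphaned entry: points at a file that no longer exists", line)
    if any(good in body.lower() for good in KNOWN_GOOD):
        return None
    if section == "O1":
        # HJT only lists hosts entries beyond the default; a search domain
        # mapped to a remote address is a hijack, not a user customization.
        return Finding(section, "hosts-file redirect", line)
    if section == "O2" and body.startswith("BHO: (no name)"):
        return Finding(section, "unnamed Browser Helper Object", line)
    if section == "O10":
        return Finding(section, "unknown Winsock LSP; repair the chain with LSPFix, do not just delete the DLL", line)
    if section == "O23" and " - Unknown - " in body:
        return Finding(section, "service with no vendor information", line)
    if RANDOM_NAME_RE.search(body):
        return Finding(section, "random-looking filename in system32", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole pasted HJT log, keeping log order."""
    findings = []
    for raw in text.splitlines():
        found = triage_line(raw)
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

    Note what it misses: pc32.exe was flagged above from experience rather than from any pattern, so a script like this narrows the review but does not replace it.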
     
  12. 2005/02/10
    charperus

    Spring Cleaning successful (?) HJT-log inc.

    Hello Noahdfear,

    WOW! It was amazing with ALL the action-items that you had suggested. And the last Ad-Aware scan showed nothing...

    RAV does NOT let me download their software anymore, and "onLine-scan" seems to be "tedious" (one file at a time) ...I will look around ... for some other ANTI-VIRUS-software on this site.

    MANY THANKS for your patience & efforts,

    Chris.

    Here is the last HJT-log:

    Logfile of HijackThis v1.99.0
    Scan saved at 2:25:11 PM, on 2/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - (no file)
    O2 - BHO: (no name) - {82817A13-CCB0-C237-5BA1-596CB3A00A77} - (no file)
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GroovePnP - Unknown - C:\WINDOWS\twain_32\SiPix\Groove\Srvany.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
     
  13. 2005/02/10
    noahdfear

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - (no file)
    O2 - BHO: (no name) - {82817A13-CCB0-C237-5BA1-596CB3A00A77} - (no file)
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - (no file)
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O23 - Service: GroovePnP - Unknown - C:\WINDOWS\twain_32\SiPix\Groove\Srvany.exe (file missing)

    Reboot.

    To scan your computer with RAV, click where it says to continue without subscribing click here. Wait for the definitions to load, then click scan my computer.

    Post a new HJT log along with the online scan results.

    I also recommend you Uninstall Windows Messenger, immediately after using Task Manager to stop the msmsgs.exe process. Norton Instant Messaging Monitor will restart the process rather quickly, which may interfere with the uninstallation.
     
  14. 2005/02/10
    charperus

    AVG-scan resulted in multiple Trojan Horse Downloader.Agent.7.F

    Hello Noahdfear,

    After trying unsuccessfully with RAV's On-Line-Scan (my bad...), I downloaded AVG and scanned the whole system, and by the end AVG had found and deleted six Trojan Horse Downloader.Agent.7.F the first time.

    After reboot, I scanned again and AVG has so far found two more (of the same).

    At this moment, I am doing the HJT as you had suggested and will send the HJT-log ASAP.

    THANKS

    Chris

    Here is the HJT-log ; and the three BHO (no name) still showed up AFTER several HiJackThis' attempts:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:19:00 PM, on 2/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59A61955-C9FE-41C7-238A-6949A77ACF5E} - (no file)
    O2 - BHO: (no name) - {82817A13-CCB0-C237-5BA1-596CB3A00A77} - (no file)
    O2 - BHO: (no name) - {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
     
  15. 2005/02/11
    noahdfear

    Download: supershell.zip
    http://p-nand-q.com/download/tools/supershell.zip

    Unzip supershell.zip to its own folder.

    Make sure you are logged in under an Administrator account.
    (or are a user with Administrator privileges)
    Open the unzipped SuperShell folder.
    Double-click (launch) SuperShell.exe.

    This will launch a Command Prompt window.
    Type regedit and press ENTER to open the registry editor.

    Click Edit on the toolbar and paste the following:

    {59A61955-C9FE-41C7-238A-6949A77ACF5E}

    Click Find Now, once located, right-click the entry and select: Delete (Ok the prompt).
    Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

    Click edit again and repeat the above steps for the following.

    {82817A13-CCB0-C237-5BA1-596CB3A00A77}

    then

    {D8523B64-55B4-58E2-6FD1-3D811ED8E8ED}

    Close REGEDIT and then in SuperShell (type and press ENTER) EXIT.

    Reboot and run another HJT scan. Let us know if the BHOs are still present.

    Try running Panda ActiveScan.
     
  16. 2005/02/12
    charperus

    BHO (no name) deletion UNSUCCESSFUL

    Hello Noahdfear,

    After double-checking that I logged in as Administrator, downloaded/installed Supershell.exe in a Folder...executed ALL the Registry edit-actions as you had described, then after reboot, the THREE BHO (no names) still showed up in HJT-log.

    I have repeated MANY times, but to no avail, the three BHO's are still displayed in HJT-log.

    THANKS for your patience & efforts,

    Chris
     
  17. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This is a permissions problem on those registry entries (malware's latest tricks :( ) and will take some manual steps in the registry to remove. Supershell is supposed to overcome those permission problems, but obviously didn't in this case. If you're comfortable with going into the registry, I'll post the necessary steps to remove them. They can't really hurt anything at this point since there is no file for them to point to and use. Your call whether or not to proceed. ;)

    Were you able to run Panda?
     
  18. 2005/02/12
    charperus

    charperus Inactive Thread Starter

    Joined:
    2005/02/08
    Messages:
    17
    Likes Received:
    0
    PANDA Active Scan & Registry-Editing

    Hello Noahdfear,

    I am quite comfortable with using any tool to edit the Registry...please advise me further ... so far I am having a "ball" and learning from a Master like you is really worth it....!!!.

    As for Panda Active Scan, I am doing it right now...will post any results to you later on....

    THANKS again "Master ",

    Chris
     
  19. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Repeat the supershell instructions to search for each entry, and before trying to delete, right click each key and select properties. Click Advanced button, then owner tab. Select Administrators, check the box to Replace owner on subcontainers and objects, click apply and OK. Click the Administrators entry under Groups or user names and make sure full control is checked below. Click OK, then right click and delete the key.

    Let us know how it goes. ;)
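As an added example that is not part of the thread (none of this is noahdfear's or charperus's code, and PowerShell itself post-dates the thread), the script below does from a shell what the steps above do by hand in regedit: it lists the Browser Helper Object registrations that HijackThis reports as O2 lines, flags the "(no name) - (no file)" ones, and reports each key's owner and whether BUILTIN\Administrators hold Full Control, which is the permissions problem that blocked the deletion. It assumes an elevated PowerShell session on the affected machine; the three CLSIDs are the ones from this thread, and nothing is modified.

```powershell
# Added example, not from the thread: audit BHO registrations (HijackThis O2 lines) and show
# which keys have had their ACL stripped so Administrators can no longer delete them.
$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# The three CLSIDs discussed in this thread, so they stand out in the report.
$ThreadClsids = @('{59A61955-C9FE-41C7-238A-6949A77ACF5E}',
                  '{82817A13-CCB0-C237-5BA1-596CB3A00A77}',
                  '{D8523B64-55B4-58E2-6FD1-3D811ED8E8ED}')

function Test-AdminsFullControl([System.Security.AccessControl.RegistrySecurity]$Acl) {
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            (($rule.RegistryRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

function Get-BhoAudit {
    if (-not (Test-Path $BhoRoot)) { return }
    foreach ($key in Get-ChildItem -Path $BhoRoot) {
        $clsid  = $key.PSChildName                       # e.g. {59A61955-C9FE-41C7-238A-6949A77ACF5E}
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null; $dllExists = $false
        if (Test-Path $clsKey) {
            $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                $dllPath   = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $dllExists = Test-Path -LiteralPath $dllPath
            }
        }
        # A key whose DACL denies even READ_CONTROL makes Get-Acl fail; report that as locked.
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid             = $clsid
            Name              = $(if ($name) { $name } else { '(no name)' })
            Dll               = $(if ($dll)  { $dll }  else { '(no file)' })
            Orphaned          = (-not $name) -and (-not $dllExists)   # what HJT shows as "(no name) - (no file)"
            FromThread        = $ThreadClsids -contains $clsid
            Owner             = $(if ($acl) { $acl.Owner } else { 'ACCESS DENIED' })
            AdminsFullControl = $(if ($acl) { Test-AdminsFullControl $acl } else { $false })
        }
    }
}

# Rows with Orphaned = True and AdminsFullControl = False are the locked keys that still need
# the take-ownership / Full Control steps above before regedit will delete them.
Get-BhoAudit | Sort-Object FromThread -Descending | Format-Table -AutoSize
```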
     
  20. 2005/02/12
    charperus

    charperus Inactive Thread Starter

    Joined:
    2005/02/08
    Messages:
    17
    Likes Received:
    0
    Panda Active Scan & Supershell's regedit.

    Hello Noahdfear,

    Panda ActiveScan scanned my computer the first time and found (and disinfected automatically during the scan) three infected files and unfortunately my pop up blocker was activated at the time and PandaActiveScan could NOT send me a report.
    So I tried a second Panda scan and it came clean...with ZERO infected.

    As for Supershell + regedit of the three registry keys (BHO - no name - no file) following exactly your instructions ... after a reboot the three BHO's are still there...And like you had mentioned the BHO's are "HARMLESS" now, let's leave them as they are (until some day some new version of REGISTRY's editor can take care of the little "knack ").

    In summary, since the last three days with a combination of SpyBot + Ad-Aware + AVG + HiJackThis, my computer is healthy and does NOT have any symptom or abnormalities.

    Many, Many, Many THANKS for your patience & efforts,

    Chris
     
  21. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to help, Chris. :)
     