View Full Version : CmdService, Hijacked Browser...
I have no idea what all is going on. My computer is slower than it should be, every scan I run tells me I have CmdService that I cannot get rid of and my browser gets hijacked constantly by some type of adware - I am sure that is not the extent of it. I am going nuts, to the point of considering reformatting my hard drive and being done with it.
It may take me a day or so to respond at times, my dsl is out and the guy who built my computer did not think it was important to have a decent dial-up modem for back-up so I am working with a 28K if you can imagine. So downloading progs you may recommend will take time. Couple that with being a work at home mom and you can see just how possible it is that my response time may not be what I would like.
Here is my HJT log and thanks in advance for your help. I am really looking forward to it and am grateful already for this forum.
----------------
Logfile of HijackThis v1.99.1
Scan saved at 1:38:23 AM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\chache32.exe
C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\msappview32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shepherdess-ministries.org/smBB/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [syscat] syscat.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [updatesys] updateauto.exe
O4 - HKLM\..\Run: [cc32] C:\WINDOWS\System32\cc32.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\bm22.exe
O4 - HKLM\..\Run: [WindowsUpdatetes] justest.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lass.exe
O4 - HKLM\..\Run: [cd64] C:\WINDOWS\System32\cd64.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [secures23] lattt.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7D2E83-3BD7-4711-AD4E-EA30D971BB3D}: NameServer = 205.152.144.235 205.152.37.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E7D2E83-3BD7-4711-AD4E-EA30D971BB3D}: NameServer = 205.152.144.235 205.152.37.254
O20 - AppInit_DLLs: r!3.cpl
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\n6n60g5se6.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
hi
welcome to the forums..
that log looks badly infected, looks like there are several backdoors and viruses. you may want to contact you bank and credit card company for possible unauthorised transactions!!
IMPORTANT- You need to disconnect this PC from the internet and from your network if it is on a network. Then, acceess this information from a non-compromised computer to follow the steps needed.
you need to take steps to protect your information that may have been compromised. I recommend these steps for action:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
I am going nuts, to the point of considering reformatting my hard drive and being done with it.
this is something i dont like to recommend normally, but with a computer this badly infected it would be the best solution for your safety
if you still wish to continue cleaning this, it would be best to use another conputer to download the necessary tools, it will take time on a 28k
has your ISP been contacted?
Please follow the instructions provided, you may want to print out these instructions and use them as a reference. Or copy the text here to an empty notepad window, then save as txt to a convenient place
Please download ewido anti malware (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
then launch ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.
reboot back to normal mode,
next: do an online virus scan:
go to http://www.bitdefender.com/scan/licence.php
do a full scan of system, allow it to clean infections
once the scan is complete it will show a report page, copy the text of the page into a notepd window, then save it as text to a place where you will easily find it later
then reboot the computer to complete the removal
do another scan with hijackthis, post its log , the ewido report and the results of the bitdefender scan thank you
NOTE: the scan logs can be rather large, you may need several posts to include them all. alternately you may send them to my email as attachments:
address is illukka#usermaildotcom (where #=@ and dot = . )
Please include in your mail a link to here so i know where its from
thank you and good luck for the cleaning :bigthumb:
Thank you very much. I am going to take some time this morning and decide what I should do - clean it or reformat it.
Thanks again. LOL not quite the news I wanted to hear, but not much of a surprise either.
Let me ask you a question. I was on dsl forever and had not the first issue. Scans showed a few minor issues here and there, but never like it is now. Then my dsl went down and I have been working with dial-up and bam my computer started having problems. This has only been about two weeks. Is it possible my computer has become so badly infected in that short amount of time? Or is it some of these problems have existed for longer and the effects are simply catching up with me?
Thanks again. Will let you know how I decide to handle this shortly.
hi
do you know why your dsl went down? was it a hardware issue, or did your ISP close your line because the machine was doing port scans and sending spam because of the infections?
It was a wiring problem outside of the house. It has been down and disconnected since December 27th and I have been working with dial-up since maybe the second week of January.
the major problem is this:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
an unpatched system: no windows service packs
i think the dsl modem likely had a built-in hardware firewall or router in it
and unpatched system will last only minutes on the internet without a firewall
whether you decide to clean it or format it the first thing you must do is to get a software or hardware firewall
Okay - guess I am not as net savvy as I thought - probably more of an understatement than I realize :)
I think for the time being I am going to attempt to clean this until I can get to a point that I can effectually do a reformat.
I am about to reboot and run ewido in Safe Mode like you suggested.
In the meantime - what firewalls do you recommend - possibly freeware and also hardware.
Thanks so much
Liberty
Oh I also forgot to ask/mention -
I had a computer that was set up for the automatic updates. When it would do an update my computer would act stupid so I stopped getting the automatic updates and just got in the habit of not worrying about it.
When I got this computer I never thought to worry about the updates.
At what point during this cleanup process should I get the patches?
Okay off to reboot.
Liberty
first thing is a firewall, it will stop those network worms, then when we're almost through the cleaning process we can go for the updates ( on a 28 downloading them will last ages :confused: , there will be hundreds of megabytes of updates )
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)
Logfile of HijackThis v1.99.1
Scan saved at 3:55:27 PM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\syscat.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\updateauto.exe
C:\WINDOWS\System32\justest.exe
C:\WINDOWS\System32\picviewer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [syscat] syscat.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [updatesys] updateauto.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\bm22.exe
O4 - HKLM\..\Run: [WindowsUpdatetes] justest.exe
O4 - HKLM\..\Run: [securitysys] picviewer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} -
O20 - AppInit_DLLs: r!3.cpl
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\i0240afqed2e0.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I have the BitDefender one too - I will be back with that one shortly.
I am almost embarrassed to post the ewido report. Good Grief.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:44:22 PM, 1/28/2006
+ Report-Checksum: DDD8AF9B
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
[604] C:\WINDOWS\system32\pqrfts.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\drsmartload1.exe -> Downloader.Adload.j : Cleaned with backup
C:\!KillBox\drsmartload46a.exe -> Downloader.Adload.j : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\gf4458xx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Chad\Cookies\chad@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Chad\ddddreve.exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temp\temp.fr1363 -> Spyware.CommAd : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temp\temp.frC74D -> Adware.CommAd : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\CT6B092J\drsmartload46a[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\CT6B092J\MTE3MTk6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\CT6B092J\winsysupd3[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\OTYF45UF\winsysban3[1].exe -> Hijacker.VB.kc : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\YXP9LRQ3\drevil[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Chad\sadf.exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G9UF896F\cashme[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.j : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610499.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610606.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610608.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610609.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610612.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610613.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610614.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610615.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610620.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610621.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610622.MOZ ->
Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610622.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610623.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610624.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610625.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610626.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610629.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610630.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610631.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610636.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610637.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610638.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\01610677.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.52:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.68:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.69:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\01610680.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.56:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.69:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.70:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\01612154.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.52:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.68:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.69:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\01612242.MOZ -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\cashmeex.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons : Cleaned with backup
C:\WINDOWS\system32\aziiiexx.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cachemonie.exe/rasermset.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\cachemonie.exe/drset.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\cashme.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\cc32.exe -> Proxy.Agent.ic : Cleaned with backup
C:\WINDOWS\system32\cd64.exe -> Proxy.Agent.ic : Cleaned with backup
C:\WINDOWS\system32\chache32.exe -> Backdoor.Agent.po : Cleaned with backup
C:\WINDOWS\system32\dFdramp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\drset.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\kgdbu.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktdtat.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lass.exe -> Proxy.Ranky.dy : Cleaned with backup
C:\WINDOWS\system32\lattt.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\system32\mhutb.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mpdxmlc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\msappview32.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\mssvcc.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\system32\mvnql9551.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oltext32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p2n80c5uef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pqrfts.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qgery.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rasermset.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\rmcdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\spread.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\system32\steam.dll -> Backdoor.Akbot.a : Cleaned with backup
C:\WINDOWS\system32\tmflog.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\winsystems.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\winsysban2.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysban3.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysupd2.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd3.exe -> Hijacker.StartPage.ahg : Cleaned with backup
::Report End
After I ran Ewido in Safe Mode and rebooted to do the online scan at BitDefender I had no issue with the hijacking of the browser. But somewhere in the midst of running the online virus scan the hijacking started again. I don't know if that is important or not. Just thought I would let you know.
Okay I have to format the BD log and I will post it shortly. It saved in html and goes on forever if I just copy and paste it.
Thanks
Liberty
I just sent the log(s) to you via email rather than try to make it work for the forum.
Liberty
I am almost embarrassed to post the ewido report. Good Grief.
dont be, its not the longest ive seen
check that firewall link, if you connect an unpatched windows machine to the internet you get a new worm in just minutes
a firewall is your best friend
Okay I have Sunbelt Kerio installed and running.
What should I do next? :)
Liberty
hi
thanks for the logs
print this, or save the text into a convenient place to be viewed in safe mode when this page is not available
download killbox from here: http://www.downloads.subratam.org/KillBox.zip
unzip it to a folder on your desktop
reboot into safe mode
run hijackthis, click scan, put checkmarks next to these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [syscat] syscat.exe
O4 - HKLM\..\Run: [updatesys] updateauto.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\bm22.exe
O4 - HKLM\..\Run: [WindowsUpdatetes] justest.exe
O4 - HKLM\..\Run: [securitysys] picviewer.exe
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.19/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} -
O20 - AppInit_DLLs: r!3.cpl
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
close all browser and exlplorer windows
and click fix checked
doubleclick on killbox.exe to run it
tick delete on reboot, click process all files
highlight the following list, then press ctrl+c to copy it to the clipboard
C:\WINDOWS\system32\updateauto.exe
C:\WINDOWS\system32\syscat.exe
C:\WINDOWS\system32\mswwmf.exe
C:\WINDOWS\system32\i
C:\WINDOWS\System32\updateauto.exe
C:\WINDOWS\System32\justest.exe
C:\WINDOWS\System32\picviewer.exe
C:\WINDOWS\mswmf32.exe
C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe
C:\WINDOWS\System32\chache32.exe
then click the button that looks like a stop sign
allow the reboot, if it doesnt happen automatically do it yourself
when back to normal mode post a new hjt log
report all error messages, thank you
Logfile of HijackThis v1.99.1
Scan saved at 7:39:23 PM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\mdxlnmq32.exe
C:\WINDOWS\System32\msappview32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138486157543
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486091434
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\m6lslg3716.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
hi
there still are a lot of infected items.. looks like some viruses have still got through
i dont see an antivirus software, take a look at this free anti virus:
http://www.avast.com/eng/download-avast-home.html
download, install and
update it, then scan, let it remove what it finds
reboot
post a new hjt log
now that you have an antivirus and a firewall we have some hope of cleaning the machine
without these you will just pick up new infections faster than we can clean them
Am getting on that ty. I did have both a firewall and a anti-virus through Bellsouth, but when my dsl went down the Bellsouth Internet Security did not work with my dial-up and prevented me from using it. Sigh.
Hindsight is always 20/20.
Logfile of HijackThis v1.99.1
Scan saved at 5:09:34 PM, on 1/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\mdxlnmq32.exe
C:\WINDOWS\System32\msappview32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138486157543
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486091434
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\hr6405jqe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
hi
much better looking log :)
Download System Security Suite here:System Security Suite Download & Tutorial (http://www.igorshpak.net/). Unzip it to your desktop. Install the program. Don't use it yet.
Run HijackThis!, press Do A System Scan Only, and put a check mark next to all these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Network Host Service] mdxlnmq32.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
Close all other windows and browsers, and press the Fix Checked button.
enable showing of system and hidden files:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo)
locate and delete the following files and folders, if still there:
C:\WINDOWS\System32\mdxlnmq32.exe<<--this file
C:\WINDOWS\System32\msappview32.exe<<--this file
C:\WINDOWS\System32\chache32.exe<<--this file
C:\WINDOWS\Q2hhZCBKb2huc29u<<--this folder
With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab select for cleaning:
- Internet Explorer (left pane): Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program
Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.
reboot back to normal mode
post a fresh hijackthis log
I made sure my system and hidden files were visable
and tried to delete those files in safe mode but couldnt find them
I rebooted and ran HJT and several of them are still there.
Logfile of HijackThis v1.99.1
Scan saved at 10:23:25 AM, on 1/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\rasautou.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138486157543
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486091434
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\en6ml1j11.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
hi
well done !
there are still infections, but this time it shows no new ones :bigthumb:
there is look2me, we are attempthing to get rid of it next:
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.
if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
the lof will be long, you may have to use several posts to fit it in, every piece of the info in the log is necessary though
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k680lglm16qa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5DF6D3BF-DE75-942C-BD69-33F1FB365BDF}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}"="Google Deskbar"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A6D4F18B-978B-4B12-A152-141211D47F91}"=""
"{ECF84DA1-B202-4A1B-A7EB-23A82D3351D5}"=""
"{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}"=""
"{198A6BE1-00B9-43BE-9091-736E4EE79338}"=""
"{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}"=""
"{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}"=""
"{47220045-D21A-4AF4-86B5-286F854CB2AB}"=""
"{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}"=""
"{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}"=""
"{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\InprocServer32]
@="C:\\WINDOWS\\system32\\tmflog.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhutb.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\InprocServer32]
@="C:\\WINDOWS\\system32\\saell.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\InprocServer32]
@="C:\\WINDOWS\\system32\\pqrfts.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\InprocServer32]
@="C:\\WINDOWS\\system32\\rwmotepg.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\InprocServer32]
@="C:\\WINDOWS\\system32\\FW20.DLL"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\nrapi32.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\InprocServer32]
@="C:\\WINDOWS\\system32\\MEC71ENU.DLL"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
00kk03qo.dll Mon Jan 23 2006 6:39:18p A.... 12,868 12.57 K
0o8w0320.dll Tue Jan 17 2006 11:36:26a A.... 0 0.00 K
0o8wodui.dll Tue Jan 17 2006 11:01:18a A.... 44,544 43.50 K
ctbcatex.dll Sat Jan 28 2006 5:31:40p ..S.R 236,665 231.12 K
fw20.dll Sat Jan 28 2006 7:30:04p ..S.R 236,141 230.61 K
hrjo05~1.dll Tue Jan 31 2006 1:37:42a ..S.R 234,004 228.52 K
iemui.dll Sat Jan 28 2006 7:16:04p ..S.R 237,053 231.50 K
iosetup.dll Wed Feb 1 2006 8:12:30a ..S.R 236,832 231.28 K
iwsrad.dll Sun Jan 29 2006 11:38:12a ..S.R 236,697 231.15 K
k680lg~1.dll Tue Jan 31 2006 1:23:48a ..S.R 236,832 231.28 K
lpfil12n.dll Tue Jan 31 2006 1:36:42a ..S.R 234,004 228.52 K
mec71enu.dll Mon Jan 30 2006 10:19:22a ..S.R 235,671 230.14 K
nrapi32.dll Mon Jan 30 2006 10:13:30a ..S.R 235,261 229.75 K
rwmotepg.dll Sat Jan 28 2006 7:19:50p ..S.R 235,261 229.75 K
saell.dll Mon Jan 30 2006 10:21:46a ..S.R 236,832 231.28 K
sporder.dll Mon Jan 23 2006 7:02:52p A.... 8,464 8.27 K
16 items found: 16 files (12 H/S), 0 directories.
Total of file sizes: 2,897,129 bytes 2.76 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Jan 27 2006 1:04:52p A.... 0 0.00 K
guard.tmp Wed Feb 1 2006 8:13:30a ..S.R 236,832 231.28 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 236,832 bytes 231.28 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CC81-113B
Directory of C:\WINDOWS\System32
02/01/2006 08:13 AM 236,832 guard.tmp
02/01/2006 08:12 AM 236,832 iosetup.dll
01/31/2006 01:37 AM 234,004 hrjo0513e.dll
01/31/2006 01:36 AM 234,004 lpfil12n.DLL
01/31/2006 01:23 AM 236,832 k680lglm16qa.dll
01/30/2006 10:21 AM 236,832 saell.dll
01/30/2006 10:19 AM 235,671 MEC71ENU.DLL
01/30/2006 10:13 AM 235,261 nrapi32.dll
01/29/2006 05:29 PM 0 .exe
01/29/2006 11:38 AM 236,697 iWsrad.dll
01/28/2006 07:30 PM 236,141 FW20.DLL
01/28/2006 07:19 PM 235,261 rwmotepg.dll
01/28/2006 07:16 PM 237,053 iemui.dll
01/28/2006 05:31 PM 236,665 ctbcatex.dll
01/28/2006 05:18 PM <DIR> dllcache
01/28/2006 10:24 AM 16,384 helperpicviewer.exe
01/24/2006 09:51 AM 16,384 helperjustes.exe
01/20/2006 01:02 PM 16,384 helperupdateauto.exe
01/18/2006 02:51 PM 16,384 helpersyscat.exe
01/17/2006 10:49 PM 16,384 helpermswwmf.exe
05/23/2005 09:51 PM 7,332,114 req.txt
11/22/2004 10:23 AM <DIR> Microsoft
08/23/2001 10:00 AM 118,441 msappview32.exe
08/23/2001 10:00 AM 100,864 mdxlnmq32.exe
22 File(s) 10,701,424 bytes
2 Dir(s) 28,516,089,856 bytes free
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.
L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot.
After I did this, after the process was complete the L2mfix said -
Please fix the missing file 020 with hijackthis after reboot.
Is that of concern?
here is the L2M log
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k680lglm16qa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5DF6D3BF-DE75-942C-BD69-33F1FB365BDF}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}"="Google Deskbar"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A6D4F18B-978B-4B12-A152-141211D47F91}"=""
"{ECF84DA1-B202-4A1B-A7EB-23A82D3351D5}"=""
"{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}"=""
"{198A6BE1-00B9-43BE-9091-736E4EE79338}"=""
"{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}"=""
"{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}"=""
"{47220045-D21A-4AF4-86B5-286F854CB2AB}"=""
"{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}"=""
"{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}"=""
"{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57F69AEB-9738-40E3-8BC2-8E9CB759FEAC}\InprocServer32]
@="C:\\WINDOWS\\system32\\tmflog.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{198A6BE1-00B9-43BE-9091-736E4EE79338}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhutb.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4EBCFCD7-6438-43B3-AD8D-C877390D1A1D}\InprocServer32]
@="C:\\WINDOWS\\system32\\saell.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2E35DE5D-1A6C-4802-B9AF-5CAF1D37AA36}\InprocServer32]
@="C:\\WINDOWS\\system32\\pqrfts.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{47220045-D21A-4AF4-86B5-286F854CB2AB}\InprocServer32]
@="C:\\WINDOWS\\system32\\rwmotepg.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A3AC5752-5AD3-428C-85FF-EA0EB27EF60C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CD5A72CF-DEA1-4204-AA36-16561ECB54EF}\InprocServer32]
@="C:\\WINDOWS\\system32\\FW20.DLL"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8B5DF0FE-E483-4663-BEEE-64ABCD991D1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\nrapi32.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{183485C5-9C92-43D2-BCDF-FE6E8462CDC0}\InprocServer32]
@="C:\\WINDOWS\\system32\\MEC71ENU.DLL"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
00kk03qo.dll Mon Jan 23 2006 6:39:18p A.... 12,868 12.57 K
0o8w0320.dll Tue Jan 17 2006 11:36:26a A.... 0 0.00 K
0o8wodui.dll Tue Jan 17 2006 11:01:18a A.... 44,544 43.50 K
ctbcatex.dll Sat Jan 28 2006 5:31:40p ..S.R 236,665 231.12 K
fw20.dll Sat Jan 28 2006 7:30:04p ..S.R 236,141 230.61 K
hrjo05~1.dll Tue Jan 31 2006 1:37:42a ..S.R 234,004 228.52 K
iemui.dll Sat Jan 28 2006 7:16:04p ..S.R 237,053 231.50 K
iosetup.dll Wed Feb 1 2006 8:12:30a ..S.R 236,832 231.28 K
iwsrad.dll Sun Jan 29 2006 11:38:12a ..S.R 236,697 231.15 K
k680lg~1.dll Tue Jan 31 2006 1:23:48a ..S.R 236,832 231.28 K
lpfil12n.dll Tue Jan 31 2006 1:36:42a ..S.R 234,004 228.52 K
mec71enu.dll Mon Jan 30 2006 10:19:22a ..S.R 235,671 230.14 K
nrapi32.dll Mon Jan 30 2006 10:13:30a ..S.R 235,261 229.75 K
rwmotepg.dll Sat Jan 28 2006 7:19:50p ..S.R 235,261 229.75 K
saell.dll Mon Jan 30 2006 10:21:46a ..S.R 236,832 231.28 K
sporder.dll Mon Jan 23 2006 7:02:52p A.... 8,464 8.27 K
16 items found: 16 files (12 H/S), 0 directories.
Total of file sizes: 2,897,129 bytes 2.76 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Jan 27 2006 1:04:52p A.... 0 0.00 K
guard.tmp Wed Feb 1 2006 8:13:30a ..S.R 236,832 231.28 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 236,832 bytes 231.28 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CC81-113B
Directory of C:\WINDOWS\System32
02/01/2006 08:13 AM 236,832 guard.tmp
02/01/2006 08:12 AM 236,832 iosetup.dll
01/31/2006 01:37 AM 234,004 hrjo0513e.dll
01/31/2006 01:36 AM 234,004 lpfil12n.DLL
01/31/2006 01:23 AM 236,832 k680lglm16qa.dll
01/30/2006 10:21 AM 236,832 saell.dll
01/30/2006 10:19 AM 235,671 MEC71ENU.DLL
01/30/2006 10:13 AM 235,261 nrapi32.dll
01/29/2006 05:29 PM 0 .exe
01/29/2006 11:38 AM 236,697 iWsrad.dll
01/28/2006 07:30 PM 236,141 FW20.DLL
01/28/2006 07:19 PM 235,261 rwmotepg.dll
01/28/2006 07:16 PM 237,053 iemui.dll
01/28/2006 05:31 PM 236,665 ctbcatex.dll
01/28/2006 05:18 PM <DIR> dllcache
01/28/2006 10:24 AM 16,384 helperpicviewer.exe
01/24/2006 09:51 AM 16,384 helperjustes.exe
01/20/2006 01:02 PM 16,384 helperupdateauto.exe
01/18/2006 02:51 PM 16,384 helpersyscat.exe
01/17/2006 10:49 PM 16,384 helpermswwmf.exe
05/23/2005 09:51 PM 7,332,114 req.txt
11/22/2004 10:23 AM <DIR> Microsoft
08/23/2001 10:00 AM 118,441 msappview32.exe
08/23/2001 10:00 AM 100,864 mdxlnmq32.exe
22 File(s) 10,701,424 bytes
2 Dir(s) 28,516,089,856 bytes free
Logfile of HijackThis v1.99.1
Scan saved at 2:12:37 PM, on 2/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EssentialPIM Pro] "C:\Program Files\EssentialPIM Pro\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://moretime.wordpress.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {456181F4-E9D0-4365-92AB-1169AF02A7B4} (Ccompctrl Object) - https://www.insiderpages.com/download/wizard/atlcomp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138486157543
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486091434
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://workfrmhomemom.multiply.com/photos/uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\k680lglm16qa.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Service Chache (chache32) - Unknown owner - C:\WINDOWS\System32\chache32.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhZCBKb2huc29u\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
hi
we're making progress :bigthumb:
open a command prompt window by clicking start> run > and typing cmd
then hit enter
into the cmd window type sc disable chache32 and hit enter
next type sc delete chache32and hit enter
again type sc disable cmdService and hit enter
next type sc delete cmdService and hit enter
report if you get errors
open hijackthis, with all browser and explorer windows closed checkmark/fix this line
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\k680lglm16qa.dll (file missing)
reboot
run l2mefix again, select option 1, scan for log and post it here :D
LonnyRJones
2006-02-11, 07:11
This topic will now be closed and archived. If a problem related to malware, spyware or adware returns and you need this topic re-opened, please send a message to myself or Tashi with a link to this thread.