I'm totally stuck.

Edward Skylover
2006-03-24, 21:31
I'm fairly new to things like this on computers and that's why I'm posting here. Any help would be appreciated.

Basically, my computer's been infected with many problems, such as: Network Monitor, Command Service, several ISearchTech infections and SurfSideKick and SurfAccuracy.

I've tried deleting them with SpyBot Search & Destroy but the infections keep arising again and some can never be deleted. Namely, the ones above.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:20:23, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\U3VzYW4\command.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Hzfxgig\Ahns.exe
C:\WINDOWS\system32\nrlyxwlt\winsp3.exe
C:\WINDOWS\system32\nrlyxwlt\nat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\iluvjk.exe
C:\WINDOWS\enrpjqn.exe
C:\windows\mousepad5.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\uzuo\uzuom.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\PROGRA~1\COMMON~1\uzuo\uzuoa.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\DOCUME~1\Susan\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Ins3DT] E:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [dkb] C:\WINDOWS\dkb.exe
O4 - HKLM\..\Run: [Bzgkv] C:\Program Files\Hzfxgig\Ahns.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\nrlyxwlt\winsp3.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\nrlyxwlt\nat.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [X0DCja] C:\WINDOWS\iluvjk.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\enrpjqn.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard5.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad5.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname5.exe
O4 - HKLM\..\Run: [Á²# *{"h'þ9ÓœÇ3rÅ WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iluvjk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [uzuo] C:\PROGRA~1\COMMON~1\uzuo\uzuom.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E861860-46B1-4391-8745-983F9CD36025}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169554.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\p48q0el5ehq.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\en4sl1h71.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW4\command.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edward Skylover
2006-03-25, 15:24
Hi. I've been reading posts on this forum and I've managed to delete everything except something called Elite.Bar. Or something along those lines. Help would be appreciated. :)

LonnyRJones
2006-03-25, 16:43
I hope you put hijackthis in a folder of its own, not in a temp, and unzipped it too?
I hope you didn't fix any necessary items; there will be no backups.

If not, please do so, then post another log.
What version of SpyBot is it you have and when was it last updated?

Edward Skylover
2006-03-25, 17:21
> I hope you put hijackthis in a folder of its own, not in a temp, and unzipped it too?
> I hope you didn't fix any necessary items; there will be no backups.
>
> If not, please do so, then post another log.
> What version of SpyBot is it you have and when was it last updated?


I updated a couple of days ago, I have Spybot 1.4

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 15:20:09, on 25/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\uzuo\uzuom.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\PROGRA~1\COMMON~1\uzuo\uzuoa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan\Desktop\family folder\Edward's folder\Computer downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [uzuo] C:\PROGRA~1\COMMON~1\uzuo\uzuom.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://evidenceeraserpro.com/landings/EEProInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E861860-46B1-4391-8745-983F9CD36025}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\j6n20g5oe6.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\en4sl1h71.dll
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

LonnyRJones
2006-03-25, 18:51
Several infections.

Let's get an L2Mfix log as a first step.
Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
If it is too large to post in one reply, do so in two please.

LonnyRJones
2006-03-25, 18:53
I might be away for a bit, so (ONLY) after that log is posted proceed as follows:

Close any programs you have open since this step requires a reboot.
Close the internet connection. Unplug your modem!! if on cable or satellite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Edward Skylover
2006-03-25, 20:25
I tried to get into the l2mfix.bat but when I clicked on it, it just said "another program is currently using this file". What does that mean?

thanks. :)

LonnyRJones
2006-03-25, 20:48
Not sure, you did download (save then run) the program, not open it from the link, correct?

Edward Skylover
2006-03-25, 20:56
Yeah, I followed the instructions. I saved it, then opened and ran it. But when I clicked on l2mfix.bat, it just said "another program is currently using this file"...

LonnyRJones
2006-03-25, 21:00
Odd

Try again after restarting the PC

Edward Skylover
2006-03-25, 21:06
Unfortunately it's still not working. :scratch:

LonnyRJones
2006-03-26, 09:42
Make a new folder at this location,
C:\ called "BFU"
Download Brute Force Uninstaller. By Merijn, author of Hijackthis.
http://www.merijn.org/files/bfu.zip
Unzip it to its own folder (c:\BFU)
Right-click on this link and choose save target as, save as type all files,
save it to that BFU folder

http://metallica.geekstogo.com/alcanshorty.bfu
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Download LQfix.zip http://www.downloads.subratam.org/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

Reboot into safe mode. Click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) for instructions.

Double-click on BFU.exe, click the folder icon, choose alcanshorty.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
If the script is really executed you should have seen a progress bar.
Press exit to exit the BFU program.

Double-click LQfix.bat that you saved on your desktop before.


While still in safe mode,
start Hijackthis and place a check next to these items if there.
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [uzuo] C:\PROGRA~1\COMMON~1\uzuo\uzuom.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://evidenceeraserpro.com/landing...oInstaller.cab
====================================
Hit fix checked and close Hijackthis.

Restart back to a normal Windows session, run L2mfix and try option two once again, and post a hijackthis log.

Edward Skylover
2006-03-26, 16:16
Thanks. :) Was I supposed to post the log from the LQfix.bat thing or HiJackThis?

Here is the LQfix.bat log:



L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enp8l17u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4sl1h71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BAD7AC33-D3EC-77DD-7DC5-A768F0C24B67}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
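
As an added example (not part of the original thread and not L2mfix's own code), the Winlogon/notify section of the find log above can be triaged with a short Python parser that decodes the export, including the `hex(2)` UTF-16 values and their line continuations, and lists the notification packages whose `DllName` stands out. The two checks (a full path instead of a bare file name, and a file name that keeps switching between letters and digits) are heuristics assumed for this sample, and all function names are hypothetical.

```python
import re

# Constructed sample: four keys from the Winlogon/notify section of the find
# log posted above, trimmed to a few values each. Raw string, so every
# backslash (including the hex line continuation) is literal.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enp8l17u1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"DllName"="C:\\WINDOWS\\system32\\en4sl1h71.dll"
"Logon"="WinLogon"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_STRING_RE = re.compile(r'^hex\(([12])\):(.*)$')  # REG_SZ / REG_EXPAND_SZ as hex


def decode_value(raw):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):       # plain REG_SZ
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = HEX_STRING_RE.match(raw)
    if m:                                               # UTF-16LE string bytes
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return raw                                          # other types: keep as text


def parse_reg_export(text):
    """Return {key path: {lower-cased value name: decoded value}}."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith('\\'):      # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ''
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Value names are case-insensitive ("DllName" and "DLLName" both occur).
            current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def class_switches(stem):
    """Count letter<->digit switches in a file name (random names switch often)."""
    kinds = ['d' if c.isdigit() else 'a' for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def suspicious_notify_entries(keys, min_switches=3):
    """Heuristic triage (assumption, not a verdict): list Notify subkeys whose
    DllName is a full path or has a letter/digit-scrambled file name."""
    findings = []
    for key, values in keys.items():
        parent, _, name = key.rpartition('\\')
        if not parent.lower().endswith('\\winlogon\\notify'):
            continue                 # skips the Notify root and unrelated keys
        dll = values.get('dllname')
        if not isinstance(dll, str):
            continue
        reasons = []
        if '\\' in dll:
            reasons.append('full path')
        stem = dll.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if class_switches(stem) >= min_switches:
            reasons.append('scrambled name')
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == '__main__':
    for name, dll, reasons in suspicious_notify_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f'{name}: {dll} ({", ".join(reasons)})')
```

Entries it lists are candidates to check against the file on disk and the O20 lines of the HijackThis log, not confirmed detections.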

Edward Skylover
2006-03-26, 16:18
Here is the second half as I couldn't fit them on 1 post:


"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{4A775D64-ACE1-4189-90B5-EC98F2D68852}"=""
"{406E445A-90ED-49AC-BBF6-B8FC8E487A24}"=""
"{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}"=""

**********************************************************************************

Edward Skylover
2006-03-26, 16:20
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkcat32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bszip.dll Sun 1 Jan 2006 21:09:04 A.... 62,464 61.00 K
c600lg~1.dll Thu 23 Mar 2006 22:22:20 ..S.R 235,171 229.66 K
dn8o01~1.dll Thu 23 Mar 2006 19:16:26 ..S.R 236,045 230.51 K
dnn801~1.dll Sun 26 Mar 2006 14:08:04 ..S.R 236,960 231.41 K
en4sl1~1.dll Mon 20 Mar 2006 23:11:18 ..S.R 236,045 230.51 K
enp8l1~1.dll Sun 26 Mar 2006 13:46:04 ..S.R 234,183 228.69 K
f20o0c~1.dll Mon 20 Mar 2006 22:44:14 ..S.R 236,347 230.80 K
fvcfg.dll Mon 20 Mar 2006 22:58:18 ..S.R 236,045 230.51 K
gdi32.dll Thu 29 Dec 2005 3:54:36 A.... 280,064 273.50 K
gp0ol3~1.dll Mon 20 Mar 2006 22:58:18 ..S.R 233,899 228.41 K
hol.dll Sun 26 Mar 2006 13:41:18 ..S.R 236,960 231.41 K
hrp405~1.dll Thu 23 Mar 2006 22:19:12 ..S.R 234,640 229.14 K
ikrop.dll Thu 23 Mar 2006 22:19:12 ..S.R 234,165 228.68 K
irjul5~1.dll Wed 22 Mar 2006 18:23:02 ..S.R 234,205 228.71 K
j84oli~1.dll Thu 23 Mar 2006 18:22:40 ..S.R 233,922 228.44 K
llcdll.dll Mon 20 Mar 2006 8:43:54 ..S.R 234,272 228.78 K
lv0s09~1.dll Mon 20 Mar 2006 22:28:04 ..S.R 236,754 231.20 K
lvadperf.dll Mon 20 Mar 2006 22:28:04 ..S.R 236,045 230.51 K
lvjo09~1.dll Thu 23 Mar 2006 19:54:38 ..S.R 234,844 229.34 K
lzrt.dll Sun 26 Mar 2006 13:36:04 ..S.R 235,625 230.10 K
macndmgr.dll Sun 26 Mar 2006 13:42:52 ..S.R 235,625 230.10 K
mkcat32.dll Sun 26 Mar 2006 14:08:38 ..S.R 234,183 228.69 K
mpconf.dll Thu 23 Mar 2006 22:39:48 ..S.R 234,165 228.68 K
n4l80e~1.dll Thu 23 Mar 2006 22:14:48 ..S.R 234,999 229.49 K
nftui1.dll Thu 23 Mar 2006 21:24:16 ..S.R 234,165 228.68 K
npwdev.dll Thu 23 Mar 2006 22:14:48 ..S.R 234,165 228.68 K
oaeaccrc.dll Thu 23 Mar 2006 23:06:10 ..S.R 235,937 230.41 K
ogpdx32.dll Sun 26 Mar 2006 13:37:32 ..S.R 234,085 228.60 K
pjd.dll Mon 20 Mar 2006 19:11:06 ..S.R 234,433 228.94 K
pncrt.dll Sat 18 Mar 2006 23:45:54 A.... 278,528 272.00 K
pndx5016.dll Sat 18 Mar 2006 23:45:56 A.... 6,656 6.50 K
pndx5032.dll Sat 18 Mar 2006 23:45:56 A.... 5,632 5.50 K
pzrpnsp.dll Mon 20 Mar 2006 19:17:26 ..S.R 234,272 228.78 K
qodit.dll Sun 26 Mar 2006 9:13:20 ..S.R 234,085 228.60 K
rmoc3260.dll Sat 18 Mar 2006 23:46:08 A.... 176,167 172.04 K
sgnscfg.dll Wed 22 Mar 2006 18:23:02 ..S.R 236,045 230.51 K
sirenacm.dll Tue 24 Jan 2006 20:34:24 A.... 118,784 116.00 K
swcur32.dll Thu 23 Mar 2006 18:25:24 ..S.R 236,045 230.51 K
syell32.dll Mon 20 Mar 2006 22:44:14 ..S.R 236,045 230.51 K
tmemeui.dll Sun 26 Mar 2006 13:38:46 ..S.R 235,625 230.10 K
w32view.dll Fri 10 Mar 2006 11:51:50 A.... 47,864 46.74 K
wctdecod.dll Thu 23 Mar 2006 19:17:06 ..S.R 236,173 230.64 K
webclnt.dll Wed 4 Jan 2006 4:35:06 A.... 68,096 66.50 K
wtbvw.dll Wed 22 Mar 2006 17:52:24 ..S.R 236,045 230.51 K
xvidcore.dll Fri 30 Dec 2005 21:10:30 A.... 761,856 744.00 K
xvidvfw.dll Fri 30 Dec 2005 21:18:26 A.... 180,224 176.00 K

46 items found: 46 files (35 H/S), 0 directories.
Total of file sizes: 10,218,554 bytes 9.74 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Sat 25 Mar 2006 13:34:24 A.... 0 0.00 K
guard~1.tmp Fri 24 Mar 2006 19:16:18 ..... 236,521 230.98 K

2 items found: 2 files, 0 directories.
Total of file sizes: 236,521 bytes 230.98 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 183A-7F4F

Directory of C:\WINDOWS\System32

26/03/2006 14:08 234,183 mkcat32.dll
26/03/2006 14:08 236,960 dnn8015ue.dll
26/03/2006 13:46 234,183 enp8l17u1.dll
26/03/2006 13:42 235,625 macndmgr.dll
26/03/2006 13:41 236,960 hOl.dll
26/03/2006 13:38 235,625 tmemeui.dll
26/03/2006 13:37 234,085 ogpdx32.dll
26/03/2006 13:36 235,625 lzrt.dll
26/03/2006 09:13 234,085 qodit.dll
23/03/2006 23:06 235,937 oaeaccrc.dll
23/03/2006 22:39 234,165 mpconf.dll
23/03/2006 22:22 235,171 c600lgdm160a.dll
23/03/2006 22:19 234,165 ikrop.dll
23/03/2006 22:19 234,640 hrp4057qe.dll
23/03/2006 22:14 234,165 npwdev.dll
23/03/2006 22:14 234,999 n4l80e3ueh.dll
23/03/2006 21:24 234,165 nftui1.dll
23/03/2006 19:54 234,844 lvjo0913e.dll
23/03/2006 19:17 236,173 wctdecod.dll
23/03/2006 19:16 236,045 dn8o01l3e.dll
23/03/2006 18:25 236,045 swcur32.dll
23/03/2006 18:22 233,922 j84olih3184.dll
22/03/2006 18:23 236,045 sgnscfg.dll
22/03/2006 18:23 234,205 irjul5191.dll
22/03/2006 17:52 236,045 wtbvw.dll
20/03/2006 23:11 236,045 en4sl1h71.dll
20/03/2006 22:58 236,045 fvcfg.dll
20/03/2006 22:58 233,899 gp0ol3d31.dll
20/03/2006 22:44 236,045 syell32.dll
20/03/2006 22:44 236,347 f20o0cd3ef0.dll
20/03/2006 22:28 236,045 lvadperf.dll
20/03/2006 22:28 236,754 lv0s09d7e.dll
20/03/2006 19:17 234,272 pzrpnsp.dll
20/03/2006 19:11 234,433 pjd.dll
20/03/2006 08:43 234,272 llcdll.dll
17/02/2006 10:47 <DIR> dllcache
11/01/2006 12:46 <DIR> brodlw
21/11/2005 22:36 <DIR> ouhpeihkrk
24/10/2005 11:25 <DIR> nrlyxwlt
23/09/2004 07:36 <DIR> Microsoft
35 File(s) 8,232,219 bytes
5 Dir(s) 46,562,336,768 bytes free

LonnyRJones
2006-03-26, 16:26
Good

Now L2Mfix option two; after the PC is restarted, its log and a brand new HijackThis log.

Edward Skylover
2006-03-26, 17:20
:) Well firstly, here is the l2mfix log:

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 540 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 644 'winlogon.exe'
Killing PID 644 'winlogon.exe'
Killing PID 644 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 152 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1260 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\c600lgdm160a.dll
Successfully Deleted: C:\WINDOWS\system32\c600lgdm160a.dll
Deleting: C:\WINDOWS\system32\dn8o01l3e.dll
Successfully Deleted: C:\WINDOWS\system32\dn8o01l3e.dll
Deleting: C:\WINDOWS\system32\dnn8015ue.dll
Successfully Deleted: C:\WINDOWS\system32\dnn8015ue.dll
Deleting: C:\WINDOWS\system32\enp8l17u1.dll
Successfully Deleted: C:\WINDOWS\system32\enp8l17u1.dll
Deleting: C:\WINDOWS\system32\f20o0cd3ef0.dll
Successfully Deleted: C:\WINDOWS\system32\f20o0cd3ef0.dll
Deleting: C:\WINDOWS\system32\fvcfg.dll
Successfully Deleted: C:\WINDOWS\system32\fvcfg.dll
Deleting: C:\WINDOWS\system32\gp0ol3d31.dll
Successfully Deleted: C:\WINDOWS\system32\gp0ol3d31.dll
Deleting: C:\WINDOWS\system32\hOl.dll
Successfully Deleted: C:\WINDOWS\system32\hOl.dll
Deleting: C:\WINDOWS\system32\hrp4057qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrp4057qe.dll
Deleting: C:\WINDOWS\system32\ikrop.dll
Successfully Deleted: C:\WINDOWS\system32\ikrop.dll
Deleting: C:\WINDOWS\system32\irjul5191.dll
Successfully Deleted: C:\WINDOWS\system32\irjul5191.dll
Deleting: C:\WINDOWS\system32\j84olih3184.dll
Successfully Deleted: C:\WINDOWS\system32\j84olih3184.dll
Deleting: C:\WINDOWS\system32\llcdll.dll
Successfully Deleted: C:\WINDOWS\system32\llcdll.dll
Deleting: C:\WINDOWS\system32\lv0s09d7e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0s09d7e.dll
Deleting: C:\WINDOWS\system32\lvadperf.dll
Successfully Deleted: C:\WINDOWS\system32\lvadperf.dll
Deleting: C:\WINDOWS\system32\lvjo0913e.dll
Successfully Deleted: C:\WINDOWS\system32\lvjo0913e.dll
Deleting: C:\WINDOWS\system32\lzrt.dll
Successfully Deleted: C:\WINDOWS\system32\lzrt.dll
Deleting: C:\WINDOWS\system32\macndmgr.dll
Successfully Deleted: C:\WINDOWS\system32\macndmgr.dll
Deleting: C:\WINDOWS\system32\mkcat32.dll
Successfully Deleted: C:\WINDOWS\system32\mkcat32.dll
Deleting: C:\WINDOWS\system32\mpconf.dll
Successfully Deleted: C:\WINDOWS\system32\mpconf.dll
Deleting: C:\WINDOWS\system32\n4l80e3ueh.dll
Successfully Deleted: C:\WINDOWS\system32\n4l80e3ueh.dll
Deleting: C:\WINDOWS\system32\nftui1.dll
Successfully Deleted: C:\WINDOWS\system32\nftui1.dll
Deleting: C:\WINDOWS\system32\npwdev.dll
Successfully Deleted: C:\WINDOWS\system32\npwdev.dll
Deleting: C:\WINDOWS\system32\oaeaccrc.dll
Successfully Deleted: C:\WINDOWS\system32\oaeaccrc.dll
Deleting: C:\WINDOWS\system32\ogpdx32.dll
Successfully Deleted: C:\WINDOWS\system32\ogpdx32.dll
Deleting: C:\WINDOWS\system32\pjd.dll
Successfully Deleted: C:\WINDOWS\system32\pjd.dll
Deleting: C:\WINDOWS\system32\pzrpnsp.dll
Successfully Deleted: C:\WINDOWS\system32\pzrpnsp.dll
Deleting: C:\WINDOWS\system32\qodit.dll
Successfully Deleted: C:\WINDOWS\system32\qodit.dll
Deleting: C:\WINDOWS\system32\sgnscfg.dll
Successfully Deleted: C:\WINDOWS\system32\sgnscfg.dll
Deleting: C:\WINDOWS\system32\swcur32.dll
Successfully Deleted: C:\WINDOWS\system32\swcur32.dll
Deleting: C:\WINDOWS\system32\syell32.dll
Successfully Deleted: C:\WINDOWS\system32\syell32.dll
Deleting: C:\WINDOWS\system32\tmemeui.dll
Successfully Deleted: C:\WINDOWS\system32\tmemeui.dll
Deleting: C:\WINDOWS\system32\wctdecod.dll
Successfully Deleted: C:\WINDOWS\system32\wctdecod.dll
Deleting: C:\WINDOWS\system32\wtbvw.dll
Successfully Deleted: C:\WINDOWS\system32\wtbvw.dll
Deleting: C:\WINDOWS\system32\guard.tmp_tobedeleted
Successfully Deleted: C:\WINDOWS\system32\guard.tmp_tobedeleted

msg11?.dll
0 file(s) copied.

Edward Skylover
2006-03-26, 17:21
Here's the second part:

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enp8l17u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4sl1h71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\c600lgdm160a.dll
C:\WINDOWS\system32\dn8o01l3e.dll
C:\WINDOWS\system32\dnn8015ue.dll
C:\WINDOWS\system32\enp8l17u1.dll
C:\WINDOWS\system32\f20o0cd3ef0.dll
C:\WINDOWS\system32\fvcfg.dll
C:\WINDOWS\system32\gp0ol3d31.dll
C:\WINDOWS\system32\hOl.dll
C:\WINDOWS\system32\hrp4057qe.dll
C:\WINDOWS\system32\ikrop.dll
C:\WINDOWS\system32\irjul5191.dll
C:\WINDOWS\system32\j84olih3184.dll
C:\WINDOWS\system32\llcdll.dll
C:\WINDOWS\system32\lv0s09d7e.dll
C:\WINDOWS\system32\lvadperf.dll
C:\WINDOWS\system32\lvjo0913e.dll
C:\WINDOWS\system32\lzrt.dll
C:\WINDOWS\system32\macndmgr.dll
C:\WINDOWS\system32\mkcat32.dll
C:\WINDOWS\system32\mpconf.dll
C:\WINDOWS\system32\n4l80e3ueh.dll
C:\WINDOWS\system32\nftui1.dll
C:\WINDOWS\system32\npwdev.dll
C:\WINDOWS\system32\oaeaccrc.dll
C:\WINDOWS\system32\ogpdx32.dll
C:\WINDOWS\system32\pjd.dll
C:\WINDOWS\system32\pzrpnsp.dll
C:\WINDOWS\system32\qodit.dll
C:\WINDOWS\system32\sgnscfg.dll
C:\WINDOWS\system32\swcur32.dll
C:\WINDOWS\system32\syell32.dll
C:\WINDOWS\system32\tmemeui.dll
C:\WINDOWS\system32\wctdecod.dll
C:\WINDOWS\system32\wtbvw.dll
C:\WINDOWS\system32\guard.tmp_tobedeleted

Edward Skylover
2006-03-26, 17:21
3rd part:

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkcat32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{4A775D64-ACE1-4189-90B5-EC98F2D68852}"=-
"{406E445A-90ED-49AC-BBF6-B8FC8E487A24}"=-
"{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{4A775D64-ACE1-4189-90B5-EC98F2D68852}]
[-HKEY_CLASSES_ROOT\CLSID\{406E445A-90ED-49AC-BBF6-B8FC8E487A24}]
[-HKEY_CLASSES_ROOT\CLSID\{1A41FAB7-60A0-4626-AE4A-60A05AD76C8A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/c600lgdm160a.dll (164 bytes security) (deflated 5%)
adding: dlls/dn8o01l3e.dll (164 bytes security) (deflated 5%)
adding: dlls/dnn8015ue.dll (164 bytes security) (deflated 5%)
adding: dlls/enp8l17u1.dll (164 bytes security) (deflated 4%)
adding: dlls/f20o0cd3ef0.dll (164 bytes security) (deflated 5%)
adding: dlls/fvcfg.dll (164 bytes security) (deflated 5%)
adding: dlls/gp0ol3d31.dll (164 bytes security) (deflated 4%)
adding: dlls/guard.tmp_tobedeleted (164 bytes security) (deflated 5%)
adding: dlls/hOl.dll (164 bytes security) (deflated 5%)
adding: dlls/hrp4057qe.dll (164 bytes security) (deflated 5%)
adding: dlls/ikrop.dll (164 bytes security) (deflated 4%)
adding: dlls/irjul5191.dll (164 bytes security) (deflated 4%)
adding: dlls/j84olih3184.dll (164 bytes security) (deflated 4%)
adding: dlls/llcdll.dll (164 bytes security) (deflated 4%)
adding: dlls/lv0s09d7e.dll (164 bytes security) (deflated 5%)
adding: dlls/lvadperf.dll (164 bytes security) (deflated 5%)
adding: dlls/lvjo0913e.dll (164 bytes security) (deflated 5%)
adding: dlls/lzrt.dll (164 bytes security) (deflated 5%)
adding: dlls/macndmgr.dll (164 bytes security) (deflated 5%)
adding: dlls/mkcat32.dll (164 bytes security) (deflated 4%)
adding: dlls/mpconf.dll (164 bytes security) (deflated 4%)
adding: dlls/n4l80e3ueh.dll (164 bytes security) (deflated 5%)
adding: dlls/nftui1.dll (164 bytes security) (deflated 4%)
adding: dlls/npwdev.dll (164 bytes security) (deflated 4%)
adding: dlls/oaeaccrc.dll (164 bytes security) (deflated 5%)
adding: dlls/ogpdx32.dll (164 bytes security) (deflated 4%)
adding: dlls/pjd.dll (164 bytes security) (deflated 4%)
adding: dlls/pzrpnsp.dll (164 bytes security) (deflated 4%)
adding: dlls/qodit.dll (164 bytes security) (deflated 4%)
adding: dlls/sgnscfg.dll (164 bytes security) (deflated 5%)
adding: dlls/swcur32.dll (164 bytes security) (deflated 5%)
adding: dlls/syell32.dll (164 bytes security) (deflated 5%)
adding: dlls/tmemeui.dll (164 bytes security) (deflated 5%)
adding: dlls/wctdecod.dll (164 bytes security) (deflated 5%)
adding: dlls/wtbvw.dll (164 bytes security) (deflated 5%)
adding: backregs/1A41FAB7-60A0-4626-AE4A-60A05AD76C8A.reg (188 bytes security) (deflated 70%)
adding: backregs/406E445A-90ED-49AC-BBF6-B8FC8E487A24.reg (188 bytes security) (deflated 70%)
adding: backregs/4A775D64-ACE1-4189-90B5-EC98F2D68852.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Edward Skylover
2006-03-26, 17:22
Secondly, here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:16, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Susan\Desktop\family folder\Edward's folder\Computer downloads\hijackthis\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\enp8l17u1.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\en4sl1h71.dll
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

LonnyRJones
2006-03-26, 17:44
Scan and fix these two items with HijackThis:
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\enp8l17u1.dll (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\en4sl1h71.dll
==============
Delete these folders if present
C:\Program Files\Common Files\uzuo
C:\Program Files\Common Files\VCClient
C:\Program Files\SurfSideKick 3
C:\Program Files\ISTsvc
C:\Program Files\Hzfxgig
C:\WINDOWS\system32\nrlyxwlt
How did that go?

Why don't we see signs of an antivirus program?

Post a new HijackThis log and one from this free online scan:
Panda ActiveScan - free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here, please.

Edward Skylover
2006-03-26, 18:17
I don't know why it hasn't shown that. I use SpyBot.

I just did a check on SpyBot and it deleted all the viruses. It worked great!! :) Thanks for your help.

Is it done now?

Here is the HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:04:57, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan\Desktop\family folder\Edward's folder\Computer downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E861860-46B1-4391-8745-983F9CD36025}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The PandaActiveScan says that I have a few adware problems that need to be fixed....

LonnyRJones
2006-03-26, 18:39
Where is that Panda scan log?

"I don't know why it hasn't shown that. I use SpyBot."

SpyBot is not an antivirus program. I see a part of Symantec's Security Center; where is its antivirus?

Edward Skylover
2006-03-26, 19:02
Oh. :scratch: I'm not sure. Where could it be? :buried:

Edward Skylover
2006-03-26, 19:32
Here is the log from the PandaActiveScan:

Incident Status Location

Adware:adware/deskwizz Not disinfected C:\WINDOWS\SYSTEM32\ad.html
Adware:adware/ncase Not disinfected C:\TEMP\180SAInstaller.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWAS6_0001_N68M2301NetInstaller.exe
Adware:adware/elitebar Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\v3.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Media Gateway
Adware:adware/webhancer Not disinfected C:\PROGRAM FILES\whInstall
Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\PROGRAM FILES\WinAntiVirus Pro 2006
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/dluxde Not disinfected C:\PROGRAM FILES\SCOM\dialers
Spyware:spyware/dluca Not disinfected Windows Registry
Potentially unwanted tool:application/winantispyware2006 Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\WINANTISPYWARE 2006 SCANNER
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@112.2o7[2].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ad.yieldmanager[2].txt
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adamg[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ads.pointroll[1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ads.tripod.lycos[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adtech[2].txt
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Susan\Cookies\susan@aff506[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Susan\Cookies\susan@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as-us.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as1.falkag[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Susan\Cookies\susan@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Susan\Cookies\susan@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bravenet[2].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Susan\Cookies\susan@burstnet[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Susan\Cookies\susan@c.enhance[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Susan\Cookies\susan@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cgi-bin[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cgi-bin[4].txt

Edward Skylover
2006-03-26, 19:34
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Susan\Cookies\susan@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Susan\Cookies\susan@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Susan\Cookies\susan@dist.belnk[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Susan\Cookies\susan@errorsafe[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Susan\Cookies\susan@fe.lea.lycos[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Susan\Cookies\susan@fortunecity[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Susan\Cookies\susan@i.screensavers[1].txt
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ilead.itrack[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Susan\Cookies\susan@kmpads[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Susan\Cookies\susan@landing.domainsponsor[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Susan\Cookies\susan@maxserving[2].txt
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Susan\Cookies\susan@metriweb[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Susan\Cookies\susan@overture[1].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Susan\Cookies\susan@pacificpoker[3].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@paycounter[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Susan\Cookies\susan@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Susan\Cookies\susan@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Susan\Cookies\susan@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Susan\Cookies\susan@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Susan\Cookies\susan@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@rn11[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@sel.as-eu.falkag[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Susan\Cookies\susan@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Susan\Cookies\susan@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Susan\Cookies\susan@stats1.reliablestats[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Susan\Cookies\susan@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Susan\Cookies\susan@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Susan\Cookies\susan@tribalfusion[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Susan\Cookies\susan@weborama[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Susan\Cookies\susan@www.burstbeacon[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Susan\Cookies\susan@www.errorsafe[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xmts[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xxxcounter[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Susan\Cookies\susan@zedo[2].txt
Adware:Adware/Deskwizz Not disinfected C:\bintheredunthat\DR140306.exe
Adware:Adware/ConsumerAlertSystem Not disinfected C:\bintheredunthat\WinFrgn.exe
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\LocalService\Cookies\system@statcounter[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@112.2o7[2].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@2o7[2].txt

Edward Skylover
2006-03-26, 19:35
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ad.yieldmanager[2].txt
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adamg[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ads.pointroll[1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ads.tripod.lycos[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Susan\Cookies\susan@adtech[2].txt
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Susan\Cookies\susan@aff506[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Susan\Cookies\susan@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as-us.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@as1.falkag[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Susan\Cookies\susan@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Susan\Cookies\susan@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bravenet[2].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Susan\Cookies\susan@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Susan\Cookies\susan@burstnet[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Susan\Cookies\susan@c.enhance[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Susan\Cookies\susan@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cgi-bin[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cgi-bin[4].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Susan\Cookies\susan@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Susan\Cookies\susan@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Susan\Cookies\susan@dist.belnk[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Susan\Cookies\susan@errorsafe[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Susan\Cookies\susan@fe.lea.lycos[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Susan\Cookies\susan@fortunecity[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Susan\Cookies\susan@i.screensavers[1].txt
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Susan\Cookies\susan@ilead.itrack[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Susan\Cookies\susan@kmpads[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Susan\Cookies\susan@landing.domainsponsor[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Susan\Cookies\susan@maxserving[2].txt
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Susan\Cookies\susan@metriweb[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Susan\Cookies\susan@overture[1].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Susan\Cookies\susan@pacificpoker[3].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@paycounter[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Susan\Cookies\susan@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Susan\Cookies\susan@perf.overture[1].txt

Edward Skylover
2006-03-26, 19:35
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Susan\Cookies\susan@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Susan\Cookies\susan@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Susan\Cookies\susan@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Susan\Cookies\susan@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@rn11[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Susan\Cookies\susan@sel.as-eu.falkag[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Susan\Cookies\susan@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Susan\Cookies\susan@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Susan\Cookies\susan@stats1.reliablestats[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Susan\Cookies\susan@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Susan\Cookies\susan@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Susan\Cookies\susan@tribalfusion[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Susan\Cookies\susan@weborama[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Susan\Cookies\susan@www.burstbeacon[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Susan\Cookies\susan@www.errorsafe[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xmts[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Susan\Cookies\susan@xxxcounter[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Susan\Cookies\susan@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Susan\Cookies\susan@zedo[2].txt
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[c600lgdm160a.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[dn8o01l3e.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[dnn8015ue.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[enp8l17u1.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[f20o0cd3ef0.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[fvcfg.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[gp0ol3d31.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[guard.tmp_tobedeleted]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[hOl.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[hrp4057qe.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[ikrop.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[irjul5191.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[j84olih3184.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[llcdll.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[lv0s09d7e.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[lvadperf.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[lvjo0913e.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[lzrt.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[macndmgr.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[mkcat32.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[mpconf.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[n4l80e3ueh.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[nftui1.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[npwdev.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[oaeaccrc.dll]

Edward Skylover
2006-03-26, 19:36
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[ogpdx32.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[pjd.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[pzrpnsp.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[qodit.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[sgnscfg.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[swcur32.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[syell32.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[tmemeui.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[wctdecod.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\backup.zip[wtbvw.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\c600lgdm160a.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\dn8o01l3e.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\dnn8015ue.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\enp8l17u1.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\f20o0cd3ef0.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\fvcfg.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\gp0ol3d31.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\guard.tmp_tobedeleted
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\hOl.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\hrp4057qe.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\ikrop.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\irjul5191.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\j84olih3184.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\llcdll.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\lv0s09d7e.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\lvadperf.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\lvjo0913e.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\lzrt.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\macndmgr.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\mkcat32.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\mpconf.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\n4l80e3ueh.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\nftui1.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\npwdev.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\oaeaccrc.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\ogpdx32.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\pjd.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\pzrpnsp.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\qodit.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\sgnscfg.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\swcur32.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\syell32.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\tmemeui.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\wctdecod.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\dlls\wtbvw.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix\Process.exe

Edward Skylover
2006-03-26, 19:36
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Susan\Desktop\l2mfix.exe[Process.exe]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@stats1.reliablestats[2].txt
Adware:Adware/Dyfuca Not disinfected C:\Program Files\Hzfxgig\Ahns.exe
Adware:Adware/MediaTickets Not disinfected C:\Program Files\Media Gateway\MediaGateway.exe
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuoa.exe
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuod\uzuoc.dll
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuol.exe
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuom.exe
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuop.exe
Adware:Adware/nCase Not disinfected C:\temp\180SAInstaller.exe
Adware:Adware/WinTools Not disinfected C:\temp\ZCWEDowST3.exe
Adware:Adware/PurityScan Not disinfected C:\Veracruz.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whiehlpr.dll]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\Downloaded Program Files\v3.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Installer.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\mc-110-12-0000228.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\ad.html
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Temp\Cookies\susan@112.2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\susan@888[1].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\susan@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Temp\Cookies\susan@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\Temp\Cookies\susan@adopt.hbmediapro[1].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Temp\Cookies\susan@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Temp\Cookies\susan@as1.falkag[1].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\Temp\Cookies\susan@cassava[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\susan@errorsafe[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\WINDOWS\Temp\Cookies\susan@kmpads[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Temp\Cookies\susan@paypopup[1].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Temp\Cookies\susan@perf.overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Temp\Cookies\susan@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\WINDOWS\Temp\Cookies\susan@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Temp\Cookies\susan@rn11[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Temp\Cookies\susan@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Temp\Cookies\susan@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\susan@stats1.reliablestats[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\WINDOWS\Temp\Cookies\susan@targetsaver[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Temp\Cookies\susan@trafficmp[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\WINDOWS\Temp\Cookies\susan@winfixer[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\susan@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Temp\Cookies\susan@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Temp\Cookies\susan@zedo[2].txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\U3VzYW4\asappsrv.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\U3VzYW4\command.exe
Adware:Adware/ISearch Not disinfected C:\WINDOWS\U3VzYW4\oapWsqb.vbs
Dialer:Dialer.FUJ Not disinfected C:\WINDOWS\UnitedKingdom.exe
Dialer:Dialer.DQT Not disinfected C:\WINDOWS\yseti.exe

LonnyRJones
2006-03-26, 22:11
Download System Security Suite.
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe.
After the install you can delete setup.exe and the downloaded zip file.
Start the program. Check all the boxes under the 'Items to Clear' tab (even cookies, this time) and click
'Clear Selected Items'. You will be prompted to reboot; do so.

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, what version is it?
Start Killbox, place a tick next to [x]Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

C:\WINDOWS\UnitedKingdom.exe
C:\WINDOWS\yseti.exe
C:\WHCC2.exe
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\v3.dll
C:\WINDOWS\Installer.exe
C:\WINDOWS\mc-110-12-0000228.exe
C:\WINDOWS\system32\ad.html
C:\temp\180SAInstaller.exe
C:\temp\ZCWEDowST3.exe

Back in Killbox go > File > Paste from Clipboard.
Click the red highlighted X button and say yes to the prompt to restart the PC.


Manually delete these folders:
C:\WINDOWS\U3VzYW4
C:\Program Files\Hzfxgig
C:\PROGRAM FILES\Media Gateway
C:\PROGRAM FILES\whInstall
C:\PROGRAM FILES\WinAntiVirus Pro 2006
=============================================
C:\PROGRAM FILES\SCOM << what are the contents?

Install at least a free anti-virus and firewall program.
Don't make the common mistake of installing more than one anti-virus or firewall.
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=60
ZoneAlarm provides a paid-for and a free version http://www.zonelabs.com/
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za
Kerio Personal Firewall
For home users, Kerio Personal Firewall 4 is available in two flavors -
the full edition and the limited free edition.
http://www.kerio.com/us/kpf_download.html
Sygate free for personal/home http://soho.sygate.com/products/spf_standard.htm
Outpost http://www.outpost.uk.com/download/outpost1.html



Post another HijackThis log afterwards and let us know of any problems.
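An added example, not part of the post above or of any tool named in this thread: a short Python triage of scan lines in the format quoted earlier, which collapses archive-member entries such as `C:\WHCC2.exe[whAgent.exe]` to the file on disk and separates cookies and Recycle Bin items from files that need manual review. The function names and bucket labels are hypothetical; the sample lines are copied from the scan output in this thread.

```python
import re

# Lines copied from the scan output quoted earlier in this thread.
SAMPLE = r"""
Adware:Adware/Sqwire Not disinfected C:\RECYCLER\S-1-5-21-1306497120-335948203-3689621361-1005\Dc1\uzuoa.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[webhdll.dll]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\susan@888[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Temp\Cookies\susan@trafficmp[1].txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\U3VzYW4\command.exe
Dialer:Dialer.FUJ Not disinfected C:\WINDOWS\UnitedKingdom.exe
""".strip().splitlines()

# "<category>:<detection> Not disinfected <path>"; only the status seen in the log.
LINE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) Not disinfected (?P<path>[A-Za-z]:\\.+)$")
# A trailing "[member]" marks a file inside an archive or installer.
MEMBER = re.compile(r"\[[^\[\]]+\]$")
RECYCLER = re.compile(r"^[A-Za-z]:\\RECYCLER\\", re.IGNORECASE)


def parse(line):
    """Return (category, detection, file on disk) or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # Cookie names such as x[1].txt do not end in "]", so they are kept whole.
    return m.group("category"), m.group("name"), MEMBER.sub("", m.group("path"))


def triage(lines):
    """Group unique paths by the clean-up step that deals with them."""
    buckets = {"cookies": [], "recycle_bin": [], "files": []}
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2].lower() in seen:  # Windows paths ignore case
            continue
        _, name, path = rec
        seen.add(path.lower())
        if name.startswith("Cookie/"):
            buckets["cookies"].append(path)      # handled by a cookie clean-up
        elif RECYCLER.match(path):
            buckets["recycle_bin"].append(path)  # gone once the bin is emptied
        else:
            buckets["files"].append(path)        # candidates for manual review
    return buckets


if __name__ == "__main__":
    for step, paths in triage(SAMPLE).items():
        print(step, len(paths), *paths, sep="\n  ")
```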

Edward Skylover
2006-03-27, 00:10
Here is the log from HiJackThis, I'm not sure if there are any problems or not. :)


Logfile of HijackThis v1.99.1
Scan saved at 22:07:47, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Susan\Desktop\family folder\Edward's folder\Computer downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E861860-46B1-4391-8745-983F9CD36025}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for your help so far. :)

LonnyRJones
2006-03-27, 01:42
It's great to see an AV in your logs. :D

Post back in a couple of days to let us know what's going on, please.

In the meantime, put in place a good hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Edward Skylover
2006-03-27, 19:35
Ok. Thanks for your help. You've been great! :)

tashi
2006-04-02, 21:49
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.