
CoolWWWSearch.Feat2Installer Keeps coming back



jay hulka
2006-04-02, 20:08
Hello! I am new to this forum, as I am also new to the problems of malware. Here are the details:

I have used Spybot for a while and find it to be quite effective. However, there is this recurring problem I have had with popups, little things turning off protective measures on IE and Spybot, etc... I scan with Spybot, it recognizes it, then removes it. But it comes back time and time again. FYI... I tried manually removing "guarnset" via HijackThis prior to reading this forum (sorry!). Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:57:01 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.5.1.39) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.0.21) - https://www.ubspwmobile.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.2.28) - https://www.ubspwmobile.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.0.1.28) - https://www.ubspwmobile.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,5,0,34) - https://www.ubspwmobile.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\fn4021hmg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Thanks a bunch for your help!!
JH

LonnyRJones
2006-04-07, 16:55
Welcome jay hulka
Sorry for the delay, unless you're being assisted at another forum?
Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
If it is too large to post in one reply, do so in two please.

jay hulka
2006-04-07, 23:47
Hello! No worries on the delay, as I know you guys are busy. Thanks so much for your help with this issue. I have completed the steps that you suggested, and here is the log (in two posts):

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvpq0975e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7482BD95-0B59-05CA-9925-B6F91CB6CAF2}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BEB5F380-5501-11d3-BFDE-ADC2F2AAE920}"="Rage3DTweak"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A695DDBF-EC30-43CE-8341-7080D657A9C9}"=""
"{3EB756B8-1A16-489C-8939-8E4078BBADED}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{DC7E53E5-CED0-4839-8778-D9FC93579C3A}"=""
"{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}"=""
"{0B0AE582-3021-4000-9528-C6A2CB66D413}"=""

**********************************************************************************

jay hulka
2006-04-07, 23:48
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\RYSMXS.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\InprocServer32]
@="C:\\WINDOWS\\system32\\nftlogon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\InprocServer32]
@="C:\\WINDOWS\\system32\\KLDLT1.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\InprocServer32]
@="C:\\WINDOWS\\system32\\MJRECR40.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
0g64noxg.dll Mon Feb 20 2006 4:25:24p A.... 45,568 44.50 K
abl71.dll Sat Mar 11 2006 11:01:32a ..S.R 237,262 231.70 K
agifil32.dll Fri Feb 24 2006 8:05:08a ..S.R 235,422 229.90 K
aoi2evxx.dll Fri Feb 24 2006 8:06:28p ..S.R 235,422 229.90 K
dnnhupnp.dll Sun Feb 26 2006 3:11:36p ..S.R 234,978 229.47 K
dtmsadsn.dll Sat Feb 25 2006 1:46:22p ..S.R 234,263 228.77 K
elent.dll Wed Feb 22 2006 9:13:40p ..S.R 235,422 229.90 K
en08l1~1.dll Sun Feb 26 2006 9:23:42p ..S.R 234,906 229.40 K
en0sl1~1.dll Thu Mar 9 2006 11:29:18p ..S.R 234,616 229.12 K
en84l1~1.dll Mon Feb 20 2006 6:40:00p ..S.R 236,088 230.55 K
enjql1~1.dll Mon Feb 20 2006 5:00:14p ..S.R 234,003 228.52 K
enpsl1~1.dll Tue Feb 21 2006 9:06:52p ..S.R 234,547 229.05 K
fnl021~1.dll Fri Mar 3 2006 11:37:50a ..S.R 234,906 229.40 K
g0jola~1.dll Tue Feb 21 2006 11:30:06p ..S.R 236,732 231.18 K
h0j4la~1.dll Fri Mar 10 2006 10:15:34p ..S.R 233,953 228.47 K
h4j40e~1.dll Sun Feb 26 2006 9:04:26p ..S.R 234,906 229.40 K
ideshare.dll Tue Feb 21 2006 9:07:48p ..S.R 235,422 229.90 K
ilengine.dll Sun Feb 26 2006 3:39:06p ..S.R 234,263 228.77 K
ir8ml5~1.dll Fri Apr 7 2006 4:51:32p ..S.R 233,912 228.43 K
irengine.dll Wed Feb 22 2006 9:07:44p ..S.R 235,422 229.90 K
jcmkd.dll Sat Feb 25 2006 1:23:26p A.... 98,816 96.50 K
kldlt1.dll Sat Mar 11 2006 12:10:26p ..S.R 233,840 228.36 K
kqdtuf.dll Sat Feb 25 2006 1:41:24p ..S.R 234,978 229.47 K
ktuser.dll Mon Feb 20 2006 6:41:00p ..S.R 236,392 230.85 K
legitc~1.dll Tue Feb 14 2006 10:20:14a A.... 550,120 537.23 K
lvj009~1.dll Sun Feb 26 2006 9:14:26p ..S.R 234,492 228.99 K
lvpq09~1.dll Wed Apr 5 2006 9:57:52a ..S.R 233,894 228.41 K
m4460e~1.dll Mon Feb 20 2006 4:34:20p ..S.R 234,916 229.41 K
mfaudite.dll Sat Feb 25 2006 12:20:16p ..S.R 235,422 229.90 K
mjrecr40.dll Fri Apr 7 2006 4:52:48p ..S.R 233,894 228.41 K
mlvcp50.dll Wed Feb 22 2006 9:02:48p ..S.R 235,422 229.90 K
mlw3prt.dll Fri Mar 10 2006 10:15:34p ..S.R 236,242 230.70 K
mtaatext.dll Sun Feb 26 2006 9:28:16p ..S.R 234,906 229.40 K
mwrepl40.dll Mon Feb 20 2006 5:30:04p ..S.R 236,088 230.55 K
n0r2la~1.dll Mon Feb 20 2006 5:30:04p ..S.R 233,893 228.41 K
njlanui2.dll Wed Feb 22 2006 6:48:46p ..S.R 235,422 229.90 K
nso1b.dll Thu Feb 9 2006 9:16:30a A.... 76,800 75.00 K
ojuninst.dll Wed Mar 29 2006 11:16:52p ..S.R 233,894 228.41 K
pacifisy.dll Sat Feb 25 2006 1:21:26p A.... 22 0.02 K
q6nulg~1.dll Thu Mar 30 2006 7:55:38p ..S.R 235,074 229.56 K
rgnd.dll Fri Feb 24 2006 8:16:02a ..S.R 235,686 230.16 K
s32evnt1.dll Tue Feb 14 2006 1:10:52p A.... 91,904 89.75 K
scclogon.dll Sat Mar 4 2006 2:05:24p ..S.R 235,405 229.89 K
seeio.dll Tue Feb 21 2006 8:18:28p ..S.R 234,118 228.63 K
sfnscfg.dll Tue Feb 21 2006 7:15:56p ..S.R 236,392 230.85 K
smdocvw.dll Tue Feb 21 2006 8:44:52p ..S.R 234,547 229.05 K
spmapi.dll Tue Feb 21 2006 6:49:50p ..S.R 236,392 230.85 K
spmsg.dll Mon Feb 13 2006 8:03:38p ..... 8,632 8.43 K
sporder.dll Mon Feb 20 2006 4:25:06p A.... 8,464 8.27 K
sxful.dll Sat Feb 25 2006 1:21:34p A.... 98,816 96.50 K
vear332.dll Sun Apr 2 2006 10:48:48a ..S.R 233,894 228.41 K
vzscript.dll Sun Mar 5 2006 9:39:22p ..S.R 234,272 228.78 K
wcnscard.dll Sun Feb 26 2006 9:04:26p ..S.R 234,492 228.99 K
wessvc.dll Tue Mar 7 2006 10:03:00p ..S.R 234,272 228.78 K
winapi32.dll Sat Feb 25 2006 12:09:30p A.... 0 0.00 K
winbl32.dll Sat Feb 25 2006 12:09:30p A.... 0 0.00 K
wonbl32.dll Fri Mar 3 2006 8:42:44p ..S.R 235,405 229.89 K
wwdsp.dll Sat Mar 11 2006 1:41:50p ..S.R 233,562 228.09 K
wx2n50.dll Sat Feb 25 2006 1:18:10p ..S.R 234,272 228.78 K

59 items found: 59 files (48 H/S), 0 directories.
Total of file sizes: 12,257,065 bytes 11.69 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
lat13.tmp Wed Feb 22 2006 8:45:08p A.... 0 0.00 K
lat21.tmp Mon Feb 20 2006 5:57:58p A.... 0 0.00 K
lat22.tmp Mon Feb 20 2006 5:59:00p A.... 0 0.00 K
lat23.tmp Mon Feb 20 2006 6:00:02p A.... 0 0.00 K
lat7.tmp Wed Feb 22 2006 7:11:36p A.... 0 0.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1CA4-B152

Directory of C:\WINDOWS\System32

04/07/2006 04:52 PM 233,894 MJRECR40.DLL
04/07/2006 04:51 PM 233,912 ir8ml5l11.dll
04/05/2006 09:57 AM 233,894 lvpq0975e.dll
04/02/2006 10:48 AM 233,894 VEAR332.DLL
03/30/2006 07:55 PM 235,074 q6nulg5916.dll
03/29/2006 11:16 PM 233,894 ojuninst.dll
03/11/2006 01:41 PM 233,562 wwdsp.dll
03/11/2006 12:10 PM 233,840 KLDLT1.DLL
03/11/2006 11:01 AM 237,262 abl71.dll
03/10/2006 10:15 PM 236,242 mlw3prt.dll
03/10/2006 10:15 PM 233,953 h0j4la1q1d.dll
03/09/2006 11:29 PM 234,616 en0sl1d71.dll
03/07/2006 10:02 PM 234,272 wessvc.dll
03/05/2006 09:39 PM 234,272 vzscript.dll
03/04/2006 02:05 PM 235,405 scclogon.dll
03/03/2006 08:42 PM 235,405 wonbl32.dll
03/03/2006 11:37 AM 234,906 fnl0213mg.dll
02/26/2006 09:28 PM 234,906 MTAATEXT.DLL
02/26/2006 09:23 PM 234,906 en08l1du1.dll
02/26/2006 09:14 PM 234,492 lvj0091me.dll
02/26/2006 09:04 PM 234,492 wcnscard.dll
02/26/2006 09:04 PM 234,906 h4j40e1qeh.dll
02/26/2006 03:39 PM 234,263 ilengine.dll
02/26/2006 03:11 PM 234,978 dnnhupnp.dll
02/25/2006 01:46 PM 234,263 DTMSADSN.DLL
02/25/2006 01:41 PM 234,978 KQDTUF.DLL
02/25/2006 01:18 PM 234,272 WX2N50.dll
02/25/2006 12:20 PM 235,422 MFAUDITE.DLL
02/24/2006 08:06 PM 235,422 aoi2evxx.dll
02/24/2006 08:16 AM 235,686 RGND.DLL
02/24/2006 08:05 AM 235,422 agifil32.dll
02/22/2006 09:13 PM 235,422 elent.dll
02/22/2006 09:07 PM 235,422 irengine.dll
02/22/2006 09:02 PM 235,422 MLVCP50.DLL
02/22/2006 06:48 PM 235,422 NJLANUI2.DLL
02/21/2006 11:30 PM 236,732 g0jola131d.dll
02/21/2006 09:07 PM 235,422 ideshare.dll
02/21/2006 09:06 PM 234,547 enpsl1771.dll
02/21/2006 08:44 PM 234,547 smdocvw.dll
02/21/2006 08:18 PM 234,118 seeio.dll
02/21/2006 07:15 PM 236,392 SFNSCFG.DLL
02/21/2006 06:49 PM 236,392 SPMAPI.DLL
02/20/2006 06:40 PM 236,392 ktuser.dll
02/20/2006 06:39 PM 236,088 en84l1lq1.dll
02/20/2006 05:30 PM 236,088 mwrepl40.dll
02/20/2006 05:30 PM 233,893 n0r2la9o1d.dll
02/20/2006 05:00 PM 234,003 enjql1151.dll
02/20/2006 04:55 PM <DIR> DLLCACHE
02/20/2006 04:34 PM 234,916 m4460ehseh460.dll
03/17/2003 03:21 AM <DIR> Microsoft
48 File(s) 11,277,923 bytes
2 Dir(s) 14,736,781,312 bytes free

jay hulka
2006-04-07, 23:51
I did run the fix portion, as I did in fact have the error associated with #1 on l2mfix.exe. After running #2 (fix), I was instructed to remove "020 missing file" via hijackthis after reboot. I did do that as well.
Thanks!!!

LonnyRJones
2006-04-07, 23:53
OK

Post that option Two log and a fresh hijackthis log

jay hulka
2006-04-08, 17:17
Here is the option 2 log (in two posts). Thanks once again for your prompt reply:

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 420 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 508 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 364 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1156 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
Deleting: C:\WINDOWS\system32\abl71.dll
Successfully Deleted: C:\WINDOWS\system32\abl71.dll
Deleting: C:\WINDOWS\system32\agifil32.dll
Successfully Deleted: C:\WINDOWS\system32\agifil32.dll
Deleting: C:\WINDOWS\system32\aoi2evxx.dll
Successfully Deleted: C:\WINDOWS\system32\aoi2evxx.dll
Deleting: C:\WINDOWS\system32\dnnhupnp.dll
Successfully Deleted: C:\WINDOWS\system32\dnnhupnp.dll
Deleting: C:\WINDOWS\system32\DTMSADSN.DLL
Successfully Deleted: C:\WINDOWS\system32\DTMSADSN.DLL
Deleting: C:\WINDOWS\system32\elent.dll
Successfully Deleted: C:\WINDOWS\system32\elent.dll
Deleting: C:\WINDOWS\system32\en08l1du1.dll
Successfully Deleted: C:\WINDOWS\system32\en08l1du1.dll
Deleting: C:\WINDOWS\system32\en0sl1d71.dll
Successfully Deleted: C:\WINDOWS\system32\en0sl1d71.dll
Deleting: C:\WINDOWS\system32\en84l1lq1.dll
Successfully Deleted: C:\WINDOWS\system32\en84l1lq1.dll
Deleting: C:\WINDOWS\system32\enjql1151.dll
Successfully Deleted: C:\WINDOWS\system32\enjql1151.dll
Deleting: C:\WINDOWS\system32\enpsl1771.dll
Successfully Deleted: C:\WINDOWS\system32\enpsl1771.dll
Deleting: C:\WINDOWS\system32\fnl0213mg.dll
Successfully Deleted: C:\WINDOWS\system32\fnl0213mg.dll
Deleting: C:\WINDOWS\system32\g0jola131d.dll
Successfully Deleted: C:\WINDOWS\system32\g0jola131d.dll
Deleting: C:\WINDOWS\system32\h0j4la1q1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0j4la1q1d.dll
Deleting: C:\WINDOWS\system32\h4j40e1qeh.dll
Successfully Deleted: C:\WINDOWS\system32\h4j40e1qeh.dll
Deleting: C:\WINDOWS\system32\ideshare.dll
Successfully Deleted: C:\WINDOWS\system32\ideshare.dll
Deleting: C:\WINDOWS\system32\ilengine.dll
Successfully Deleted: C:\WINDOWS\system32\ilengine.dll
Deleting: C:\WINDOWS\system32\ir8ml5l11.dll
Successfully Deleted: C:\WINDOWS\system32\ir8ml5l11.dll
Deleting: C:\WINDOWS\system32\irengine.dll
Successfully Deleted: C:\WINDOWS\system32\irengine.dll
Deleting: C:\WINDOWS\system32\KLDLT1.DLL
Successfully Deleted: C:\WINDOWS\system32\KLDLT1.DLL
Deleting: C:\WINDOWS\system32\KQDTUF.DLL
Successfully Deleted: C:\WINDOWS\system32\KQDTUF.DLL
Deleting: C:\WINDOWS\system32\ktuser.dll
Successfully Deleted: C:\WINDOWS\system32\ktuser.dll
Deleting: C:\WINDOWS\system32\lvj0091me.dll
Successfully Deleted: C:\WINDOWS\system32\lvj0091me.dll
Deleting: C:\WINDOWS\system32\lvpq0975e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpq0975e.dll
Deleting: C:\WINDOWS\system32\m4460ehseh460.dll
Successfully Deleted: C:\WINDOWS\system32\m4460ehseh460.dll
Deleting: C:\WINDOWS\system32\MFAUDITE.DLL
Successfully Deleted: C:\WINDOWS\system32\MFAUDITE.DLL
Deleting: C:\WINDOWS\system32\MJRECR40.DLL
Successfully Deleted: C:\WINDOWS\system32\MJRECR40.DLL
Deleting: C:\WINDOWS\system32\MLVCP50.DLL
Successfully Deleted: C:\WINDOWS\system32\MLVCP50.DLL
Deleting: C:\WINDOWS\system32\mlw3prt.dll
Successfully Deleted: C:\WINDOWS\system32\mlw3prt.dll
Deleting: C:\WINDOWS\system32\MTAATEXT.DLL
Successfully Deleted: C:\WINDOWS\system32\MTAATEXT.DLL
Deleting: C:\WINDOWS\system32\mwrepl40.dll
Successfully Deleted: C:\WINDOWS\system32\mwrepl40.dll
Deleting: C:\WINDOWS\system32\n0r2la9o1d.dll
Successfully Deleted: C:\WINDOWS\system32\n0r2la9o1d.dll
Deleting: C:\WINDOWS\system32\NJLANUI2.DLL
Successfully Deleted: C:\WINDOWS\system32\NJLANUI2.DLL
Deleting: C:\WINDOWS\system32\ojuninst.dll
Successfully Deleted: C:\WINDOWS\system32\ojuninst.dll
Deleting: C:\WINDOWS\system32\q6nulg5916.dll
Successfully Deleted: C:\WINDOWS\system32\q6nulg5916.dll
Deleting: C:\WINDOWS\system32\RGND.DLL
Successfully Deleted: C:\WINDOWS\system32\RGND.DLL
Deleting: C:\WINDOWS\system32\scclogon.dll
Successfully Deleted: C:\WINDOWS\system32\scclogon.dll
Deleting: C:\WINDOWS\system32\seeio.dll
Successfully Deleted: C:\WINDOWS\system32\seeio.dll
Deleting: C:\WINDOWS\system32\SFNSCFG.DLL
Successfully Deleted: C:\WINDOWS\system32\SFNSCFG.DLL
Deleting: C:\WINDOWS\system32\smdocvw.dll
Successfully Deleted: C:\WINDOWS\system32\smdocvw.dll
Deleting: C:\WINDOWS\system32\SPMAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\SPMAPI.DLL
Deleting: C:\WINDOWS\system32\VEAR332.DLL
Successfully Deleted: C:\WINDOWS\system32\VEAR332.DLL
Deleting: C:\WINDOWS\system32\vzscript.dll
Successfully Deleted: C:\WINDOWS\system32\vzscript.dll
Deleting: C:\WINDOWS\system32\wcnscard.dll
Successfully Deleted: C:\WINDOWS\system32\wcnscard.dll
Deleting: C:\WINDOWS\system32\wessvc.dll
Successfully Deleted: C:\WINDOWS\system32\wessvc.dll
Deleting: C:\WINDOWS\system32\wonbl32.dll
Successfully Deleted: C:\WINDOWS\system32\wonbl32.dll
Deleting: C:\WINDOWS\system32\wwdsp.dll
Successfully Deleted: C:\WINDOWS\system32\wwdsp.dll
Deleting: C:\WINDOWS\system32\WX2N50.dll
Successfully Deleted: C:\WINDOWS\system32\WX2N50.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvpq0975e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\RYSMXS.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\InprocServer32]
@="C:\\WINDOWS\\system32\\nftlogon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\InprocServer32]
@="C:\\WINDOWS\\system32\\KLDLT1.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\InprocServer32]
@="C:\\WINDOWS\\system32\\MJRECR40.DLL"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A695DDBF-EC30-43CE-8341-7080D657A9C9}"=-
"{3EB756B8-1A16-489C-8939-8E4078BBADED}"=-
"{DC7E53E5-CED0-4839-8778-D9FC93579C3A}"=-
"{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}"=-
"{0B0AE582-3021-4000-9528-C6A2CB66D413}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
[-HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
[-HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
[-HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
[-HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

jay hulka
2006-04-08, 17:17
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/abl71.dll (164 bytes security) (deflated 6%)
adding: dlls/agifil32.dll (164 bytes security) (deflated 5%)
adding: dlls/aoi2evxx.dll (164 bytes security) (deflated 5%)
adding: dlls/dnnhupnp.dll (164 bytes security) (deflated 5%)
adding: dlls/DTMSADSN.DLL (164 bytes security) (deflated 4%)
adding: dlls/elent.dll (164 bytes security) (deflated 5%)
adding: dlls/en08l1du1.dll (164 bytes security) (deflated 5%)
adding: dlls/en0sl1d71.dll (164 bytes security) (deflated 4%)
adding: dlls/en84l1lq1.dll (164 bytes security) (deflated 5%)
adding: dlls/enjql1151.dll (164 bytes security) (deflated 4%)
adding: dlls/enpsl1771.dll (164 bytes security) (deflated 5%)
adding: dlls/fnl0213mg.dll (164 bytes security) (deflated 5%)
adding: dlls/g0jola131d.dll (164 bytes security) (deflated 5%)
adding: dlls/h0j4la1q1d.dll (164 bytes security) (deflated 4%)
adding: dlls/h4j40e1qeh.dll (164 bytes security) (deflated 5%)
adding: dlls/ideshare.dll (164 bytes security) (deflated 5%)
adding: dlls/ilengine.dll (164 bytes security) (deflated 4%)
adding: dlls/ir8ml5l11.dll (164 bytes security) (deflated 4%)
adding: dlls/irengine.dll (164 bytes security) (deflated 5%)
adding: dlls/KLDLT1.DLL (164 bytes security) (deflated 4%)
adding: dlls/KQDTUF.DLL (164 bytes security) (deflated 5%)
adding: dlls/ktuser.dll (164 bytes security) (deflated 5%)
adding: dlls/lvj0091me.dll (164 bytes security) (deflated 4%)
adding: dlls/lvpq0975e.dll (164 bytes security) (deflated 4%)
adding: dlls/m4460ehseh460.dll (164 bytes security) (deflated 5%)
adding: dlls/MFAUDITE.DLL (164 bytes security) (deflated 5%)
adding: dlls/MJRECR40.DLL (164 bytes security) (deflated 4%)
adding: dlls/MLVCP50.DLL (164 bytes security) (deflated 5%)
adding: dlls/mlw3prt.dll (164 bytes security) (deflated 5%)
adding: dlls/MTAATEXT.DLL (164 bytes security) (deflated 5%)
adding: dlls/mwrepl40.dll (164 bytes security) (deflated 5%)
adding: dlls/n0r2la9o1d.dll (164 bytes security) (deflated 4%)
adding: dlls/NJLANUI2.DLL (164 bytes security) (deflated 5%)
adding: dlls/ojuninst.dll (164 bytes security) (deflated 4%)
adding: dlls/q6nulg5916.dll (164 bytes security) (deflated 5%)
adding: dlls/RGND.DLL (164 bytes security) (deflated 5%)
adding: dlls/scclogon.dll (164 bytes security) (deflated 5%)
adding: dlls/seeio.dll (164 bytes security) (deflated 4%)
adding: dlls/SFNSCFG.DLL (164 bytes security) (deflated 5%)
adding: dlls/smdocvw.dll (164 bytes security) (deflated 5%)
adding: dlls/SPMAPI.DLL (164 bytes security) (deflated 5%)
adding: dlls/VEAR332.DLL (164 bytes security) (deflated 4%)
adding: dlls/vzscript.dll (164 bytes security) (deflated 4%)
adding: dlls/wcnscard.dll (164 bytes security) (deflated 4%)
adding: dlls/wessvc.dll (164 bytes security) (deflated 4%)
adding: dlls/wonbl32.dll (164 bytes security) (deflated 5%)
adding: dlls/wwdsp.dll (164 bytes security) (deflated 4%)
adding: dlls/WX2N50.dll (164 bytes security) (deflated 4%)
adding: backregs/0B0AE582-3021-4000-9528-C6A2CB66D413.reg (188 bytes security) (deflated 70%)
adding: backregs/3EB756B8-1A16-489C-8939-8E4078BBADED.reg (188 bytes security) (deflated 70%)
adding: backregs/A695DDBF-EC30-43CE-8341-7080D657A9C9.reg (188 bytes security) (deflated 70%)
adding: backregs/A847E43E-6E5C-4B5C-9FAC-39DF507BFB79.reg (188 bytes security) (deflated 70%)
adding: backregs/DC7E53E5-CED0-4839-8778-D9FC93579C3A.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
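
An added example, not part of the original posts and not L2mfix's own code: it parses a Winlogon\Notify export like the one in the option 2 log (decoding the `hex(2)` `DllName` values) and reports any Notify subkey whose DLL also appears in the log's "Successfully Deleted" lines. The function names are hypothetical, and the two sample inputs are abridged from the log above.

```python
import ntpath
import re

# Sample input, abridged from the Notify export posted in the log above.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvpq0975e.dll"
"Logon"="WinLogon"
'''

# Sample input, abridged from the "Deleting:" section of the same log.
FIX_LOG = r'''Deleting: C:\WINDOWS\system32\KLDLT1.DLL
Successfully Deleted: C:\WINDOWS\system32\KLDLT1.DLL
Deleting: C:\WINDOWS\system32\lvpq0975e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpq0975e.dll
Deleting: C:\WINDOWS\system32\MJRECR40.DLL
Successfully Deleted: C:\WINDOWS\system32\MJRECR40.DLL
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        # Undo .reg escaping (\\ -> \, \" -> ").
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[len('hex(2):'):].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return None  # dword and other types are not DLL names


def parse_notify(reg_text):
    """Return {subkey name: DllName} for each Winlogon\\Notify subkey."""
    # Long hex values wrap with a trailing backslash; join them first.
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)
    entries, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            parent, _, name = m.group(1).rpartition('\\')
            is_notify_child = parent.lower().endswith('\\winlogon\\notify')
            current = name if is_notify_child else None
            continue
        m = VALUE.match(line)
        # Value names are case-insensitive: the export has DLLName and DllName.
        if m and current and m.group(1).lower() == 'dllname':
            entries[current] = decode_value(m.group(2))
    return entries


def deleted_files(log_text):
    """Collect the paths the fix log reports as successfully deleted."""
    return [p.strip() for p in
            re.findall(r'^Successfully Deleted:\s*(.+)$', log_text, re.MULTILINE)]


def notify_entries_for_deleted_dlls(entries, deleted):
    """Notify subkeys whose DLL was deleted by the fix run (compared by file name)."""
    gone = {ntpath.basename(p).lower() for p in deleted}
    return sorted((name, dll) for name, dll in entries.items()
                  if dll and ntpath.basename(dll).lower() in gone)


if __name__ == '__main__':
    hits = notify_entries_for_deleted_dlls(parse_notify(REG_EXPORT),
                                           deleted_files(FIX_LOG))
    for name, dll in hits:
        print(f'Notify\\{name} -> {dll} (file was deleted by the fix run)')
```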

jay hulka
2006-04-08, 17:21
Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:58 AM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

**********************************************************
Thank you once again for your help...you guys are the best!!!

LonnyRJones
2006-04-08, 17:47
Open a command prompt (start run type cmd press enter) type
sc stop hdiceai
press enter, type in
sc delete hdiceai
press enter, type exit and press enter to exit the command prompt

Start Hijackthis and place a check next to these items, if there.
O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go here http://www.virustotal.com/flash/index_en.html
and submit these files
C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
Post a fresh hijackthis log please, be sure to mention any current problems.

jay hulka
2006-04-08, 23:22
Thanks once again. I have done as you suggested, and have posted the fresh hijackthis log. As you will see...those pesky 02, 04 items keep coming back. I also submitted files to virustotal as requested. I keep getting "web crawler" and "way to find" pop ups, among other ones. It happens for a while, then stops and I can stay online and not get popups...weird, huh? Anyway, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:54 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

LonnyRJones
2006-04-09, 01:04
What did virus total say about them?

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox, what version is it?
Start Killbox, place a tick next to [x]Delete on reboot, press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
C:\WINDOWS\system32\sxful.dll
C:\WINDOWS\system32\guarnset.exe


Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.

Post back with a new HJT log

jay hulka
2006-04-09, 19:10
And again thanks! I did not have Killbox and therefore downloaded and followed your instructions. I have also posted what virustotal said of the two files along with a fresh hijackthis log. Thanks again! So far, no pop ups.

Results of a file scan
This is a report processed by VirusTotal on 04/08/2006 at 23:18:14 (CET) after scanning the file "hramebe.exe" file.
Antivirus Version Update Result
AntiVir 6.34.0.24 04.08.2006 TR/Painwin.A.8
Avast 4.6.695.0 04.03.2006 Win32:Adware-gen.
AVG 386 04.08.2006 Adware Generic.AUQ
Avira 6.34.0.56 04.08.2006 TR/Painwin.A.8
BitDefender 7.2 04.08.2006 Application.Bho.Adlogix.D
CAT-QuickHeal 8.00 04.06.2006 Trojan.Painwin.a
ClamAV devel-20060202 04.08.2006 no virus found
DrWeb 4.33 04.08.2006 no virus found
eTrust-InoculateIT 23.71.123 04.07.2006 no virus found
eTrust-Vet 12.4.2153 04.07.2006 no virus found
Ewido 3.5 04.08.2006 Trojan.Painwin.a
Fortinet 2.71.0.0 04.08.2006 W32/Painwin.A-tr
F-Prot 3.16c 04.07.2006 no virus found
Ikarus 0.2.59.0 04.07.2006 Trojan.Win32.Painwin.A
Kaspersky 4.0.2.24 04.08.2006 Trojan.Win32.Painwin.a
McAfee 4736 04.07.2006 potentially unwanted program Adware-Adlog
NOD32v2 1.1477 04.08.2006 no virus found
Norman 5.90.15 04.07.2006 W32/Painwin.F
Panda 9.0.0.4 04.08.2006 Adware/AdLogix
Sophos 4.04.0 04.08.2006 no virus found
Symantec 8.0 04.08.2006 no virus found
TheHacker 5.9.7.126 04.07.2006 Trojan/Painwin.a
UNA 1.83 04.07.2006 Trojan.Win32.Painwin
VBA32 3.10.5 04.07.2006 Trojan.Win32.Painwin.a

Results of a file scan
This is a report processed by VirusTotal on 04/08/2006 at 23:20:28 (CET) after scanning the file "hribycb.exe" file.
Antivirus Version Update Result
AntiVir 6.34.0.24 04.08.2006 TR/Painwin.A.7
Avast 4.6.695.0 04.03.2006 Win32:Adware-gen.
AVG 386 04.08.2006 Adware Generic.AUP
Avira 6.34.0.56 04.08.2006 TR/Painwin.A.7
BitDefender 7.2 04.08.2006 Application.Bho.Adlogix.B
CAT-QuickHeal 8.00 04.06.2006 Trojan.Painwin.a
ClamAV devel-20060202 04.08.2006 no virus found
DrWeb 4.33 04.08.2006 Trojan.DownLoader.7012
eTrust-InoculateIT 23.71.123 04.07.2006 no virus found
eTrust-Vet 12.4.2153 04.07.2006 no virus found
Ewido 3.5 04.08.2006 Trojan.Painwin.a
Fortinet 2.71.0.0 04.08.2006 W32/Painwin.A-tr
F-Prot 3.16c 04.07.2006 no virus found
Ikarus 0.2.59.0 04.07.2006 Trojan.Win32.Painwin.A
Kaspersky 4.0.2.24 04.08.2006 Trojan.Win32.Painwin.a
McAfee 4736 04.07.2006 potentially unwanted program Adware-Adlog
NOD32v2 1.1477 04.08.2006 no virus found
Norman 5.90.15 04.07.2006 W32/Painwin.E
Panda 9.0.0.4 04.08.2006 Adware/AdLogix
Sophos 4.04.0 04.08.2006 no virus found
Symantec 8.0 04.08.2006 no virus found
TheHacker 5.9.7.126 04.07.2006 Trojan/Painwin.a
UNA 1.83 04.07.2006 Trojan.Win32.Painwin
VBA32 3.10.5 04.07.2006 Trojan.Win32.Painwin.a

Logfile of HijackThis v1.99.1
Scan saved at 1:07:00 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

jay hulka
2006-04-09, 19:18
Also, I "fixed" the 02 missing file in the hijackthis log above, rebooted and ran another fresh hijackthis log. It seems as though the entries are finally gone, and I am no longer having popups. Thanks so much for all of your help. If there is anything else I should do (other than make a donation to spybot), please let me know. Regards,
Jay

Logfile of HijackThis v1.99.1
Scan saved at 1:13:40 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
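
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python differ for two HijackThis logs, showing which entries a cleanup removed and which survived. The two sample logs are short excerpts constructed from the 4/8 and 4/9 logs posted above; the function names are hypothetical.

```python
import re

# One HijackThis result line: section code (R0-R3, F0-F3, N1-N4, O1-O24),
# then " - ", then the detail text. Header lines and the bare paths under
# "Running processes:" do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
MISSING = " (file missing)"

# Constructed excerpt of the 4/8/2006 log posted in this thread.
LOG_APR8 = r"""
O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed excerpt of the 4/9/2006 1:13 PM log posted in this thread.
LOG_APR9 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def parse_entries(log_text):
    """Return {(section, detail): file_missing} for every result line."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.group(1), m.group(2).strip()
        # Strip the "(file missing)" suffix so the same registry entry
        # compares equal before and after its file was deleted.
        missing = detail.endswith(MISSING)
        if missing:
            detail = detail[: -len(MISSING)]
        entries[(section, detail)] = missing
    return entries


def diff_logs(before_text, after_text):
    """Compare two logs; each value is a sorted list of (section, detail)."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "persisted": sorted(before & after),
    }


def still_referenced(log_text, file_names):
    """Return the file names (case-insensitive) that a log still mentions."""
    details = [detail.lower() for _, detail in parse_entries(log_text)]
    return [n for n in file_names if any(n.lower() in d for d in details)]


def unknown_owner_services(log_text):
    """List O23 services labelled 'Unknown owner'.

    This is a triage hint only: in this thread's logs the ATI driver
    service carries the same label as the hdiceai service.
    """
    marker = " - Unknown owner - "
    names = []
    for section, detail in parse_entries(log_text):
        if section == "O23" and marker in detail:
            names.append(detail[len("Service: "):].split(marker)[0])
    return sorted(names)


if __name__ == "__main__":
    result = diff_logs(LOG_APR8, LOG_APR9)
    for section, detail in result["removed"]:
        print("removed:", section, detail)
    targets = ["sxful.dll", "guarnset.exe", "hdiceai.exe"]
    print("still referenced:", still_referenced(LOG_APR9, targets))
    print("unknown-owner services:", unknown_owner_services(LOG_APR9))
```

Run on the excerpts, the diff reports the sxful.dll BHO and the guarnset Run entry as removed, while the hdiceai service entry is still referenced in the later log.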

LonnyRJones
2006-04-09, 23:14
Open a command prompt (start run type cmd press enter) type
sc delete hdiceai
press enter, type exit and press enter to exit the command prompt

Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html

Ewido

Please download Ewido AntiMalware
Install Ewido AntiMalware
http://www.ewido.net/en/download/
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Note: Your firewall may say "Antimalware wants to access the internet" It may not say Ewido.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
http://www.ewido.net/en/download/updates/

When the trial runs out you can continue to use the program but without its resident protection.


Click on scanner.
Click on Complete System Scan and the scan will begin.
If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Ewido automatically saves the report here on every scan:
(default program installation folder)
C:\Program Files\ewido\security suite\Reports

Now close Ewido AntiMalware and post that report

jay hulka
2006-04-10, 05:47
Lonny,
I followed all of your instructions and have posted the Ewido report below. A quick run of spybot and hijackthis after reboot does not find the Feat2Installer anymore. Thank you so much for freeing my computer and putting it back to normal. You guys are the best! Here is the log in two posts:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:04:50 PM, 4/9/2006
+ Report-Checksum: 35C08F08

+ Scan result:


jay hulka
2006-04-10, 05:51

jay hulka
2006-04-10, 05:52
C:\hijackthis\backups\backup-20060408-171247-915.dll -> Adware.Adstart : Cleaned with backup
C:\hijackthis\backups\backup-20060408-173441-113.dll -> Adware.Adstart : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\7020.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\dlgb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\letn.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\mynexus.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Sm9obiBIdWxjaGVy\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\Sm9obiBIdWxjaGVy\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\SYSTEM32\adsetup.exe -> Dropper.Agent.abb : Cleaned with backup
C:\WINDOWS\SYSTEM32\hdacyfa.vxd -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hdiceai.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\jcmkd.dll -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\jcmkdc.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\jcmkdd.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\jcmkdf.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\qsdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\sxfulc.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\sxfuld.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\sxfulf.exe -> Adware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\ttbitt.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\u1um0id.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\unpack.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\ѕеcurity\rundll32.exe -> Downloader.PurityScan.bx : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\Temp\Cookies\john hulcher@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\john hulcher@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

LonnyRJones
2006-04-10, 06:05
That's good to hear ;)

Keep an eye out for these two in the Ewido scan over the next few days
C:\WINDOWS\system32\hramebe.exe
C:\WINDOWS\system32\hribycb.exe
and let me know if they return
Is this line gone in a HijackThis log?
O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe

Delete these two folders
C:\WINDOWS\Sm9obiBIdWxjaGVy
C:\Program Files\Jalmp
Also delete the l2mfix folder/l2mfix.exe; if ever needed again it will probably have been updated

If your PC is running OK now, flush out the old System Restore points

Purge System Restore
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

jay hulka
2006-04-14, 02:34
Hello! Sorry about the delay in getting back to you. I have completed your instructions.

Upon running HijackThis, I did not find the O23 hdiceai item you refer to (yeah!). I did find and delete the two folders (though I had to turn on view hidden files to find one of them). I also deleted the l2mfix, as well as flushed the system restore. I will continue to check Ewido scans for those files and let you know if they return. I can't thank you enough for all of your help. :bigthumb: You have gone above and beyond. Please advise if I need to do anything else. Here is a recent HijackThis log for your final review.
Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 8:33:36 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/classes/java/shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/classes/monitor/monclassdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093137400467
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/classes/java/dyncompdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/classes/java/jquotedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/classes/java/dialogsdown.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/classes/java/qqagentdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

LonnyRJones
2006-04-14, 04:42
Looks fine

Safe surfing

jay hulka
2006-04-15, 02:49
I have had zero problems over the past few days. I will be surfing safe thanks to you.

J

LonnyRJones
2006-04-15, 04:38
Great :)

I'm glad we could help.
Since the problems are solved, I'm going to close the topic now. This keeps others with similar problems from posting their logs/questions here; they should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.