Thread: CoolWWWSearch.Feat2Installer Keeps coming back

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    Hello! I am new to this forum, as I am also new to the problems of malware. Here are the details:

    I have used Spybot for a while and find it to be quite effective. However, there is this recurring problem I have had with popups, little things turning off protective measures on IE and Spybot, etc... I scan with Spybot, it recognizes it, then removes it. But it comes back time and time again. FYI... I tried manually removing "guarnset" via HijackThis prior to reading this forum (sorry!). Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:57:01 PM, on 4/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\hramebe.exe
    C:\WINDOWS\system32\hribycb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
    O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
    O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
    O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.5.1.39) - https://www.ubspwmobile.com/md/jnavigator.cab
    O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
    O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
    O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.0.21) - https://www.ubspwmobile.com/md/classes/java/shdown.cab
    O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.2.28) - https://www.ubspwmobile.com/md/class...nclassdown.cab
    O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
    O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,1) - https://www.ubspwmobile.com/md/plugi...obil/excel.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093137400467
    O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/cla...yncompdown.cab
    O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
    O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugi...l/precheck.cab
    O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
    O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.0.1.28) - https://www.ubspwmobile.com/md/class...jquotedown.cab
    O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/cla...ialogsdown.cab
    O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/cla...qagentdown.cab
    O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/class...mlsoftdown.cab
    O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,5,0,34) - https://www.ubspwmobile.com/md/pluswebverdown.cab
    O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
    O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\fn4021hmg.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Thanks a bunch for your help!!
    JH

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Welcome jay hulka
    Sorry for the delay, unless you're being assisted at another forum?
    Download L2mfix (new version) from one of these two locations:
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe
    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
    Note:
    If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
    If it is too large to post in one reply, do so in two please.

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    Hello! No worries on the delay, as I know you guys are busy. Thanks so much for your help with this issue. I have completed the steps that you suggested, and here is the log (in two posts):

    L2MFIX find log 032106
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\lvpq0975e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7482BD95-0B59-05CA-9925-B6F91CB6CAF2}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{BEB5F380-5501-11d3-BFDE-ADC2F2AAE920}"="Rage3DTweak"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{A695DDBF-EC30-43CE-8341-7080D657A9C9}"=""
    "{3EB756B8-1A16-489C-8939-8E4078BBADED}"=""
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{DC7E53E5-CED0-4839-8778-D9FC93579C3A}"=""
    "{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}"=""
    "{0B0AE582-3021-4000-9528-C6A2CB66D413}"=""

    **********************************************************************************

  4. #4
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    log cont.

    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\InprocServer32]
    @="C:\\WINDOWS\\system32\\RYSMXS.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\InprocServer32]
    @="C:\\WINDOWS\\system32\\nftlogon.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\InprocServer32]
    @="C:\\WINDOWS\\system32\\KLDLT1.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\InprocServer32]
    @="C:\\WINDOWS\\system32\\MJRECR40.DLL"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:


    59 items found: 59 files (48 H/S), 0 directories.
    Total of file sizes: 12,257,065 bytes 11.69 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    lat13.tmp Wed Feb 22 2006 8:45:08p A.... 0 0.00 K
    lat21.tmp Mon Feb 20 2006 5:57:58p A.... 0 0.00 K
    lat22.tmp Mon Feb 20 2006 5:59:00p A.... 0 0.00 K
    lat23.tmp Mon Feb 20 2006 6:00:02p A.... 0 0.00 K
    lat7.tmp Wed Feb 22 2006 7:11:36p A.... 0 0.00 K

    5 items found: 5 files, 0 directories.
    Total of file sizes: 0 bytes 0.00 K
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 1CA4-B152

    Directory of C:\WINDOWS\System32

    48 File(s) 11,277,923 bytes
    2 Dir(s) 14,736,781,312 bytes free

  5. #5
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    I did run the fix portion, as I did in fact have the error associated with #1 on l2mfix.exe. After running #2 (fix), I was instructed to remove "020 missing file" via HijackThis after reboot. I did do that as well.
    Thanks!!!

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    OK

    Post that option Two log and a fresh HijackThis log.

  7. #7
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    Here is the option 2 log (in two posts). Thanks once again for your prompt reply:

    L2mfix 032106
    Creating Account.
    The command completed successfully.

    Adding Administrative privleges.
    The command completed successfully.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINDOWS\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 420 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 508 'winlogon.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 364 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1156 'rundll32.exe'
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    1 file(s) copied.

    msg11?.dll
    0 file(s) copied.



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\lvpq0975e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}\InprocServer32]
    @="C:\\WINDOWS\\system32\\RYSMXS.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}\InprocServer32]
    @="C:\\WINDOWS\\system32\\nftlogon.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}\InprocServer32]
    @="C:\\WINDOWS\\system32\\KLDLT1.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}\InprocServer32]
    @="C:\\WINDOWS\\system32\\MJRECR40.DLL"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{A695DDBF-EC30-43CE-8341-7080D657A9C9}"=-
    "{3EB756B8-1A16-489C-8939-8E4078BBADED}"=-
    "{DC7E53E5-CED0-4839-8778-D9FC93579C3A}"=-
    "{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}"=-
    "{0B0AE582-3021-4000-9528-C6A2CB66D413}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{A695DDBF-EC30-43CE-8341-7080D657A9C9}]
    [-HKEY_CLASSES_ROOT\CLSID\{3EB756B8-1A16-489C-8939-8E4078BBADED}]
    [-HKEY_CLASSES_ROOT\CLSID\{DC7E53E5-CED0-4839-8778-D9FC93579C3A}]
    [-HKEY_CLASSES_ROOT\CLSID\{A847E43E-6E5C-4B5C-9FAC-39DF507BFB79}]
    [-HKEY_CLASSES_ROOT\CLSID\{0B0AE582-3021-4000-9528-C6A2CB66D413}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************

  8. #8
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    option 2 log cont.

    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:

  9. #9
    Junior Member
    Join Date
    Mar 2006
    Posts
    16

    Here is the hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:18:58 AM, on 4/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\hramebe.exe
    C:\WINDOWS\system32\hribycb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apple.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
    O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
    O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
    O16 - DPF: Java Mainframe Display (MFD) - https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
    O16 - DPF: PCGMC Client - https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.6.1.12) - https://www.ubspwmobile.com/md/jnavigator.cab
    O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) - https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
    O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.wm-mobile.ubs.com/md/pluswebagent.cab
    O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.8) - https://www.wm-mobile.ubs.com/md/cla...ava/shdown.cab
    O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) - https://www.wm-mobile.ubs.com/md/cla...nclassdown.cab
    O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
    O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) - https://www.ubspwmobile.com/md/plugi...obil/excel.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093137400467
    O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.9) - https://www.wm-mobile.ubs.com/md/cla...yncompdown.cab
    O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
    O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugi...l/precheck.cab
    O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.wm-mobile.ubs.com/md/webchart.cab
    O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) - https://www.wm-mobile.ubs.com/md/cla...jquotedown.cab
    O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) - https://www.wm-mobile.ubs.com/md/cla...ialogsdown.cab
    O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) - https://www.wm-mobile.ubs.com/md/cla...qagentdown.cab
    O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/class...mlsoftdown.cab
    O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) - https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
    O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.wm-mobile.ubs.com/md/pwagentclient.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    **********************************************************
    Thank you once again for your help...you guys are the best!!!

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Open a command prompt (Start, Run, type cmd, press Enter) and type
    sc stop hdiceai
    press Enter, then type
    sc delete hdiceai
    press Enter, then type exit and press Enter to close the command prompt.

    Start HijackThis and place a check next to these items if there.
    O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll
    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    ====================================
    Hit "Fix checked" and close HijackThis.
    Restart the PC.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Go here: http://www.virustotal.com/flash/index_en.html
    and submit these files:
    C:\WINDOWS\system32\hramebe.exe
    C:\WINDOWS\system32\hribycb.exe
    Post a fresh hijackthis log please, be sure to mention any current problems.
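
One way to review the fresh log requested above, as an added example that is not part of the thread or any poster's tooling: it parses a HijackThis log, reports which of the fixed items are back, whether the two files named for submission are still running, and what is new since the earlier log. The function names, the `placeholder` entries and the FRESH log are constructed for illustration.

```python
import re

# Items post #10 asked to remove and files it asked to submit, copied from the thread.
FIX_LIST = [
    r"O2 - BHO: SDWin32 Class - {28308351-8788-4C11-BE17-0D4E7A1977C9} - C:\WINDOWS\system32\sxful.dll",
    r"O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe",
    r"O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe",
    r"O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe",
    r"O23 - Service: hdiceai - Unknown owner - C:\WINDOWS\system32\hdiceai.exe",
]
WATCH_FILES = [r"C:\WINDOWS\system32\hramebe.exe", r"C:\WINDOWS\system32\hribycb.exe"]
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .+$")  # e.g. "O4 - ...", "R1 - ...", "O23 - ..."

def norm(s):
    """Lower-case and collapse whitespace; HijackThis paths vary in case."""
    return " ".join(s.split()).lower()

def parse_log(text):
    """Return (running process paths, section entries) from a HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.add(norm(line))
        elif in_procs and line:
            processes.add(norm(line))
    return processes, entries

def recheck(old_log, fresh_log):
    """Compare a fresh log with the earlier one and with the fix list."""
    (old_p, old_e), (new_p, new_e) = parse_log(old_log), parse_log(fresh_log)
    return {
        "entries_back": [e for e in FIX_LIST if norm(e) in new_e],
        "files_running": [f for f in WATCH_FILES if norm(f) in new_p],
        "new_entries": sorted(new_e - old_e),
        "new_processes": sorted(new_p - old_p),
    }

# Constructed sample logs: OLD is rebuilt from thread lines, FRESH is invented.
OLD = "Running processes:\n" + "\n".join(WATCH_FILES + FIX_LIST)
FRESH = r"""Running processes:
C:\WINDOWS\System32\hribycb.exe
C:\WINDOWS\system32\placeholder.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKLM\..\Run: [placeholder] C:\WINDOWS\system32\placeholder.exe
"""
if __name__ == "__main__":
    print(recheck(OLD, FRESH))
```

The `new_entries` and `new_processes` lists only show what changed between the two logs; they are candidates for review, not verdicts.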
