Spyware popups hijackthis log-topher21(RESOLVED)
-
Hi everyone, I am currently having a lot of trouble with spyware with popups that come all the time, especially when Internet Explorer isn't even running, but they come up through a website websearchtv.com somehow. I really would appreciate help from anyone who is willing. I've used all the spyware removal tactics I could, including McAfee AntiSpyware and VirusScan, Microsoft AntiSpyware, Ad-Aware SE, Spybot, and CCleaner, but each time something else comes up and never goes away. I even tried to use System Restore, but suddenly all the restore points were gone, deleted somehow. I currently have security set on lockdown so that I can keep the popups at bay. This HijackThis log is the last thing I could think of to possibly work, so please someone help me, I would appreciate this greatly!
Logfile of HijackThis v1.99.1
Scan saved at 10:12:09 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\mcafee\MCAFEE~2\MssSrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\progra~1\mcafee\MCAFEE~2\MssCli.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hijackkthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~2\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 86241593
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [fwiw] C:\Program Files\Common Files\fwiw\fwiwm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119932121275
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123552180578
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocache...up1.0.0.14.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\NDPRINT.DLL (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~2\MssSrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
-
Hi and welcome to DAL,
You have too many anti-virus programs; please pick your favorite one and uninstall the other.
Please download hoster from the link below.
http://www.funkytoad.com/download/hoster.zip
Open Hoster.exe.
Then click on "Restore Original Hosts"
Close program when complete.
Look in Add/Remove Programs and remove if present:
mysearch, mywebsearch or anything related to search
DelfinMedia
PromulGate
GO
Reboot if anything was removed
Make sure you can see hidden files/folders
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.
Run hijackthis and click scan button and put checks next to these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
These may be gone after the above tool is run:
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 86241593
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKCU\..\Run: [fwiw] C:\Program Files\Common Files\fwiw\fwiwm.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocach...tup1.0.0.14.cab
Again make sure all browser windows are closed and click FIX
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Hunt for and delete these if present:
0oqw0ct0.dll < file
C:\WINDOWS\system32\nfomon < folder
C:\Program Files\Common Files\fwiw < folder
Reboot into normal mode and post a new HijackThis log please, and tell me how your computer is behaving now.
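The checks Neal applied by eye to the log above, written out as an added example (my code, not HijackThis's and not the forum's): a small Python triage script that reads HijackThis lines and flags the entry types he told the poster to fix. The allow-list `ALLOWED_DPF_DOMAINS`, the function names and the rundll32 rule are my assumptions; the sample lines in `SAMPLE_LOG` are copied from the first log posted in this thread.

```python
"""Triage a HijackThis v1.99 log the way a forum helper does by hand.

Added example for this thread; not HijackThis code.  The rules are
heuristics, not a definition of "bad": each one mirrors an entry type the
helper told the poster to fix (O1 hosts redirects, dangling BHO/Winlogon/
button entries, rundll32 loading a bare DLL, O16 ActiveX downloads from an
unreviewed domain, blanked R0/R1 browser settings).
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: domains whose O16 ActiveX downloads need no manual review.
ALLOWED_DPF_DOMAINS = ("microsoft.com", "mcafee.com")

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 86241593
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocache...up1.0.0.14.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\NDPRINT.DLL (file missing)
"""

_HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\]\s+(.*)$")
_O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
_R_RE = re.compile(r"^R[01] - .*?,(?P<name>[^=]+) = ?(?P<value>.*)$")


def _finding(line, reason):
    # The section code (R0, O1, O4, ...) is always the first token of a line.
    return {"section": line.split(" ", 1)[0], "reason": reason, "line": line}


def triage(log_text):
    """Return one finding per HijackThis line that needs a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _HOSTS_RE.match(line)
        if m:  # O1: a hosts entry that sends a name anywhere but loopback
            ip, host = m.groups()
            try:
                local = ip_address(ip).is_loopback
            except ValueError:
                local = False
            if not local:
                findings.append(_finding(line, f"hosts file redirects {host} to {ip}"))
            continue

        if line.endswith("(file missing)") or line.endswith("(no file)"):
            # O2/O9/O20: the registry still references a component that is gone
            findings.append(_finding(line, "entry points at a file that no longer exists"))
            continue

        m = _O4_RE.match(line)
        if m:  # O4: autoruns; rundll32 given a bare DLL name deserves a look
            hive, _name, command = m.groups()
            parts = command.split()
            if parts and parts[0].lower() in ("rundll32.exe", "rundll32"):
                dll = parts[1].split(",")[0] if len(parts) > 1 else ""
                if "\\" not in dll:
                    findings.append(_finding(line, f"rundll32 in {hive} loads {dll!r} by bare name; review"))
            continue

        m = _O16_RE.match(line)
        if m:  # O16: downloaded ActiveX controls, checked against the allow-list
            host = urlparse(m.group(1)).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in ALLOWED_DPF_DOMAINS):
                findings.append(_finding(line, f"ActiveX download from unreviewed domain {host}"))
            continue

        m = _R_RE.match(line)
        if m:  # R0/R1: a browser setting cleared or pointed at about:blank
            value = m.group("value").strip()
            if value in ("", "about:blank"):
                findings.append(_finding(line, f"{m.group('name').strip()} is {value or 'empty'}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['line']}")
```

Run against the sample it reports nine lines: the two hosts redirects, the three dangling entries, the rundll32 autorun, the imgfarm ActiveX download and the two blanked R entries; the QuickTime autorun, the McAfee BHO and the Microsoft-hosted control pass. The rundll32 rule only says "review": legitimate vendors also register DLLs by bare name, which is why a person still looks at the line before it is fixed.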
-
[EDIT: Sorry - missed Neal's post]
Last edited by VopThis; 09-12-2005 at 10:54 PM.
-
Hi, thank you very much for helping me out. I don't know how you are able to do it, but I am very impressed. I very much appreciated your help, and it appears to have corrected the problem: the popups have stopped, the messages of connection attempts have stopped too, and it appears to be running faster. In addition to the two folders and file you told me to look for, I also found two additional ones, a nfomon.something in the prefetch folder and another fwiw folder in the windows folder, that I deleted as well. If I have any other problems concerning this, then I'll repost, but thank you so much. Here's the updated HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:03:17 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee\MCAFEE~2\MssSrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~2\MssCli.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackkthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~2\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119932121275
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123552180578
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\NDPRINT.DLL (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~2\MssSrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
-
I wouldn't go just yet if I were you; VOPTHIS pointed out a bad line in your HijackThis log that needs attention.
Post back please letting me know you are still here.
Last edited by Neal; 10-12-2005 at 10:34 PM.
-
Hmm, so there's another bad line? How do I fix this one? Do you use VOPTHIS to analyze the logs, I'd love to learn to do this on my own as well.
-
No, I don't use VOPTHIS to analyze logs; we work as a team here and on other computer help sites. I just missed it and he caught it.
Please download Webroot SpySweeper from here: SpySweeper
Click the Free Trial link under "SpySweeper" to download the program.
Install it.
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.
Then
You possibly have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
-
Oh okay, I thought VOPTHIS was a program, glad he caught it though, thanks, I'll try to apply the directions real soon, and repost a log,
-
Okay, I ran Spysweeper and here's the log for that:
********
1:34 PM: | Start of Session, Sunday, December 11, 2005 |
1:34 PM: Spy Sweeper started
1:34 PM: Sweep initiated using definitions version 582
1:34 PM: Starting Memory Sweep
1:38 PM: Memory Sweep Complete, Elapsed Time: 00:03:44
1:38 PM: Starting Registry Sweep
1:38 PM: Found Adware: azsearch toolbar
1:38 PM: HKCR\azentretien.loader\ (5 subtraces) (ID = 103886)
1:38 PM: HKLM\software\azentretienco\ (3 subtraces) (ID = 103905)
1:38 PM: HKLM\software\classes\azentretien.loader.1\ (3 subtraces) (ID = 103909)
1:38 PM: HKLM\software\classes\azentretien.loader\ (5 subtraces) (ID = 103910)
1:38 PM: Found Adware: screensavers
1:38 PM: HKLM\software\screensavers.com\ (ID = 140569)
1:38 PM: Found Adware: searchrelevancy
1:38 PM: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141290)
1:38 PM: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141293)
1:38 PM: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141295)
1:38 PM: HKLM\software\classes\updater.bho\ (5 subtraces) (ID = 141297)
1:38 PM: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141302)
1:38 PM: HKCR\updater.bho\ (5 subtraces) (ID = 141303)
1:38 PM: Found Adware: directrevenue-abetterinternet
1:38 PM: HKLM\software\sdf7sdfgs324\ (ID = 146129)
1:38 PM: Found Adware: icannnews
1:38 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\dynamic directory\ (6 subtraces) (ID = 359346)
1:38 PM: Found Adware: delfin
1:38 PM: HKLM\software\vidmon\ (1 subtraces) (ID = 890155)
1:38 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webdp\ (2 subtraces) (ID = 890173)
1:38 PM: Found Adware: command
1:38 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
1:38 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
1:38 PM: Found Adware: findthewebsiteyouneed hijacker
1:38 PM: HKU\S-1-5-21-2989038497-1796451027-3149009385-1008\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
1:38 PM: HKU\S-1-5-21-2989038497-1796451027-3149009385-1008\software\vidmon\ (1 subtraces) (ID = 890125)
1:38 PM: Found Adware: comet cursor
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || search page (ID = 125238)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || start page (ID = 125239)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
1:38 PM: HKU\WRSS_Profile_S-1-5-21-2989038497-1796451027-3149009385-1006\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
1:38 PM: Registry Sweep Complete, Elapsed Time:00:00:38
1:38 PM: Starting Cookie Sweep
1:38 PM: Found Spy Cookie: yieldmanager cookie
1:38 PM: amh@ad.yieldmanager[1].txt (ID = 3751)
1:38 PM: Found Spy Cookie: adknowledge cookie
1:38 PM: amh@adknowledge[1].txt (ID = 2072)
1:38 PM: Found Spy Cookie: specificclick.com cookie
1:38 PM: amh@adopt.specificclick[1].txt (ID = 3400)
1:38 PM: Found Spy Cookie: delfinproject cookie
1:38 PM: amh@delfinproject[1].txt (ID = 2509)
1:38 PM: Found Spy Cookie: exitexchange cookie
1:38 PM: amh@exitexchange[1].txt (ID = 2633)
1:38 PM: Found Spy Cookie: clickandtrack cookie
1:38 PM: amh@hits.clickandtrack[2].txt (ID = 2397)
1:38 PM: Found Spy Cookie: rn11 cookie
1:38 PM: amh@rn11[2].txt (ID = 3261)
1:38 PM: stc@ad.yieldmanager[2].txt (ID = 3751)
1:38 PM: Found Spy Cookie: atwola cookie
1:38 PM: stc@atwola[1].txt (ID = 2255)
1:38 PM: Found Spy Cookie: screensavers.com cookie
1:38 PM: stc@i.screensavers[1].txt (ID = 3298)
1:38 PM: Found Spy Cookie: mywebsearch cookie
1:38 PM: stc@mywebsearch[2].txt (ID = 3051)
1:38 PM: Found Spy Cookie: starware.com cookie
1:38 PM: stc@starware[2].txt (ID = 3441)
1:38 PM: stc@www.screensavers[1].txt (ID = 3298)
1:38 PM: Found Spy Cookie: websponsors cookie
1:38 PM: mph@a.websponsors[2].txt (ID = 3665)
1:38 PM: mph@ad.yieldmanager[1].txt (ID = 3751)
1:38 PM: Found Spy Cookie: adecn cookie
1:38 PM: mph@adecn[1].txt (ID = 2063)
1:38 PM: mph@adknowledge[1].txt (ID = 2072)
1:38 PM: Found Spy Cookie: hbmediapro cookie
1:38 PM: mph@adopt.hbmediapro[2].txt (ID = 2768)
1:38 PM: mph@adopt.specificclick[2].txt (ID = 3400)
1:38 PM: Found Spy Cookie: ask cookie
1:38 PM: mph@ask[1].txt (ID = 2245)
1:38 PM: mph@atwola[1].txt (ID = 2255)
1:38 PM: Found Spy Cookie: belnk cookie
1:38 PM: mph@belnk[1].txt (ID = 2292)
1:38 PM: mph@delfinproject[1].txt (ID = 2509)
1:38 PM: mph@dist.belnk[2].txt (ID = 2293)
1:38 PM: mph@exitexchange[1].txt (ID = 2633)
1:38 PM: mph@hits.clickandtrack[2].txt (ID = 2397)
1:38 PM: mph@i.screensavers[1].txt (ID = 3298)
1:38 PM: Found Spy Cookie: 2o7.net cookie
1:38 PM: mph@microsofteup.112.2o7[2].txt (ID = 1958)
1:38 PM: Found Spy Cookie: nextag cookie
1:38 PM: mph@nextag[1].txt (ID = 5014)
1:38 PM: mph@starware[2].txt (ID = 3441)
1:38 PM: Found Spy Cookie: reliablestats cookie
1:38 PM: mph@stats1.reliablestats[2].txt (ID = 3254)
1:38 PM: mph@www.screensavers[2].txt (ID = 3298)
1:38 PM: mph@yieldmanager[1].txt (ID = 3749)
1:38 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
1:38 PM: Starting File Sweep
1:39 PM: c:\program files\screensavers.com (2 subtraces) (ID = -2147480365)
1:39 PM: Found Adware: quicklink search toolbar
1:39 PM: c:\program files\quick links (1 subtraces) (ID = -2147478145)
1:39 PM: c:\program files\searchrelevant (ID = -2147480349)
1:39 PM: c:\windows\system32\nfomon (4 subtraces) (ID = -2147468684)
1:39 PM: c:\documents and settings\all users\application data\nfo (17 subtraces) (ID = -2147468687)
1:47 PM: nfo.ocx (ID = 194608)
1:47 PM: removewebdp.exe (ID = 166172)
1:53 PM: Found Adware: adtech
1:53 PM: adtech2006[1].exe (ID = 203582)
1:57 PM: Found Adware: targetsaver
1:57 PM: class-barrel (ID = 78229)
2:00 PM: swpstart.exe (ID = 74759)
2:07 PM: Found Adware: 180search assistant/zango
2:07 PM: salmau.dat (ID = 93788)
2:17 PM: Found Adware: personal money tree
2:17 PM: pmtinstaller.exe (ID = 141749)
2:18 PM: mon1920.dbd (ID = 57692)
2:19 PM: mon2007.dbd (ID = 57693)
2:19 PM: 538.dfn (ID = 133429)
2:19 PM: Found Adware: wfgtech
2:19 PM: inst_0004.exe (ID = 203674)
2:20 PM: nfomon.exe (ID = 194610)
2:20 PM: adtech2006.exe (ID = 203582)
2:21 PM: fwiwc.dll (ID = 195129)
2:21 PM: nfom.dll (ID = 194609)
2:26 PM: vocabulary (ID = 78283)
2:28 PM: mon0315.ddx (ID = 57686)
2:28 PM: mon0204.ddx (ID = 57686)
2:28 PM: mon0504.ddx (ID = 57686)
2:28 PM: mon0904.ddx (ID = 57684)
2:28 PM: mon0412.ddx (ID = 57686)
2:28 PM: mon0106.ddx (ID = 57679)
2:28 PM: mon1204.ddx (ID = 57686)
2:28 PM: mon1125.ddx (ID = 57685)
2:28 PM: mon1909.ddx (ID = 57684)
2:28 PM: Found Adware: cws-aboutblank
2:28 PM: blank.htm (ID = 54894)
2:28 PM: Found Adware: xupiter toolbar
2:28 PM: aparrel.url (ID = 90880)
2:28 PM: cards.url (ID = 90890)
2:28 PM: electronics.url (ID = 90904)
2:28 PM: flowers.url (ID = 90907)
2:28 PM: gifts.url (ID = 90912)
2:28 PM: jewelry.url (ID = 90918)
2:28 PM: retail products.url (ID = 90931)
2:28 PM: shoes.url (ID = 90936)
2:28 PM: shopping.url (ID = 90937)
2:28 PM: toys.url (ID = 90941)
2:28 PM: accessories.url (ID = 90879)
2:28 PM: computer games.url (ID = 90896)
2:28 PM: b2b.url (ID = 90884)
2:28 PM: cars.url (ID = 90892)
2:28 PM: entertainment.url (ID = 90905)
2:28 PM: mp3.url (ID = 90923)
2:28 PM: travel.url (ID = 90942)
2:28 PM: classifieds.url (ID = 90894)
2:28 PM: free email.url (ID = 90908)
2:28 PM: free homepage.url (ID = 90909)
2:28 PM: salm_gdf.dat (ID = 93789)
2:28 PM: free services.url (ID = 90910)
2:28 PM: homework.url (ID = 90916)
2:28 PM: school essays.url (ID = 90933)
2:28 PM: services.url (ID = 90935)
2:28 PM: auction.url (ID = 90883)
2:28 PM: computer stores.url (ID = 90897)
2:28 PM: dedicated server.url (ID = 90900)
2:28 PM: domain names.url (ID = 90901)
2:28 PM: hardware.url (ID = 90913)
2:28 PM: laptops.url (ID = 90920)
2:28 PM: software.url (ID = 90939)
2:28 PM: web design.url (ID = 90943)
2:28 PM: web hosting.url (ID = 90944)
2:28 PM: banking.url (ID = 90885)
2:28 PM: blackjack.url (ID = 90886)
2:28 PM: business.url (ID = 90889)
2:28 PM: careers.url (ID = 90891)
2:28 PM: credit cards.url (ID = 90899)
2:28 PM: finance.url (ID = 90906)
2:28 PM: insurance.url (ID = 90917)
2:28 PM: office.url (ID = 90925)
2:28 PM: printing.url (ID = 90930)
2:28 PM: sinstaller.inf (ID = 74756)
2:29 PM: File Sweep Complete, Elapsed Time: 00:50:30
2:29 PM: Full Sweep has completed. Elapsed time 00:55:04
2:29 PM: Traces Found: 243
2:37 PM: Removal process initiated
2:37 PM: Quarantining All Traces: 180search assistant/zango
2:37 PM: Quarantining All Traces: cws-aboutblank
2:37 PM: Quarantining All Traces: directrevenue-abetterinternet
2:37 PM: Quarantining All Traces: icannnews
2:37 PM: Quarantining All Traces: azsearch toolbar
2:37 PM: Quarantining All Traces: comet cursor
2:37 PM: Quarantining All Traces: delfin
2:38 PM: Quarantining All Traces: xupiter toolbar
2:38 PM: Quarantining All Traces: adtech
2:38 PM: Quarantining All Traces: command
2:38 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
2:38 PM: Quarantining All Traces: personal money tree
2:38 PM: Quarantining All Traces: quicklink search toolbar
2:38 PM: Quarantining All Traces: screensavers
2:38 PM: Quarantining All Traces: searchrelevancy
2:38 PM: Quarantining All Traces: targetsaver
2:38 PM: Quarantining All Traces: wfgtech
2:38 PM: Quarantining All Traces: 2o7.net cookie
2:38 PM: Quarantining All Traces: adecn cookie
2:38 PM: Quarantining All Traces: adknowledge cookie
2:38 PM: Quarantining All Traces: ask cookie
2:38 PM: Quarantining All Traces: atwola cookie
2:38 PM: Quarantining All Traces: belnk cookie
2:38 PM: Quarantining All Traces: clickandtrack cookie
2:38 PM: Quarantining All Traces: delfinproject cookie
2:38 PM: Quarantining All Traces: exitexchange cookie
2:38 PM: Quarantining All Traces: hbmediapro cookie
2:38 PM: Quarantining All Traces: mywebsearch cookie
2:38 PM: Quarantining All Traces: nextag cookie
2:38 PM: Quarantining All Traces: reliablestats cookie
2:38 PM: Quarantining All Traces: rn11 cookie
2:38 PM: Quarantining All Traces: screensavers.com cookie
2:38 PM: Quarantining All Traces: specificclick.com cookie
2:38 PM: Quarantining All Traces: starware.com cookie
2:38 PM: Quarantining All Traces: websponsors cookie
2:38 PM: Quarantining All Traces: yieldmanager cookie
2:38 PM: Removal process completed. Elapsed time 00:00:54
********
1:28 PM: | Start of Session, Sunday, December 11, 2005 |
1:28 PM: Spy Sweeper started
1:29 PM: Your spyware definitions have been updated.
1:34 PM: | End of Session, Sunday, December 11, 2005 |
I deleted the files from the quarantine area afterwards.
-

And here's the log from l2mfix:
L2MFIX find log 120905
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"="McAfee AntiSpyware Shell Extension"
"{C141B52E-7FAC-49D6-A3D2-C7AFBBD7357E}"="SimpleShlExt extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
0oqwf4l0.dll Sat Dec 10 2005 12:15:04a A.... 39,936 39.00 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
mcinsctl.dll Tue Oct 18 2005 11:08:04a A.... 349,760 341.56 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
wrlogo~1.dll Mon Oct 24 2005 12:20:36p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:20:32p A.... 17,920 17.50 K
8 items found: 8 files, 0 directories.
Total of file sizes: 12,748,864 bytes 12.16 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 30F8-037F
Directory of C:\WINDOWS\System32
12/11/2005 02:45 PM <DIR> DLLCACHE
10/09/2004 12:43 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 16,553,357,312 bytes free