Recently had a bad virus. I managed to get most of it off, but there are still remnants of CoolWebSearch that won't go away. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:24:06 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\WINDOWS\system32\vmnat.exe
F:\WINDOWS\system32\vmnetdhcp.exe
F:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
F:\Program Files\Saitek\Software\Profiler.exe
F:\Program Files\Saitek\Software\SaiSmart.exe
F:\Program Files\ATI Multimedia\main\ATISched.EXE
F:\Program Files\Windows Defender\MsMpEng.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\WISPTIS.EXE
D:\Program Files\Winamp\winamp.exe
F:\Program Files\WinBar\WinBar.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\CE\nmSvc.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Old%20Documents/Documents%20and%20Settings/LukeJ/Desktop/homepage.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = 192.168.1.135
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NMSVC] F:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] F:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] F:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ATI Scheduler] F:\Program Files\ATI Multimedia\main\ATISched.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://www.wadsworth.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6160A3F4-A261-4651-A43A-B147785A5A6D}: NameServer = 65.24.7.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - f:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: H323TSP - F:\WINDOWS\system32\jtpu0779e.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - F:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - F:\WINDOWS\system32\vmnat.exe

This is my first time posting a Hijack This log, so tell me if I need more.

Luke

Do you know specifically that you have CWS remnants? What specific signs are you getting for this? Have you previously run CWShredder?



This line points to a Covenant Eyes (parental surveillance program) keylogger:

O10 - Broken Internet access because of LSP provider 'cespy.dll' missing

Did you knowingly set that up; do you know anything about it ?

O20 - Winlogon Notify: H323TSP - F:\WINDOWS\system32\jtpu0779e.dll

Please download the latest version of Look2Me-Remover.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the Internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/im...WINSCK.OCX

I downloaded the Look2Me-Destroyer to my desktop, closed all windows, ran the program and clicked the run as task box, and it shuts down and never comes back up. I didn't get a 339 runtime error, but I tried to download the MSWINSCK.OCX from that site anyway to see if it would work but the link is broken.

The computer this is on is a family computer, so we use Covenant Eyes to protect from adult sites. It probably wasn't logged at the time of running the Hijack This scan. I don't believe it is any kind of a keylogger.

I thought I had the CoolWebSearch because Ad-Aware found it.

Thanks for the quick reply. This has gotten to be a bit of an annoyance... it attempts to change the homepage, but I block it... I think a new Windows tool allows that. It also tries to pop up various web pages. Such as www.winantiviruspro.com. Thanks again for any assistance.

Luke


EDIT... Here is the real link to the MSWINSCK.OCX file...
http://www.ascentive.com/support/new...b/MSWINSCK.OCX

I made a backup of the old one and put the new one in the system32 folder, and Look2Me-Destroyer still doesn't work.

EDIT... why does the forum shorten the web link?

MSWINSCK.OCX file download works for me. A shortened link is very common across all forums - must an IE thing.


Please print out or save to a file on your desktop for future reference.



Click on the link below to get lsp-fix.
Run that to fix your internet connection.

http://www.cexx.org/lspfix.htm

Run the program. Check the box that says "I know what I'm doing".
Remove cespy.dll only that one!


REBOOT.



Download the latest version of CWSHredder to your desktop from here:
http://cwshredder.net/bin/CWShredder.exe

Run this application, initially, ONLY to search for UPDATES.
You may have to do this on another PC - it simply downloads the latest EXE and overwrites the current one (512K).


Download Clean.bat to your desktop: for later use .
http://www.thatcomputerguy.us/downloads/clean.bat



DISCONNECT FROM THE INTERNET
During the fix do NOT connect to the Internet (turn your modem off or disconnect your internet connection wire).
Unless you can memorize these instructions, it would be a good idea to print them out or save these instructions to a file on your desktop (NOTEPAD).



SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).


Run Clean.bat


Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter

*** Re-run CLEANMGR.EXE once you have regained the full functional use of your PC.



Navigate to or locate the following Files and Folders:
- using Windows Explorer: right click on ‘My Computer’>Explore) or using Start (button)>Search …


Delete these Files (if found):
None specified.


Delete these Folders (if found) - preferably using Add/Remove Programs where possible:
None specified.



Next, run CWShredder
-Click on the: ‘Fix’ button
-Follow the prompts, and press OK



POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.



Try re-running Look2Me-Remover.exe.

If still no joy, try first disabling 'windows defender BETA' temporarily:

http://www.microsoft.com/athome/secu...t/faq.mspx#ECF

To configure the Real-Time Protection system, on the Tools menu, click General Settings. Scroll down to Real-Time Protection options section to view options to activate or deactivate the Real-Time Protection system.

Or,
Go to Start > All Programs > Windows Defender.

This will open up the WD window... in the toolbar across the top there is a little down pointing arrow next to the question mark icon, if the user clicks on that they will get a drop down list and one of the options is to exit Windows Defender. Click on that and they will get a pop up asking if they are sure they want to exit.

To start it up again then all they need to do is go to Start > All Programs > Windows Defender and it will start running again.

Did all the steps you said, and Look2Me-Destroyer still wouldn't work. The CWShredder didn't find anything, but Ad-Aware still finds the CoolWebSearch.

Logfile of HijackThis v1.99.1
Scan saved at 1:06:11 AM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\vmnat.exe
F:\WINDOWS\system32\vmnetdhcp.exe
F:\Program Files\CE\nmSvc.exe
F:\Program Files\ATI Multimedia\main\ATISched.EXE
F:\WINDOWS\system32\rundll32.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Old%20Documents/Documents%20and%20Settings/LukeJ/Desktop/homepage.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = 192.168.1.135
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NMSVC] F:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ATI Scheduler] F:\Program Files\ATI Multimedia\main\ATISched.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - c:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - c:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://www.wadsworth.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141247056234
O17 - HKLM\System\CCS\Services\Tcpip\..\{6160A3F4-A261-4651-A43A-B147785A5A6D}: NameServer = 65.24.7.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - f:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\system32\fpjq0315e.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - F:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - F:\WINDOWS\system32\vmnat.exe

I still every so often get a message:

Security Warning
The current Web page is trying to open a site on the Internet. Do you want to allow this?
Current site: www.ad-w-a-r-e.com
Internet site: www.buyer-shabit.com (this site varies)
________ ________
| Yes | | No |
------------ ------------

Please advise what to do next.

Here is also the log from the Ad-Aware scan that identifies CWS.


Ad-Aware SE Build 1.05
Logfile Created on:Friday, March 03, 2006 12:52:32 AM
Using definitions file:SE1R94 28.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):3 total references
MRU List(TAC index:0):55 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


3-3-2006 12:52:32 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 184
ThreadCreationTime : 3-3-2006 5:41:32 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\F:\WINDOWS\system32\
ProcessID : 256
ThreadCreationTime : 3-3-2006 5:41:41 AM
BasePriority : High


CoolWebSearch Object Recognized!
Type : Process
Data : aza6033se.dll
Category : Malware
Comment : (CSI MATCH)
Object : F:\WINDOWS\system32\


Warning! CoolWebSearch Object found in memory(F:\WINDOWS\system32\aza6033se.dll)


#:3 [services.exe]
FilePath : F:\WINDOWS\system32\
ProcessID : 300
ThreadCreationTime : 3-3-2006 5:41:45 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : F:\WINDOWS\system32\
ProcessID : 312
ThreadCreationTime : 3-3-2006 5:41:45 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : F:\WINDOWS\system32\
ProcessID : 468
ThreadCreationTime : 3-3-2006 5:41:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [msmpeng.exe]
FilePath : F:\Program Files\Windows Defender\
ProcessID : 580
ThreadCreationTime : 3-3-2006 5:41:51 AM
BasePriority : Normal
FileVersion : 1.1.1051.0
ProductVersion : 1.1.1051.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:7 [svchost.exe]
FilePath : F:\WINDOWS\system32\
ProcessID : 628
ThreadCreationTime : 3-3-2006 5:41:52 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [rundll32.exe]
FilePath : F:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 3-3-2006 5:42:03 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

CoolWebSearch Object Recognized!
Type : Process
Data : kldlk41j.dll
Category : Malware
Comment : (CSI MATCH)
Object : F:\WINDOWS\system32\


Warning! CoolWebSearch Object found in memory(F:\WINDOWS\system32\kldlk41j.dll)


#:9 [explorer.exe]
FilePath : F:\WINDOWS\
ProcessID : 872
ThreadCreationTime : 3-3-2006 5:42:06 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : F:\Program Files\Lavasoft\Ad-Aware SE Plus\
ProcessID : 1256
ThreadCreationTime : 3-3-2006 5:52:25 AM
BasePriority : Normal
FileVersion : 6.2.0.207
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Disk Scan Result for F:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Disk Scan Result for F:\DOCUME~1\LUKENE~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Scanning Hosts file......
Hosts file location:"F:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
6 entries scanned.
New critical objects:0
Objects found so far: 2



MRU List Object Recognized!
Location: : F:\Documents and Settings\Luke Nelson\Application Data\microsoft\office\recent
Description :


MRU List Object Recognized!
Location: : F:\Documents and Settings\Luke Nelson\recent
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\kazaa\search
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\direct3d\mostrecentapplica tion
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\direct3d\mostrecentapplica tion
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplicatio n
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecent application
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\directinput\mostrecentapplic ation
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\directinput\mostrecentappl ication
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecent application
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\directinput\mostrecentapplic ation
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\directinput\mostrecentappl ication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\internet explorer
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\internet explorer\main
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\internet explorer\typedurls
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\mediaplayer\medialibraryui
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\mediaplayer\player\setting s
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preference s
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\microsoft management console\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\clip organizer\search\last query
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\common\search\ last query
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\excel\recent files
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\powerpoint\rec ent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\powerpoint\rec ent typeface list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\powerpoint\rec entfolderlist
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\office\10.0\word\recent templates
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\search assistant\acmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\app lets\paint\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\app lets\regedit
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\app lets\wordpad\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\exp lorer\comdlg32\lastvisitedmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\exp lorer\comdlg32\opensavemru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\exp lorer\recentdocs
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows\currentversion\exp lorer\runmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\nvidia corporation\global\nview\windowmanagement
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\realnetworks\realplayer\6.0\preferen ces
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\realnetworks\realplayer\6.0\preferen ces
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\realnetworks\realplayer\6.0\preferen ces
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-813497703-725345543-1003\software\winrar\dialogedithistory\extrpath
Description :



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : wbemess.log
Category : Malware
Comment :
Object : F:\WINDOWS\system32\wbem\logs\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 58

12:54:24 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:52.375
Objects scanned:83646
Objects identified:1
Objects ignored:0
New critical objects:1

When Ad-Aware find these CWS files, does it remove them only to have the same or slightly different items return:

F:\WINDOWS\system32\aza6033se.dll
F:\WINDOWS\system32\kldlk41j.dll
F:\WINDOWS\system32\wbem\logs\wbemess.log




Download deldomains:
http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset:
Examples: (if these are being used),

• Spybot's "Immunize" feature is affected, you will need to re-immunize
• SpywareBlaster's "Enable all protection" feature will have to be re-enabled
• IE-SPYADS will have to be reinstalled

Get hoster here:
http://www.funkytoad.com/download/hoster.zip

Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

Security Warning
The current Web page is trying to open a site on the Internet. Do you want to allow this?
Current site: www.ad-w-a-r-e.com
Internet site: www.buyer-shabit.com (this site varies)# [Look2Me related]

Such sites, above, are easily blocked by use of a HOSTS file described below (see specific item #7):






To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
   http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
   http://www.microsoft.com/windows/ie/default.asp
   
   • http://www.securityfocus.com/news/11273
     If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
   
   
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
   AVG: http://free.grisoft.com/doc/1
   Avast: http://www.avast.com/eng/avast_4_home.html
   
   
3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
   Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
   Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
   MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx
   
   
4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
   Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
   *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
   Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za
   
   It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
   
   
5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
   Mozilla Firefox: http://www.mozilla.org/products/firefox/
   
   
6. Consider increasing your browser security by using these programs:
   SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
   SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
   • If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
     
   • IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
     http://www.spywarewarrior.com/uiuc/resource.htm
   
   
7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
   • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
   • Next select ‘Open host file manager’ button.
   • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
   • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
     
     EXCERPT:
     #start of lines added by WinHelp2002
     # [Misc A - Z]
     127.0.0.1 phpadsnew.abac.com
     127.0.0.1 a.abnad.net
     127.0.0.1 e.abnad.net
     127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
     .
     .
     .
     #end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:

• Keep all of these programs up-to-date, and
• Use them on a regular basis.

Try re-running Ad-Aware or manual removal for any CWS items found. Look2Me-Destroyer might now be permittted to work.

Ad-Aware does try to remove them, and it says it can't to it then and will remove it on restart, but it never does. Yes the file name does change. This time it is...

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : F:\WINDOWS\system32\e8jmli1118.dll
obj[1]=Process : F:\WINDOWS\system32\guard.tmp
obj[2]=File : F:\WINDOWS\system32\wbem\logs\wbemess.log

Look2Me-Destroyer still doesn't work.

Here's my new Hijack This log. Not sure if it is any different.

Logfile of HijackThis v1.99.1
Scan saved at 11:59:35 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\WINDOWS\system32\vmnat.exe
F:\WINDOWS\system32\vmnetdhcp.exe
F:\Program Files\CE\nmSvc.exe
F:\WINDOWS\system32\rundll32.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Old%20Documents/Documents%20and%20Settings/LukeJ/Desktop/homepage.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = 192.168.1.135
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NMSVC] F:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "F:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ATI Scheduler] F:\Program Files\ATI Multimedia\main\ATISched.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - c:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - c:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141247056234
O17 - HKLM\System\CCS\Services\Tcpip\..\{6160A3F4-A261-4651-A43A-B147785A5A6D}: NameServer = 65.24.7.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - f:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: Telephony - F:\WINDOWS\system32\fplo0333e.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - F:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - F:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - F:\WINDOWS\system32\vmnat.exe

Please ensure that you have disabled the following running processes as they may be interfering with the fix attempts. You can re-enable such tools after your computer is clean.


Disable Windows Defender

http://www.microsoft.com/athome/secu...t/faq.mspx#ECF

To configure the Real-Time Protection system, on the Tools menu, click General Settings. Scroll down to Real-Time Protection options section to view options to activate or deactivate the Real-Time Protection system.

Or,
Go to Start > All Programs > Windows Defender.

This will open up the WD window... in the toolbar across the top there is a little down pointing arrow next to the question mark icon, if the user clicks on that they will get a drop down list and one of the options is to exit Windows Defender. Click on that and they will get a pop up asking if they are sure they want to exit.

To start it up again then all they need to do is go to Start > All Programs > Windows Defender and it will start running again.


Ad_Watch




WE are definitely still dealing with L2ME. Lets try an alternate fix procedure:


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe



Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, NOTEPAD will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and Microsoft windows applications. Choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

Ok here's the log. I have to do it in 2 different ones because it is too big. I disabled Windows Defender and Ad Watch.

L2MFIX find log 010406
These are the registry keys present
************************************************** ********************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="F:\\WINDOWS\\system32\\gpnql3551.dl l"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

************************************************** ********************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
"{1742275C-EE92-016F-9E4C-A7A5DFE113FD}"=""

************************************************** ********************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b3 (beta test) Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b3 (beta test) DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b3 (beta test) Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b3 (beta test) Property Sheet Shell Extension"
"{692E33B0-AF9D-11D0-B976-00A0C9190447}"="Remote Storage Properties"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{D2790A37-0F57-4D8E-812E-F96FF8C6B0AF}"=""
"{FB85B31E-6329-4300-B2BF-DF9513CFE825}"=""
"{2432CED9-5790-43B3-8A5F-38A7124DC0F7}"=""
"{52530BBC-D1D1-49DF-9695-10D256B414D2}"=""
"{28FAB743-D35E-4099-BF3C-E3B93F85A3AA}"=""
"{2F25CF20-C569-11D1-B94C-00608CB45480}"="TextPad"
"{84490D97-BDAB-4F80-9DB5-405BFC6ED52E}"=""
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{38B21DEC-93C0-4759-B2D7-B080E0F839C9}"=""
"{8A3CC7EB-0049-48D1-8EC4-C45488DC7BEB}"=""
"{C1489CFD-571F-47EE-B11E-5AA1B4F33EB9}"=""
"{4E4F8172-B480-4F89-AC6B-634C8949D89B}"=""

************************************************** ********************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D2790A37-0F57-4D8E-812E-F96FF8C6B0AF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2790A37-0F57-4D8E-812E-F96FF8C6B0AF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2790A37-0F57-4D8E-812E-F96FF8C6B0AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D2790A37-0F57-4D8E-812E-F96FF8C6B0AF}\InprocServer32]
@="F:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52530BBC-D1D1-49DF-9695-10D256B414D2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52530BBC-D1D1-49DF-9695-10D256B414D2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52530BBC-D1D1-49DF-9695-10D256B414D2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52530BBC-D1D1-49DF-9695-10D256B414D2}\InprocServer32]
@="F:\\WINDOWS\\system32\\gxjql3151.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{28FAB743-D35E-4099-BF3C-E3B93F85A3AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28FAB743-D35E-4099-BF3C-E3B93F85A3AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28FAB743-D35E-4099-BF3C-E3B93F85A3AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28FAB743-D35E-4099-BF3C-E3B93F85A3AA}\InprocServer32]
@="F:\\WINDOWS\\system32\\flsrch.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{84490D97-BDAB-4F80-9DB5-405BFC6ED52E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84490D97-BDAB-4F80-9DB5-405BFC6ED52E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84490D97-BDAB-4F80-9DB5-405BFC6ED52E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84490D97-BDAB-4F80-9DB5-405BFC6ED52E}\InprocServer32]
@="F:\\WINDOWS\\system32\\dnrectpt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{38B21DEC-93C0-4759-B2D7-B080E0F839C9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38B21DEC-93C0-4759-B2D7-B080E0F839C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38B21DEC-93C0-4759-B2D7-B080E0F839C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38B21DEC-93C0-4759-B2D7-B080E0F839C9}\InprocServer32]
@="F:\\WINDOWS\\system32\\wniprop.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A3CC7EB-0049-48D1-8EC4-C45488DC7BEB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A3CC7EB-0049-48D1-8EC4-C45488DC7BEB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A3CC7EB-0049-48D1-8EC4-C45488DC7BEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A3CC7EB-0049-48D1-8EC4-C45488DC7BEB}\InprocServer32]
@="F:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C1489CFD-571F-47EE-B11E-5AA1B4F33EB9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1489CFD-571F-47EE-B11E-5AA1B4F33EB9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1489CFD-571F-47EE-B11E-5AA1B4F33EB9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1489CFD-571F-47EE-B11E-5AA1B4F33EB9}\InprocServer32]
@="F:\\WINDOWS\\system32\\mpl_qic.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4E4F8172-B480-4F89-AC6B-634C8949D89B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E4F8172-B480-4F89-AC6B-634C8949D89B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E4F8172-B480-4F89-AC6B-634C8949D89B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E4F8172-B480-4F89-AC6B-634C8949D89B}\InprocServer32]
@="F:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"