Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Please Help Me!
shadow0727
Junior Member
Joined: 03 Apr 2005
Posts: 40

PostPosted: Sun Apr 03, 2005 4:45 pm    Post subject: Please Help Me!

Hi, I am having the hardest time getting rid of these Ceres pop-ups. I also have a weird desktop search bar at the bottom right of my screen. My McAfee keeps popping up every second asking me to allow certain cookies. I am so frustrated. Here is my log. Thank you so much in advance.

Logfile of HijackThis v1.99.1
Scan saved at 8:36:32 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\innrmm.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jps\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\innrmm.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {2D7E3638-8482-4FF1-8F21-B361F27A5E05} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {37047679-3856-4E61-BF09-9E62036A9D58} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {AEB3DAF3-A623-45CB-9821-2623BE14FF1F} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\m4nq0e55eh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
TeMerc
Warrior Obsessed
Joined: 12 Feb 2004
Posts: 4953
Location: Phx. AZ.

PostPosted: Sun Apr 03, 2005 5:10 pm

Hello and welcome to Spyware Warrior forums.

The infection you have is called the Bube (Beavis) Trojan. It is very difficult to remove, and currently there is only one app available which completely removes it. Kaspersky Antivirus is linked, and there is a tutorial for it also. Be warned, you must follow the instructions implicitly, or the removal will not work.

http://www.spywarewarrior.com/viewtopic.php?t=10697

Once you have installed, updated and run the scan with KAV, and have rebooted, then please DL the Microsoft Antispy for final clean up. The experts who have worked on many of these variants (6 variants currently) have concluded this is the only anti-spy app that also deals with the remnants of this infection.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

After you have finished all the work with KAV and MS\AS, post a new log and we will see what is left.

Good luck.
shadow0727
Junior Member
Joined: 03 Apr 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 7:28 am

Thank you so much for your reply. I have tried all that you suggested. My KAV scan came up clean, with no viruses, or anything detected. I am still having the same problems. Here is my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:31 AM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jps\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\innrmm.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
shadow0727
Junior Member
Joined: 03 Apr 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 7:30 am

Also, I have to do everything in safe mode, as my computer freezes up when I try to do anything in reg mode.

TIA
TeMerc
Warrior Obsessed
Joined: 12 Feb 2004
Posts: 4953
Location: Phx. AZ.

PostPosted: Mon Apr 04, 2005 8:57 am

OK, I need to check with one of the experts who made that fix with KAV and has been instrumental in getting it figured out.

The fact that KAV found nothing at all is not good.

Can you please, while I do that, go back to those instructions and post the log that KAV created.

Thanks.
CalamityJane
Site Admin
Joined: 05 Feb 2004
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 9:19 am

Hi shadow0727,

I suspect you did not get the KAV updates? There are two listed in the directions for updating. You need both the standard update and the extended database update.

KAV would most certainly find some of the nasties that are showing in your log (the isrvs folder for sure).

Posting a copy of the KAV scan log as TeMerc has requested would help as well.

Don't run HijackThis straight out of the zip folder. Follow these instructions:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

You also have a Look2me infection. I'm not certain how well KAV cleans that one. It may, but we can run this free tool just in case it does not.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer, and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member
Joined: 03 Apr 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 10:08 am
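The helpers above are triaging the HijackThis log by eye: the isrvs folder entries, the random-named DLL registered as a Winlogon Notify handler, autostarts launched from a user profile. As an added illustration (example code written for this page, not a tool from the thread, from HijackThis or from Spyware Warrior), here is a small Python parser for HijackThis O-entries that applies those same checks. The sample lines are constructed from the entries posted in this thread; the "random-looking DLL name" heuristic for O20 entries and the profile/Temp rule are my own assumptions, not HijackThis or forum rules, and a flag is a prompt to ask about the entry, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99 log format, modelled on the
# entries discussed in this thread (not a copy of the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\m4nq0e55eh.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (my assumption, not a HijackThis rule): an 8+ character DLL
# name mixing letters and digits in a Winlogon Notify entry is worth a look.
RANDOM_DLL_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.dll$")


@dataclass
class Entry:
    kind: str   # O2, O4, O18, O20, ...
    body: str   # everything after "Oxx - "
    path: str   # file path the entry points at ("" if none found)


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line into (kind, body, path); None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        o4 = O4_RE.match(body)
        cmd = o4.group("cmd") if o4 else ""
        if cmd.startswith('"'):
            # Quoted image path, possibly followed by arguments.
            end = cmd.find('"', 1)
            path = cmd[1:end] if end > 0 else cmd[1:]
        else:
            # Unquoted path: cut at the first " /" or " -" switch.
            path = re.split(r" [/-]", cmd, maxsplit=1)[0]
    else:
        # For O2/O3/O18/O20/O23 the path is the last " - " separated field.
        path = body.rsplit(" - ", 1)[-1] if " - " in body else ""
    return Entry(kind, body, path)


def triage(log_text: str) -> List[Finding]:
    """Flag the entries a helper would ask about first; nothing here is a verdict."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        low = entry.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "\\isrvs\\" in low:
            findings.append(Finding(entry, "isrvs folder (called out in this thread)"))
        elif entry.kind == "O20" and RANDOM_DLL_RE.match(base):
            findings.append(Finding(entry, "Winlogon Notify DLL with random-looking name"))
        elif entry.kind == "O4" and ("\\documents and settings\\" in low or "\\temp\\" in low):
            findings.append(Finding(entry, "autostart from a user profile or Temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind:4} {f.entry.path}  <- {f.reason}")
```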

That's the thing, it will not allow me to update KAV; it keeps saying the file is corrupted. Here is my most recent KAV log:

Statistics:
Task start time: 4/4/2005 10:19:11 AM
Task completion time: 4/4/2005 10:59:28 AM
Objects scanned: 145276
Viruses detected: 0
Viruses disinfected: 0
Objects deleted: 0
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab1.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab2.bmp;password protected, has not been processed;4/4/2005 10:36:47 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agent_lang_helper.vbs;password protected, has not been processed;4/4/2005 10:37:05 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agentins.ini;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agntcons.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agntinst.htm;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agntinst.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\agntlang.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\default.htm;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\header.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\HtmlUtil.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/bg_left_1x314.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/icon_info_16x16.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/icon_mcafee_61x61.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/icon_progress_checked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/icon_progress_hot_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\images/icon_progress_unchecked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\InstUtil.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\instwiz.css;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\instxp.css;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\lang_agnt.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\mcccom.lpk;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\setcss.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\SubInfoData.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0006.BIN\vssver.scc;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\appcons.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\appinst.htm;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\appinst.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\applang.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\default.htm;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\header.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/bg_left_1x314.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/icon_info_16x16.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/icon_mcafee_61x61.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/icon_progress_checked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/icon_progress_hot_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\images/icon_progress_unchecked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\instwiz.css;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\instxp.css;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\mcccom.lpk;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\mpfins.ini;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0015.BIN\setcss.vbs;password protected, has not been processed;4/4/2005 10:37:06 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\agntcons.vbs;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\agntlang.vbs;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\config.ini;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\UnInsStr.vbs;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\uninst.vbs;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpfpinst.exe/WISE0021.BIN\screm.ui\vssver.scc;password protected, has not been processed;4/4/2005 10:37:11 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\appcons.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\appinst.htm;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\appinst.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\applang.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\default.htm;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\header.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/bg_left_1x314.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/icon_info_16x16.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/icon_mcafee_61x61.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/icon_progress_checked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/icon_progress_hot_13x13.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\images/icon_progress_unchecked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\instwiz.css;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\instxp.css;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\mcccom.lpk;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\mpsins.ini;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0015.BIN\setcss.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0018.BIN\mpsrem.ui\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0018.BIN\mpsrem.ui\config.ini;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0018.BIN\mpsrem.ui\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0018.BIN\mpsrem.ui\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:14 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0019.BIN\RemoveMPS.exe/WISE0005.BIN\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:17 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0019.BIN\RemoveMPS.exe/WISE0005.BIN\config.ini;password protected, has not been processed;4/4/2005 10:37:17 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0019.BIN\RemoveMPS.exe/WISE0005.BIN\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:17 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/bg_left_1x314.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/icon_info_16x16.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/icon_mcafee_61x61.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/icon_progress_checked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/icon_progress_hot_13x13.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/icon_progress_unchecked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\images/vssver.scc;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\agentins.ini;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\agntcons.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\agntinst.htm;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\agntinst.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\agntlang.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\default.htm;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\header.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\HtmlUtil.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\InstUtil.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\instwiz.css;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\instxp.css;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\mcccom.lpk;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\setcss.vbs;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\mpsinst.exe/WISE0024.BIN\agentins.ui\vssver.scc;password protected, has not been processed;4/4/2005 10:37:19 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\countries.js;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\default.htm;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\header.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\HtmlUtil.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/bg_left_1x314.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/icon_info_16x16.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/icon_mcafee_61x61.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/icon_progress_checked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/icon_progress_hot_13x13.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\images/icon_progress_unchecked_13x13.gif;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\install.htm;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\instwiz.css;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\instxp.css;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\lang_countries.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\lang_vso.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\mcccom.lpk;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\setcss.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\VsoConst.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\vsoins.ini;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\vsoinst.exe/WISE0020.BIN\VSOPropConst.vbs;password protected, has not been processed;4/4/2005 10:37:22 AM
C:\Program Files\McAfee.com\Agent\Uninst\mpsrem.ui\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\mpsrem.ui\config.ini;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\mpsrem.ui\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\mpsrem.ui\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\agntcons.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\agntlang.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\config.ini;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\pbar.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\UnInsStr.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\uninst.vbs;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:33 AM
C:\Program Files\McAfee.com\MPS\RemoveMPS.exe/WISE0005.BIN\comctl.lpk;password protected, has not been processed;4/4/2005 10:37:37 AM
C:\Program Files\McAfee.com\MPS\RemoveMPS.exe/WISE0005.BIN\config.ini;password protected, has not been processed;4/4/2005 10:37:37 AM
C:\Program Files\McAfee.com\MPS\RemoveMPS.exe/WISE0005.BIN\uninstall.htm;password protected, has not been processed;4/4/2005 10:37:37 AM
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 10:29 am    Post subject:

shadow0727 wrote:
That's the thing, it will not allow me to update KAV...keeps saying file is corrupted.


Ok, thanks. That is the problem then, with no updates it won't help. Sometimes the download is corrupted - and rather than try to figure out how to fix that, please just go ahead and uninstall the KAV and we will try Plan B.

EZ AV can also disinfect Explorer.exe properly if you have the Bube/Beavis infection.

You can get a free 1 year trial version here:
http://home.ca.com/dr/v2/ec_main.entry2...CID=185351

Download it, install and get the updates for it. I would recommend you do a full system scan in SAFE MODE.

When you are done, please save the log and post it back here in this thread.

Unfortunately, EZ AV does not do a very good job with the Spyware that Bube downloads on you, so you need to get the Microsoft Antispyware program to deal with that. Using those two programs should get most of it and we can do the rest with HijackThis if needed.

Here is the link again for the Microsoft Antispyware program:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

And you'll also need to run the Look2me fix tool as well that I posted earlier.
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 11:52 am    Post subject:

Okay, I ran a full system scan in safe mode with EZAV...no files detected.....I'm not sure how to post the log from that.
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 12:00 pm    Post subject:

Ok, if no files detected, I don't need the EZ log. Just move on to MSAS and the l2mfix tool. And then reboot after all that and scan once more with Hijackthis and post a fresh log please.
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 2:40 pm    Post subject:

Okay....things are looking a little better over here! Here is my current log after the scans, what do you think?

Logfile of HijackThis v1.99.1
Scan saved at 6:38:13 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\innrmm.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jps\Local Settings\Temporary Internet Files\Content.IE5\WTEHAF6Z\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\innrmm.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\jps\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {2D7E3638-8482-4FF1-8F21-B361F27A5E05} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {37047679-3856-4E61-BF09-9E62036A9D58} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {AEB3DAF3-A623-45CB-9821-2623BE14FF1F} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 2:54 pm

It's a bit premature for the new HijackThis log.

I still need to see the log from l2mfix, because we haven't fixed that yet. Did you save the log? If not, run a new one and post it back here:

Quote:
open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 3:08 pm

Ok, here's that log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5BA2C9C0-6FB5-1EA4-A158-3F6CC47CFBBB}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}"=""
"{57871811-5C71-476D-92BD-63943D9740C8}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}\InprocServer32]
@="C:\\WINDOWS\\system32\\medimap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aza027~1.dll Mon Apr 4 2005 10:06:50a ..S.R 235,329 229.81 K
azvpack.dll Sun Apr 3 2005 10:40:26p ..S.R 234,835 229.33 K
bjhci.dll Mon Apr 4 2005 10:09:12a ..S.R 232,976 227.52 K
browseui.dll Thu Jan 27 2005 1:13:16p ..... 1,016,832 993.00 K
cdfview.dll Thu Jan 27 2005 1:13:16p ..... 151,040 147.50 K
d2j02c~1.dll Mon Apr 4 2005 3:14:42p ..S.R 234,190 228.70 K
daanp.dll Mon Apr 4 2005 6:36:46p A.... 0 0.00 K
dfuiext.dll Sun Apr 3 2005 9:51:54p ..S.R 234,835 229.33 K
dlnwsock.dll Sun Apr 3 2005 10:41:34p ..S.R 234,835 229.33 K
ducpcsvc.dll Sun Apr 3 2005 10:28:44p ..S.R 234,835 229.33 K
en4ql1~1.dll Sun Apr 3 2005 9:46:50p ..S.R 232,994 227.53 K
enl8l1~1.dll Sat Apr 2 2005 1:11:40p ..S.R 235,079 229.57 K
enp8l1~1.dll Sun Apr 3 2005 9:51:52p ..S.R 233,159 227.69 K
fn0021~1.dll Sun Apr 3 2005 10:22:58p ..S.R 234,835 229.33 K
gccoll~1.dll Thu Feb 10 2005 10:32:20p A.... 119,520 116.72 K
gcmd5q~1.dll Mon Apr 4 2005 6:26:20p A.... 10,752 10.50 K
gcunco~1.dll Thu Feb 10 2005 10:32:20p A.... 130,272 127.22 K
hashlib.dll Thu Feb 10 2005 10:32:18p A.... 81,120 79.22 K
hrp805~1.dll Mon Apr 4 2005 11:21:12a ..S.R 234,776 229.27 K
i6lolg~1.dll Sun Apr 3 2005 8:48:38a ..S.R 233,917 228.43 K
ialolg~1.dll Mon Apr 4 2005 9:19:50a ..S.R 234,835 229.33 K
icetcomm.dll Sun Apr 3 2005 7:48:24p ..S.R 232,581 227.13 K
iepeers.dll Thu Jan 27 2005 1:13:16p ..... 249,856 244.00 K
inseng.dll Thu Jan 27 2005 1:13:16p ..... 96,256 94.00 K
isafeif.dll Thu Jan 27 2005 12:15:40p A.... 95,344 93.11 K
isafprod.dll Thu Jan 27 2005 12:15:52p A.... 74,864 73.11 K
k0080a~1.dll Mon Apr 4 2005 9:19:50a ..S.R 235,635 230.11 K
k644lg~1.dll Sat Apr 2 2005 1:23:02p ..S.R 234,694 229.19 K
ksdcr.dll Mon Apr 4 2005 10:04:28a ..S.R 232,976 227.52 K
ltl027~1.dll Sat Apr 2 2005 1:20:22p ..S.R 235,285 229.77 K
lv6m09~1.dll Mon Apr 4 2005 10:04:28a ..S.R 233,145 227.68 K
lv6o09~1.dll Mon Apr 4 2005 10:00:46a ..S.R 233,345 227.88 K
lv8009~1.dll Sat Apr 2 2005 1:26:50p ..S.R 233,337 227.87 K
m646lg~1.dll Sun Apr 3 2005 10:40:26p ..S.R 233,047 227.58 K
m6polg~1.dll Sun Apr 3 2005 10:33:06p ..S.R 236,211 230.67 K
mkhgrcoi.dll Sun Apr 3 2005 9:46:50p ..S.R 234,835 229.33 K
mqc71deu.dll Sat Apr 2 2005 2:23:44p ..S.R 233,248 227.78 K
mrxparhd.dll Sat Apr 2 2005 12:18:32p ..S.R 233,248 227.78 K
mshtml.dll Thu Jan 27 2005 1:13:18p ..... 3,006,976 2.87 M
n06q0a~1.dll Sat Apr 2 2005 2:28:22p ..S.R 234,003 228.52 K
n0p4la~1.dll Sun Apr 3 2005 10:41:34p ..S.R 236,305 230.77 K
n64slg~1.dll Sat Apr 2 2005 1:14:12p ..S.R 234,994 229.48 K
ndlsapi.dll Sun Apr 3 2005 8:27:38p ..S.R 233,509 228.04 K
o0pq0a~1.dll Mon Apr 4 2005 9:29:30a ..S.R 233,546 228.07 K
ole32.dll Fri Jan 14 2005 4:55:50a ..... 1,285,120 1.22 M
olecli32.dll Fri Jan 14 2005 4:55:50a ..... 74,752 73.00 K
olecnv32.dll Fri Jan 14 2005 4:55:50a ..... 37,888 37.00 K
q0ps0a~1.dll Mon Apr 4 2005 9:19:56a ..S.R 233,069 227.61 K
rpcss.dll Fri Jan 14 2005 4:55:50a ..... 395,776 386.50 K
s0880a~1.dll Sat Apr 2 2005 1:17:16p ..S.R 234,128 228.64 K
sessetup.dll Sun Apr 3 2005 10:33:06p ..S.R 234,835 229.33 K
sggphhp.dll Mon Apr 4 2005 3:56:38p A.... 27,136 26.50 K
shdocvw.dll Thu Jan 27 2005 1:13:18p ..... 1,483,264 1.41 M
shlwapi.dll Thu Jan 27 2005 1:13:18p ..... 473,600 462.50 K
sscfiles.dll Mon Apr 4 2005 9:29:30a ..S.R 232,976 227.52 K
swecli.dll Mon Apr 4 2005 9:23:04a ..S.R 234,835 229.33 K
sxarddlg.dll Mon Apr 4 2005 10:00:46a ..S.R 232,976 227.52 K
urlmon.dll Thu Jan 27 2005 1:13:18p ..... 607,744 593.50 K
vetredir.dll Mon Apr 4 2005 3:51:04p A.... 74,864 73.11 K
wininet.dll Thu Jan 27 2005 1:13:18p ..... 656,896 641.50 K
winup2~1.dll Sat Apr 2 2005 1:00:56p ..... 5,632 5.50 K

61 items found: 61 files (38 H/S), 0 directories.
Total of file sizes: 19,053,697 bytes 18.17 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Apr 4 2005 3:50:26p ..S.R 233,901 228.42 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,901 bytes 228.42 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1484-EB34

Directory of C:\WINDOWS\System32

04/04/2005 03:50 PM 233,901 guard.tmp
04/04/2005 03:14 PM 234,190 d2j02c1mgf.dll
04/04/2005 11:21 AM 234,776 hrp8057ue.dll
04/04/2005 10:09 AM 232,976 bjhci.dll
04/04/2005 10:06 AM 235,329 aza0273mg.dll
04/04/2005 10:04 AM 232,976 KSDCR.DLL
04/04/2005 10:04 AM 233,145 lv6m09j1e.dll
04/04/2005 10:00 AM 232,976 sxarddlg.dll
04/04/2005 10:00 AM 233,345 lv6o09j3e.dll
04/04/2005 09:29 AM 232,976 sscfiles.dll
04/04/2005 09:29 AM 233,546 o0pq0a75ed.dll
04/04/2005 09:23 AM 234,835 swecli.dll
04/04/2005 09:19 AM 233,069 q0ps0a77ed.dll
04/04/2005 09:19 AM 234,835 iAlolg3316.dll
04/04/2005 09:19 AM 235,635 k0080adued080.dll
04/03/2005 10:41 PM 234,835 DLNWSOCK.DLL
04/03/2005 10:41 PM 236,305 n0p4la7q1d.dll
04/03/2005 10:40 PM 234,835 azvpack.dll
04/03/2005 10:40 PM 233,047 m646lghs1646.dll
04/03/2005 10:33 PM 234,835 sessetup.dll
04/03/2005 10:33 PM 236,211 m6polg7316.dll
04/03/2005 10:28 PM 234,835 ducpcsvc.dll
04/03/2005 10:22 PM 234,835 fn0021dmg.dll
04/03/2005 09:51 PM 234,835 dfuiext.dll
04/03/2005 09:51 PM 233,159 enp8l17u1.dll
04/03/2005 09:46 PM 234,835 MKHGRCOI.DLL
04/03/2005 09:46 PM 232,994 en4ql1h51.dll
04/03/2005 08:27 PM 233,509 ndlsapi.dll
04/03/2005 08:20 PM <DIR> DLLCACHE
04/03/2005 07:48 PM 232,581 icetcomm.dll
04/03/2005 08:48 AM 233,917 i6lolg3316.dll
04/02/2005 02:28 PM 234,003 n06q0aj5edo.dll
04/02/2005 02:23 PM 233,248 MQC71DEU.DLL
04/02/2005 01:26 PM 233,337 lv8009lme.dll
04/02/2005 01:23 PM 234,694 k644lghq164e.dll
04/02/2005 01:20 PM 235,285 ltl0273mg.dll
04/02/2005 01:17 PM 234,128 s0880aluedq80.dll
04/02/2005 01:14 PM 234,994 n64slgh7164.dll
04/02/2005 01:11 PM 235,079 enl8l13u1.dll
04/02/2005 12:18 PM 233,248 mrxparhd.dll
03/13/2004 05:39 PM <DIR> Microsoft
39 File(s) 9,132,094 bytes
2 Dir(s) 32,174,505,984 bytes free
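An added triage example for the find log above (it is not part of this thread, nor code from l2mfix or HijackThis): the script parses the three parts of that log that matter for this infection, the "Files Found" listing with its attribute column (which uses 8.3 short names), the `dir` listing with long names, and the HKEY ROOT CLASSIDS dump, and flags what the helper is reading by eye here: System+Read-only DLL/TMP files of roughly 230 KB in system32, CLSIDs whose InprocServer32 points at one of them, CLSIDs whose server is not on disk at all (medimap.dll in this log), and which of the suspects were written within a day of the newest file, i.e. whether the dropper is still active. The size bounds, the 24-hour window and the embedded sample (a handful of lines copied from the log above) are assumptions, not a published signature.

```python
"""Triage an l2mfix "find log" for the Look2Me file/CLSID pattern.

Added example for this thread; not part of l2mfix or HijackThis.
Size bounds and the freshness window are assumptions chosen to match
the log posted in the thread, not a published signature.
"""
import re
from datetime import datetime, timedelta

# Assumption: brackets the 232,581..236,305-byte DLLs seen in the posted log.
L2M_MIN_SIZE = 225_000
L2M_MAX_SIZE = 245_000
FRESH_WINDOW = timedelta(days=1)   # assumption: "dropper still active" threshold

# "Files Found" line:  aza027~1.dll Mon Apr 4 2005 10:06:50a ..S.R 235,329 229.81 K
FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)
# `dir` listing line (long names):  04/04/2005 03:50 PM 233,901 guard.tmp
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+[\d,]+\s+(?P<name>\S+)$")
# .reg dump:  [HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32]  followed by  @="C:\\..."
CLSID_KEY = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$")
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def parse_stamp(stamp: str) -> datetime:
    """l2mfix prints 'a'/'p' for AM/PM; strptime needs the full marker."""
    stamp = stamp[:-1] + ("AM" if stamp.endswith("a") else "PM")
    return datetime.strptime(stamp, "%a %b %d %Y %I:%M:%S%p")


def parse_files(log: str) -> list:
    """Entries of the 'Files Found' section: name, mtime, attribute letters, size."""
    files = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            files.append({"name": m["name"].lower(), "mtime": parse_stamp(m["stamp"]),
                          "attrs": m["attrs"], "size": int(m["size"].replace(",", ""))})
    return files


def parse_dir_names(log: str) -> set:
    """Long file names from the directory listing (the file section uses 8.3 names)."""
    names = set()
    for line in log.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            names.add(m["name"].lower())
    return names


def parse_clsid_servers(log: str) -> dict:
    """CLSID -> InprocServer32 path, read from the HKEY ROOT CLASSIDS dump."""
    servers, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        key = CLSID_KEY.match(line)
        if key:
            current = key.group(1).upper()
            continue
        val = DEFAULT_VALUE.match(line)
        if val and current:
            servers[current] = val.group(1).replace("\\\\", "\\")  # un-escape .reg backslashes
            current = None
    return servers


def is_l2m_candidate(f: dict) -> bool:
    """Pattern in this thread: System + Read-only attributes, ~230 KB, .dll or .tmp."""
    return ("S" in f["attrs"] and "R" in f["attrs"]
            and L2M_MIN_SIZE <= f["size"] <= L2M_MAX_SIZE
            and f["name"].endswith((".dll", ".tmp")))


def triage(log: str) -> dict:
    files = parse_files(log)
    known = {f["name"] for f in files} | parse_dir_names(log)
    newest = max((f["mtime"] for f in files), default=None)
    suspects = [f for f in files if is_l2m_candidate(f)]
    registered, orphaned = {}, {}
    for clsid, path in parse_clsid_servers(log).items():
        base = path.rsplit("\\", 1)[-1].lower()
        # A registered server missing from both listings was either already
        # deleted or is hidden from the scan; both deserve a look.
        (registered if base in known else orphaned)[clsid] = base
    return {
        "suspects": sorted(f["name"] for f in suspects),
        "registered": registered,
        "orphaned": orphaned,
        # Written within FRESH_WINDOW of the newest file: the dropper is still active.
        "recent": sorted(f["name"] for f in suspects
                         if newest and newest - f["mtime"] <= FRESH_WINDOW),
    }


# Constructed sample: a handful of lines copied from the find log in this thread.
SAMPLE_FIND_LOG = r"""
HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}\InprocServer32]
@="C:\\WINDOWS\\system32\\medimap.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
aza027~1.dll Mon Apr 4 2005 10:06:50a ..S.R 235,329 229.81 K
browseui.dll Thu Jan 27 2005 1:13:16p ..... 1,016,832 993.00 K
daanp.dll Mon Apr 4 2005 6:36:46p A.... 0 0.00 K
hashlib.dll Thu Feb 10 2005 10:32:18p A.... 81,120 79.22 K
mrxparhd.dll Sat Apr 2 2005 12:18:32p ..S.R 233,248 227.78 K
guard.tmp Mon Apr 4 2005 3:50:26p ..S.R 233,901 228.42 K
Directory of C:\WINDOWS\System32
04/04/2005 03:50 PM 233,901 guard.tmp
04/04/2005 10:06 AM 235,329 aza0273mg.dll
04/03/2005 08:20 PM <DIR> DLLCACHE
04/02/2005 12:18 PM 233,248 mrxparhd.dll
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FIND_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full find log by reading the notepad output into `triage()`. The attribute check is the load-bearing part: legitimate system32 DLLs in this log carry `.....` or `A....`, while every Look2Me drop carries `..S.R`, so the size window only trims false positives rather than defining the match.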
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 4:03 pm

Great, ok...let's proceed with the fix then.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 4:41 pm

Okay, did that.....here's the log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\jps\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\jps\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jps\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1736 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aza0273mg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azvpack.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bjhci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\d2j02c1mgf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dfuiext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DLNWSOCK.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ducpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en4ql1h51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enl8l13u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enp8l17u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fn0021dmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrp8057ue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6lolg3316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iAlolg3316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\icetcomm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0080adued080.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k644lghq164e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KSDCR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ltl0273mg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6m09j1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6o09j3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv8009lme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m646lghs1646.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m6polg7316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MKHGRCOI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MQC71DEU.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrxparhd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n06q0aj5edo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n0p4la7q1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n64slgh7164.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ndlsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o0pq0a75ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q0ps0a77ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0880aluedq80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sessetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sscfiles.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swecli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sxarddlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aza0273mg.dll
Successfully Deleted: C:\WINDOWS\system32\aza0273mg.dll
deleting: C:\WINDOWS\system32\azvpack.dll
Successfully Deleted: C:\WINDOWS\system32\azvpack.dll
deleting: C:\WINDOWS\system32\bjhci.dll
Successfully Deleted: C:\WINDOWS\system32\bjhci.dll
deleting: C:\WINDOWS\system32\d2j02c1mgf.dll
Successfully Deleted: C:\WINDOWS\system32\d2j02c1mgf.dll
deleting: C:\WINDOWS\system32\dfuiext.dll
Successfully Deleted: C:\WINDOWS\system32\dfuiext.dll
deleting: C:\WINDOWS\system32\DLNWSOCK.DLL
Successfully Deleted: C:\WINDOWS\system32\DLNWSOCK.DLL
deleting: C:\WINDOWS\system32\ducpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\ducpcsvc.dll
deleting: C:\WINDOWS\system32\en4ql1h51.dll
Successfully Deleted: C:\WINDOWS\system32\en4ql1h51.dll
deleting: C:\WINDOWS\system32\enl8l13u1.dll
Successfully Deleted: C:\WINDOWS\system32\enl8l13u1.dll
deleting: C:\WINDOWS\system32\enp8l17u1.dll
Successfully Deleted: C:\WINDOWS\system32\enp8l17u1.dll
deleting: C:\WINDOWS\system32\fn0021dmg.dll
Successfully Deleted: C:\WINDOWS\system32\fn0021dmg.dll
deleting: C:\WINDOWS\system32\hrp8057ue.dll
Successfully Deleted: C:\WINDOWS\system32\hrp8057ue.dll
deleting: C:\WINDOWS\system32\i6lolg3316.dll
Successfully Deleted: C:\WINDOWS\system32\i6lolg3316.dll
deleting: C:\WINDOWS\system32\iAlolg3316.dll
Successfully Deleted: C:\WINDOWS\system32\iAlolg3316.dll
deleting: C:\WINDOWS\system32\icetcomm.dll
Successfully Deleted: C:\WINDOWS\system32\icetcomm.dll
deleting: C:\WINDOWS\system32\k0080adued080.dll
Successfully Deleted: C:\WINDOWS\system32\k0080adued080.dll
deleting: C:\WINDOWS\system32\k644lghq164e.dll
Successfully Deleted: C:\WINDOWS\system32\k644lghq164e.dll
deleting: C:\WINDOWS\system32\KSDCR.DLL
Successfully Deleted: C:\WINDOWS\system32\KSDCR.DLL
deleting: C:\WINDOWS\system32\ltl0273mg.dll
Successfully Deleted: C:\WINDOWS\system32\ltl0273mg.dll
deleting: C:\WINDOWS\system32\lv6m09j1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6m09j1e.dll
deleting: C:\WINDOWS\system32\lv6o09j3e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6o09j3e.dll
deleting: C:\WINDOWS\system32\lv8009lme.dll
Successfully Deleted: C:\WINDOWS\system32\lv8009lme.dll
deleting: C:\WINDOWS\system32\m646lghs1646.dll
Successfully Deleted: C:\WINDOWS\system32\m646lghs1646.dll
deleting: C:\WINDOWS\system32\m6polg7316.dll
Successfully Deleted: C:\WINDOWS\system32\m6polg7316.dll
deleting: C:\WINDOWS\system32\MKHGRCOI.DLL
Successfully Deleted: C:\WINDOWS\system32\MKHGRCOI.DLL
deleting: C:\WINDOWS\system32\MQC71DEU.DLL
Successfully Deleted: C:\WINDOWS\system32\MQC71DEU.DLL
deleting: C:\WINDOWS\system32\mrxparhd.dll
Successfully Deleted: C:\WINDOWS\system32\mrxparhd.dll
deleting: C:\WINDOWS\system32\n06q0aj5edo.dll
Successfully Deleted: C:\WINDOWS\system32\n06q0aj5edo.dll
deleting: C:\WINDOWS\system32\n0p4la7q1d.dll
Successfully Deleted: C:\WINDOWS\system32\n0p4la7q1d.dll
deleting: C:\WINDOWS\system32\n64slgh7164.dll
Successfully Deleted: C:\WINDOWS\system32\n64slgh7164.dll
deleting: C:\WINDOWS\system32\ndlsapi.dll
Successfully Deleted: C:\WINDOWS\system32\ndlsapi.dll
deleting: C:\WINDOWS\system32\o0pq0a75ed.dll
Successfully Deleted: C:\WINDOWS\system32\o0pq0a75ed.dll
deleting: C:\WINDOWS\system32\q0ps0a77ed.dll
Successfully Deleted: C:\WINDOWS\system32\q0ps0a77ed.dll
deleting: C:\WINDOWS\system32\s0880aluedq80.dll
Successfully Deleted: C:\WINDOWS\system32\s0880aluedq80.dll
deleting: C:\WINDOWS\system32\sessetup.dll
Successfully Deleted: C:\WINDOWS\system32\sessetup.dll
deleting: C:\WINDOWS\system32\sscfiles.dll
Successfully Deleted: C:\WINDOWS\system32\sscfiles.dll
deleting: C:\WINDOWS\system32\swecli.dll
Successfully Deleted: C:\WINDOWS\system32\swecli.dll
deleting: C:\WINDOWS\system32\sxarddlg.dll
Successfully Deleted: C:\WINDOWS\system32\sxarddlg.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: aza0273mg.dll (164 bytes security) (deflated 5%)
adding: azvpack.dll (164 bytes security) (deflated 5%)
adding: bjhci.dll (164 bytes security) (deflated 4%)
adding: d2j02c1mgf.dll (164 bytes security) (deflated 5%)
adding: dfuiext.dll (164 bytes security) (deflated 5%)
adding: DLNWSOCK.DLL (164 bytes security) (deflated 5%)
adding: ducpcsvc.dll (164 bytes security) (deflated 5%)
adding: en4ql1h51.dll (164 bytes security) (deflated 4%)
adding: enl8l13u1.dll (164 bytes security) (deflated 5%)
adding: enp8l17u1.dll (164 bytes security) (deflated 4%)
adding: fn0021dmg.dll (164 bytes security) (deflated 5%)
adding: hrp8057ue.dll (164 bytes security) (deflated 5%)
adding: i6lolg3316.dll (164 bytes security) (deflated 5%)
adding: iAlolg3316.dll (164 bytes security) (deflated 5%)
adding: icetcomm.dll (164 bytes security) (deflated 4%)
adding: k0080adued080.dll (164 bytes security) (deflated 5%)
adding: k644lghq164e.dll (164 bytes security) (deflated 5%)
adding: KSDCR.DLL (164 bytes security) (deflated 4%)
adding: ltl0273mg.dll (164 bytes security) (deflated 5%)
adding: lv6m09j1e.dll (164 bytes security) (deflated 4%)
adding: lv6o09j3e.dll (164 bytes security) (deflated 5%)
adding: lv8009lme.dll (164 bytes security) (deflated 4%)
adding: m646lghs1646.dll (164 bytes security) (deflated 4%)
adding: m6polg7316.dll (164 bytes security) (deflated 6%)
adding: MKHGRCOI.DLL (164 bytes security) (deflated 5%)
adding: MQC71DEU.DLL (164 bytes security) (deflated 4%)
adding: mrxparhd.dll (164 bytes security) (deflated 4%)
adding: n06q0aj5edo.dll (164 bytes security) (deflated 5%)
adding: n0p4la7q1d.dll (164 bytes security) (deflated 6%)
adding: n64slgh7164.dll (164 bytes security) (deflated 5%)
adding: ndlsapi.dll (164 bytes security) (deflated 5%)
adding: o0pq0a75ed.dll (164 bytes security) (deflated 5%)
adding: q0ps0a77ed.dll (164 bytes security) (deflated 4%)
adding: s0880aluedq80.dll (164 bytes security) (deflated 5%)
adding: sessetup.dll (164 bytes security) (deflated 5%)
adding: sscfiles.dll (164 bytes security) (deflated 4%)
adding: swecli.dll (164 bytes security) (deflated 5%)
adding: sxarddlg.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 81%)
adding: test2.txt (164 bytes security) (deflated 16%)
adding: test3.txt (164 bytes security) (deflated 16%)
adding: test5.txt (164 bytes security) (deflated 16%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/57871811-5C71-476D-92BD-63943D9740C8.reg (164 bytes security) (deflated 70%)
adding: backregs/A4267E02-E3AF-4C03-BC58-F7FD92D3104B.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza0273mg.dll
deleting local copy: azvpack.dll
deleting local copy: bjhci.dll
deleting local copy: d2j02c1mgf.dll
deleting local copy: dfuiext.dll
deleting local copy: DLNWSOCK.DLL
deleting local copy: ducpcsvc.dll
deleting local copy: en4ql1h51.dll
deleting local copy: enl8l13u1.dll
deleting local copy: enp8l17u1.dll
deleting local copy: fn0021dmg.dll
deleting local copy: hrp8057ue.dll
deleting local copy: i6lolg3316.dll
deleting local copy: iAlolg3316.dll
deleting local copy: icetcomm.dll
deleting local copy: k0080adued080.dll
deleting local copy: k644lghq164e.dll
deleting local copy: KSDCR.DLL
deleting local copy: ltl0273mg.dll
deleting local copy: lv6m09j1e.dll
deleting local copy: lv6o09j3e.dll
deleting local copy: lv8009lme.dll
deleting local copy: m646lghs1646.dll
deleting local copy: m6polg7316.dll
deleting local copy: MKHGRCOI.DLL
deleting local copy: MQC71DEU.DLL
deleting local copy: mrxparhd.dll
deleting local copy: n06q0aj5edo.dll
deleting local copy: n0p4la7q1d.dll
deleting local copy: n64slgh7164.dll
deleting local copy: ndlsapi.dll
deleting local copy: o0pq0a75ed.dll
deleting local copy: q0ps0a77ed.dll
deleting local copy: s0880aluedq80.dll
deleting local copy: sessetup.dll
deleting local copy: sscfiles.dll
deleting local copy: swecli.dll
deleting local copy: sxarddlg.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza0273mg.dll
C:\WINDOWS\system32\azvpack.dll
C:\WINDOWS\system32\bjhci.dll
C:\WINDOWS\system32\d2j02c1mgf.dll
C:\WINDOWS\system32\dfuiext.dll
C:\WINDOWS\system32\DLNWSOCK.DLL
C:\WINDOWS\system32\ducpcsvc.dll
C:\WINDOWS\system32\en4ql1h51.dll
C:\WINDOWS\system32\enl8l13u1.dll
C:\WINDOWS\system32\enp8l17u1.dll
C:\WINDOWS\system32\fn0021dmg.dll
C:\WINDOWS\system32\hrp8057ue.dll
C:\WINDOWS\system32\i6lolg3316.dll
C:\WINDOWS\system32\iAlolg3316.dll
C:\WINDOWS\system32\icetcomm.dll
C:\WINDOWS\system32\k0080adued080.dll
C:\WINDOWS\system32\k644lghq164e.dll
C:\WINDOWS\system32\KSDCR.DLL
C:\WINDOWS\system32\ltl0273mg.dll
C:\WINDOWS\system32\lv6m09j1e.dll
C:\WINDOWS\system32\lv6o09j3e.dll
C:\WINDOWS\system32\lv8009lme.dll
C:\WINDOWS\system32\m646lghs1646.dll
C:\WINDOWS\system32\m6polg7316.dll
C:\WINDOWS\system32\MKHGRCOI.DLL
C:\WINDOWS\system32\MQC71DEU.DLL
C:\WINDOWS\system32\mrxparhd.dll
C:\WINDOWS\system32\n06q0aj5edo.dll
C:\WINDOWS\system32\n0p4la7q1d.dll
C:\WINDOWS\system32\n64slgh7164.dll
C:\WINDOWS\system32\ndlsapi.dll
C:\WINDOWS\system32\o0pq0a75ed.dll
C:\WINDOWS\system32\q0ps0a77ed.dll
C:\WINDOWS\system32\s0880aluedq80.dll
C:\WINDOWS\system32\sessetup.dll
C:\WINDOWS\system32\sscfiles.dll
C:\WINDOWS\system32\swecli.dll
C:\WINDOWS\system32\sxarddlg.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}"=-
"{57871811-5C71-476D-92BD-63943D9740C8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A4267E02-E3AF-4C03-BC58-F7FD92D3104B}]
[-HKEY_CLASSES_ROOT\CLSID\{57871811-5C71-476D-92BD-63943D9740C8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

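The Winlogon\Notify export above is what the stock Windows XP SP2 set of notification packages looks like once nothing else is registered there. The Python below is an added example, not part of this thread and not the l2mfix tool's own code: it parses a .reg export of that key, decodes the hex(2) (UTF-16LE REG_EXPAND_SZ) DllName values regedit emits, and reports any subkey outside that baseline, or any baseline subkey whose DllName has been pointed elsewhere. SAMPLE_EXPORT is constructed for the example: its first three keys are copied from the export above, while the subkey named "hypothetical" and its DLL are invented to show what a hit looks like.

```python
"""Audit a Winlogon\\Notify .reg export for notification packages that are
not part of the stock Windows XP SP2 set.

Added example, not part of the thread and not the l2mfix tool's code.
BASELINE is the set of Notify subkeys in the clean export posted above;
SAMPLE_EXPORT is constructed: three keys copied from that export plus an
invented "hypothetical" key to demonstrate a finding.
"""
import re

# Notify subkey (lower-cased) -> DLL it names on a clean XP SP2 box.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
                 "\\currentversion\\winlogon\\notify\\")

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"StartShell"="SchedStartShell"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hypothetical]
"DLLName"="C:\\WINDOWS\\system32\\hypothetical.dll"
"Logon"="WinlogonLogonEvent"
"""


def _join_continuations(text):
    """regedit wraps long hex values as ',\\' + newline; stitch them back."""
    return re.sub(r",\\\r?\n\s*", ",", text)


def _decode_value(raw):
    """Decode a quoted string or a hex/hex(2)/hex(7) UTF-16LE blob.
    Other types (dword:...) are returned untouched."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE; keep the first string.
        return data.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded}} for every Notify\\<subkey>."""
    result, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = key[len(NOTIFY_PREFIX):] if key.startswith(NOTIFY_PREFIX) else None
            if current is not None:
                result[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            result[current][name.lower()] = _decode_value(raw)
    return result


def audit_notify(text):
    """Return [(subkey, dll, reason)] for anything outside the baseline."""
    findings = []
    for subkey, values in parse_notify_export(text).items():
        dll = values.get("dllname", "")
        expected = BASELINE.get(subkey)
        if expected is None:
            findings.append((subkey, dll, "not in XP SP2 baseline"))
        elif dll.lower().rsplit("\\", 1)[-1] != expected:
            findings.append((subkey, dll, "expected " + expected))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_EXPORT):
        print(f"{subkey}: {dll} ({reason})")
```

Run against the full export posted above it reports nothing; it only earns its keep when a subkey has been added under Notify or a baseline entry has been re-pointed at another DLL. A bare DLL name in DllName is loaded from the system directory search path, which is why the comparison is on the file name rather than the full path.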
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 4:48 pm    Post subject:

Also...here is the latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:18 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\innrmm.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jps\Local Settings\Temporary Internet Files\Content.IE5\CP09G7QD\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\innrmm.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {2D7E3638-8482-4FF1-8F21-B361F27A5E05} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {37047679-3856-4E61-BF09-9E62036A9D58} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {AEB3DAF3-A623-45CB-9821-2623BE14FF1F} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Mon Apr 04, 2005 5:16 pm    Post subject:

1. First, you are still running HijackThis from the zip/compressed file. You need to unzip/extract the HijackThis.exe from the compressed file and put it in its own folder, then run it from there. It won't make backups when you run it straight from the zip file. Follow these instructions:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

2. Make a copy of these instructions so you have them handy as the next steps need to be done in safe mode with IE closed.

3. Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

4. Next, Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
(copy those instructions too, you may need them to refer to get back into normal mode later)


5. Now, with only HijackThis open, scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\jps\n20050308.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\innrmm.exe

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
...........
6. Delete the files and/or folders named in bold:

C:\Documents and Settings\jps\n20050308.exe

C:\WINDOWS\system32\innrmm.exe

C:\WINDOWS\isrvs (delete entire folder and its contents)
.....................
7. Reboot back into normal mode.

Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder (preferably on your desktop).
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in a reply to your thread.

It's getting late for me here, so I may not be able to get back to this thread until tomorrow. Either TeMerc may take over this evening or I will see you back here in the a.m. Smile
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Mon Apr 04, 2005 6:01 pm    Post subject:

Okay...I did all that, but I can't find the file jps/n20050308.exe anywhere.

Also, every time I try to delete system32/innrmm.exe, a box pops up saying I cannot delete it because it's write protected or in use.

I did delete isrvs successfully. Any thoughts on how I can delete the other two?

BTW-You've been such a great help to me, I really appreciate it Smile
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Tue Apr 05, 2005 7:14 am    Post subject:

Good morning Smile

Ok, you need to go back to my last post, because you need to do the
FindQoologic-Narrator.zip

You've still got a Qoologic trojan and that's very difficult to remove.

You really had some bad infections on there so it's taking quite a few steps.
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 7:15 am    Post subject:

Besides the above problems with the 2 files, I did the Qoologic thing, and here's what I got:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
<NO NAME> REG_SZ {1CE2AA40-1317-11D3-9922-00104B0AD431}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mqqgttgk
<NO NAME> REG_SZ {16fbf2e2-6bf6-4510-82c4-7dcbe91823f0}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Tue Apr 05, 2005 7:42 am    Post subject:

Hmmm, ok. No files found. Let's make sure we're not dealing with a rootkit here. Follow these steps next:

Download, unzip, then scan with RootkitRevealer.exe
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it's done, go to File > Save
and attach the log back here in your next reply.
Not to worry, it's normal that there are a lot of items.
It's an intensive scan. I suggest you disconnect from the internet and leave the PC alone until it's finished.

Because the log can be very large, please edit out items in C:\RECYCLER\NPROTECT if there,
and C:\System Volume Information, before posting.
_________________
Microsoft MVP 2003-2008, Windows - Security
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 8:10 am    Post subject:

Okay, I ran the rootkit revealer.....it did not take very long. Here's the log:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 4/5/2005 12:04 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 4/4/2005 3:19 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\ntuser.dat.LOG:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\NTUSER.DAT:KAVICHS 4/4/2005 3:19 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4/5/2005 12:01 PM 64.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
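RootkitRevealer lists every place where the Windows API and the raw on-disk data disagree, and most lines in a log like the one above are one kind of discrepancy repeated. The Python below is an added example, not something from this thread or from Sysinternals: it parses the log format, separates NTFS named streams (the path:STREAM entries) from genuinely hidden files, registry mismatches and directory-index lag, and lists which stream names were seen, so the reviewer can start with the entries that matter. It does not decide whether a stream is benign; several antivirus products cache scan results in named streams, so the stream name together with what is actually installed on the box settles that, not the parser. SAMPLE_LOG is the log posted above. Treating the RNG\Seed entry as volatile is an assumption on my part (that value is rewritten continuously, so it is routinely reported) and is worth confirming against the tool's documentation.

```python
"""Group RootkitRevealer output by what each discrepancy means, so the
named-stream entries can be separated from anything that deserves a
closer look.

Added example, not part of the thread. SAMPLE_LOG is the log posted
above; the rules are generic to RootkitRevealer's output format and do
not decide whether a given stream is benign.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)

# Assumption: registry values that change while the scan runs and are
# routinely reported as mismatches; confirm against the tool version used.
KNOWN_VOLATILE = {r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed".upper()}

# Copied from the log posted above.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 4/5/2005 12:04 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 4/4/2005 3:19 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\ntuser.dat.LOG:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\NTUSER.DAT:KAVICHS 4/4/2005 3:19 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4/5/2005 12:01 PM 64.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log:KAVICHS 4/5/2005 12:01 PM 36 bytes Hidden from Windows API.
"""


def parse_line(line):
    """Split one RootkitRevealer line into path, date, time, size, desc."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def stream_name(path):
    """Name of the NTFS named stream if the leaf component carries one."""
    leaf = path.rsplit("\\", 1)[-1]
    return leaf.split(":", 1)[1] if ":" in leaf else None


def classify(entry):
    path, desc = entry["path"], entry["desc"]
    if path.upper().startswith("HK"):
        return "registry-volatile" if path.upper() in KNOWN_VOLATILE else "registry-mismatch"
    if "Hidden from Windows API" in desc:
        # A hidden *stream* on a visible file is a very different finding
        # from a file that is absent from the API view altogether.
        return "named-stream" if stream_name(path) else "hidden-file"
    if "not in directory index" in desc:
        return "index-lag"  # typically a file created or deleted mid-scan
    return "other"


# Review order: what a reviewer should read first.
PRIORITY = ["hidden-file", "registry-mismatch", "other",
            "named-stream", "index-lag", "registry-volatile"]


def triage(log_text):
    """Return {class: [entries]} with each entry annotated."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry["class"] = classify(entry)
        entry["stream"] = stream_name(entry["path"]) if entry["class"] == "named-stream" else None
        groups[entry["class"]].append(entry)
    return groups


def summary(groups):
    """Counts per class in review order, plus the distinct stream names."""
    counts = [(c, len(groups[c])) for c in PRIORITY if c in groups]
    streams = sorted({e["stream"] for e in groups.get("named-stream", [])})
    return counts, streams


if __name__ == "__main__":
    counts, streams = summary(triage(SAMPLE_LOG))
    for cls, n in counts:
        print(f"{cls:18} {n}")
    print("stream names seen:", ", ".join(streams))
```

On the log above this yields seven named-stream entries (all one stream name), one index-lag entry and one volatile registry value, and nothing in the hidden-file bucket, which is the bucket a kernel-mode rootkit hiding its own files would populate.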
CalamityJane
Site Admin


Joined: 05 Feb 2004
Last Visit: 22 Sep 2009
Posts: 1020
Location: Central Florida, USA

PostPosted: Tue Apr 05, 2005 10:14 am    Post subject:

Ok, just hold tight here then. I'll need to get someone more expert than I at these.
_________________
Microsoft MVP 2003-2008, Windows - Security
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 10:33 am    Post subject:

Hi,

I was asked to take a look.

Download this zip file please:
http://forums.techguy.org/attachment.php?attachmentid=50785&stc=1

Extract its contents to a new folder.

It contains a file named track.vbs

Double click on track.vbs to run it. You may get a warning about a malicious script running. Please ignore that and allow this to run. I wrote it and it is just going to take a look at some areas so we can clean this up for you.

It will produce and open a file named
Report.txt

Wait for Report.txt to open. That means the script has finished running.

Copy and paste the contents of Report.txt into your next reply.

And we'll need a Startuplist too.
In Hijackthis press the Config Button
Click Misc Tools
Check both boxes under the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here, please
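The FindQoologic dump earlier in the thread shows each ContextMenuHandlers subkey and its CLSID, but not which DLL the CLSID loads; that is the resolution step Mosaic1's track.vbs performs against the live registry (HKCR\CLSID\{...}\InprocServer32). The Python below is an added example, not the thread's own script, that does the same thing offline: it parses the REG.EXE 3.0 listing, handles both layouts (CLSID in the default value, or the subkey itself named by CLSID with a label as the default value), marks the handlers that ship with Windows XP, and puts everything else in a review queue with its DLL path. SAMPLE_DUMP is the listing posted above; CLSID_TO_DLL is filled in by hand for offline use and stands in for what `reg query "HKCR\CLSID\{...}\InprocServer32"` returns on the machine itself.

```python
"""Resolve each HKCR\\*\\shellex\\ContextMenuHandlers entry to the DLL its
CLSID loads, the check Mosaic1's track.vbs performs on the live registry.

Added example, not the thread's own script. SAMPLE_DUMP is the REG.EXE
listing posted above; CLSID_TO_DLL is a hand-filled stand-in for
HKCR\\CLSID\\{...}\\InprocServer32 lookups so the code runs offline.
"""
import re

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SUBKEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\\*\\shellex\\ContextMenuHandlers\\(.+)$", re.I)
DEFAULT_RE = re.compile(r"^<NO NAME>\s+REG_SZ\s+(.*)$", re.I)

# Context-menu handlers that ship with Windows XP, keyed by CLSID.
WINDOWS_BUILTIN = {
    "{750FDF0E-2A26-11D1-A3EA-080036587F03}": "Offline Files",
    "{09799AFB-AD67-11D1-ABCD-00C04FC30936}": "Open With",
    "{A470F8CF-A1E8-4F65-8335-227475AA5C46}": "Open With EncryptionMenu",
    "{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}": "Start Menu Pin",
}

# Constructed stand-in for the InprocServer32 values on the live machine.
CLSID_TO_DLL = {
    "{1CE2AA40-1317-11D3-9922-00104B0AD431}": r"C:\WINDOWS\avshlext.dll",
    "{16FBF2E2-6BF6-4510-82C4-7DCBE91823F0}": r"C:\WINDOWS\system32\daanp.dll",
    "{750FDF0E-2A26-11D1-A3EA-080036587F03}": r"C:\WINDOWS\System32\cscui.dll",
    "{09799AFB-AD67-11D1-ABCD-00C04FC30936}": r"C:\WINDOWS\system32\SHELL32.dll",
    "{A470F8CF-A1E8-4F65-8335-227475AA5C46}": r"C:\WINDOWS\system32\SHELL32.dll",
    "{E0D79304-84BE-11CE-9641-444553540000}": r"C:\PROGRA~1\WINZIP\WZSHLSTB.DLL",
    "{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}": r"C:\WINDOWS\system32\SHELL32.dll",
}

# REG.EXE 3.0 listing copied from the FindQoologic output posted above.
SAMPLE_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
<NO NAME> REG_SZ {1CE2AA40-1317-11D3-9922-00104B0AD431}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mqqgttgk
<NO NAME> REG_SZ {16fbf2e2-6bf6-4510-82c4-7dcbe91823f0}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
"""


def parse_handler_dump(text):
    """Return [(subkey, clsid_or_None)] from a REG.EXE 3.0 listing."""
    entries, subkey = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBKEY_RE.match(line)
        if m:
            subkey = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and subkey is not None:
            default = m.group(1).strip()
            # Either the default value holds the CLSID, or the subkey name
            # is the CLSID and the default value is just a display label.
            if GUID_RE.match(default):
                clsid = default.upper()
            elif GUID_RE.match(subkey):
                clsid = subkey.upper()
            else:
                clsid = None
            entries.append((subkey, clsid))
            subkey = None
    return entries


def resolve_handlers(text, clsid_to_dll):
    """Attach the loaded DLL and a status to every handler.

    "windows": XP built-in; "unregistered": no InprocServer32 for the CLSID;
    "review": anything else. A human still decides, the DLL path just
    makes that decision quick.
    """
    rows = []
    for subkey, clsid in parse_handler_dump(text):
        dll = clsid_to_dll.get(clsid)
        if clsid in WINDOWS_BUILTIN:
            status = "windows"
        elif dll is None:
            status = "unregistered"
        else:
            status = "review"
        rows.append({"subkey": subkey, "clsid": clsid, "dll": dll, "status": status})
    return rows


def review_queue(rows):
    """Non-Windows handlers, DLLs under the Windows directory listed first
    (that is where the random-named files in this thread were dropped)."""
    queue = [r for r in rows if r["status"] != "windows"]
    return sorted(queue, key=lambda r: (not (r["dll"] or "").upper().startswith("C:\\WINDOWS"),
                                        r["subkey"]))


if __name__ == "__main__":
    for r in review_queue(resolve_handlers(SAMPLE_DUMP, CLSID_TO_DLL)):
        print(f'{r["status"]:12} {r["subkey"]:28} {r["clsid"]}  {r["dll"]}')
```

The queue for the listing above is CA_AntiVirus, mqqgttgk and WinZip; the first and last carry a vendor name and a recognisable path, which leaves one handler whose subkey name and DLL name say nothing about who installed it. That is exactly the kind of entry the DLL path is meant to surface for a closer look.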
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 10:46 am    Post subject:

Thank you for helping Smile Here is the track log:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"RecoverFromReboo"="C:\\WINDOWS\\Temp\\RECOVE~1.EXE"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"MPSExe"="C:\\Program Files\\McAfee.com\\MPS\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"KavSvc"="C:\\WINDOWS\\system32\\innrmm.exe"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431}
C:\WINDOWS\avshlext.dll

Subkey --- mqqgttgk
{16fbf2e2-6bf6-4510-82c4-7dcbe91823f0}
C:\WINDOWS\system32\daanp.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
-----------

System32 Dat Files



And here is the startup list:

StartupList report, 4/5/2005, 2:45:49 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\jps\Desktop\l2mfix\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\innrmm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jps\Desktop\l2mfix\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jps\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
BCMSMMSG = BCMSMMSG.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DVDSentry = C:\WINDOWS\System32\DSentry.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RecoverFromReboo = C:\WINDOWS\Temp\RECOVE~1.EXE
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MPSExe = C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
MPFExe = C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
CaAvTray = "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
CAVRID = "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KavSvc = C:\WINDOWS\system32\innrmm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{578B3FA6-6B04-4709-908B-DD1B08F565F2}C0022D] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[b9e56e72-83a2-4fc4-895a-8fae8ec04f2b]
StubPath = C:\WINDOWS\system32\doocrrc.exe

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Update Check (D9C0PH41-jps).job
McAfee.com Update Check (D9C0PH41-Owner).job

--------------------------------------------------

Enumerating Download Program Files:

[SAXFile FileUpload ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Softartisans\SAXFile\saaxfile.dll
CODEBASE = http://www.winkflash.com/photo/loaders/SAXFile.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mclsp.dll
Protocol #2: C:\WINDOWS\system32\mclsp.dll
Protocol #3: C:\WINDOWS\system32\mclsp.dll
Protocol #4: C:\WINDOWS\system32\mclsp.dll
Protocol #5: C:\WINDOWS\system32\mclsp.dll
Protocol #6: C:\WINDOWS\system32\mclsp.dll
Protocol #7: C:\WINDOWS\system32\mclsp.dll
Protocol #8: C:\WINDOWS\system32\mclsp.dll
Protocol #9: C:\WINDOWS\system32\mclsp.dll
Protocol #10: C:\WINDOWS\system32\mclsp.dll
Protocol #11: C:\WINDOWS\system32\mclsp.dll
Protocol #12: C:\WINDOWS\system32\mclsp.dll
Protocol #13: C:\WINDOWS\system32\mclsp.dll
Protocol #14: C:\WINDOWS\system32\mclsp.dll
Protocol #15: C:\WINDOWS\system32\mclsp.dll
Protocol #16: C:\WINDOWS\system32\mclsp.dll
Protocol #17: C:\WINDOWS\system32\mclsp.dll
Protocol #18: C:\WINDOWS\system32\mclsp.dll
Protocol #19: C:\WINDOWS\system32\mclsp.dll
Protocol #20: C:\WINDOWS\system32\VetRedir.dll
Protocol #21: C:\WINDOWS\system32\VetRedir.dll
Protocol #22: C:\WINDOWS\system32\VetRedir.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\rsvpsp.dll
Protocol #27: C:\WINDOWS\system32\rsvpsp.dll
Protocol #28: C:\WINDOWS\system32\mswsock.dll
Protocol #29: C:\WINDOWS\system32\mswsock.dll
Protocol #30: C:\WINDOWS\system32\mswsock.dll
Protocol #31: C:\WINDOWS\system32\mswsock.dll
Protocol #32: C:\WINDOWS\system32\mswsock.dll
Protocol #33: C:\WINDOWS\system32\mswsock.dll
Protocol #34: C:\WINDOWS\system32\mswsock.dll
Protocol #35: C:\WINDOWS\system32\mswsock.dll
Protocol #36: C:\WINDOWS\system32\mswsock.dll
Protocol #37: C:\WINDOWS\system32\mswsock.dll
Protocol #38: C:\WINDOWS\system32\mswsock.dll
Protocol #39: C:\WINDOWS\system32\mswsock.dll
Protocol #40: C:\WINDOWS\system32\mswsock.dll
Protocol #41: C:\WINDOWS\system32\mswsock.dll
Protocol #42: C:\WINDOWS\system32\mclsp.dll
Protocol #43: C:\WINDOWS\system32\VetRedir.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Dell TrueMobile WLAN Card Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CAISafe: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
ids00026: \??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
klstm: \??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys (manual start)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee SecurityCenter Update Manager: C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MPFIREWL: System32\Drivers\MpFirewall.sys (system)
McAfee Personal Firewall Service: C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (autostart)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Motorola SurfBoard USB Cable Modem Windows 2000 Driver: System32\DRIVERS\NetMotCM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCAMPR5 NDIS Protocol Driver: \??\D:\ppp\PCAMPR5.SYS (manual start)
PCANDIS5 NDIS Protocol Driver: \??\D:\ppp\PCANDIS5.SYS (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Audio Driver (WDM) - SigmaTel CODEC: system32\drivers\STAC97.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSP: \??\C:\WINDOWS\system32\drivers\klif.sys (manual start)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VET Message Service: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WLTRYSVC: %SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
YHI: C:\DOCUME~1\jps\LOCALS~1\Temp\YHI.exe (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,538 bytes
Report generated in 0.110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
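The report above lists every service and driver with its image path, and what drew the expert's eye was YHI.exe starting from a user's Temp folder (the thread later identifies that file as part of RootkitRevealer, so a hit is a prompt to inspect, not a verdict). As an added triage helper, not code from this thread, StartupList or HijackThis, the script below parses those "Name: image (start type)" lines and flags images living in Temp or user-profile folders; the sample lines are copied from the report above.

```python
"""Flag startup entries that run from Temp or user-profile folders.

Added example, not code from this thread, StartupList or HijackThis.
It parses 'Name: image (start type)' lines like the services/drivers
section above and reports images in locations where a legitimate
service or driver rarely lives. Sample lines are copied from the
report in this thread (no paths are invented).
"""
import re

# One report line: "<name>: <image path and args> (<start type>)"
LINE_RE = re.compile(r"^(?P<name>[^:]+): (?P<image>.+?) \((?P<state>[^)]+)\)$")

# Lower-cased folder fragments that warrant a closer look (8.3 and long forms)
SUSPICIOUS_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")

# Lines taken from the report above (benign entries plus the one that was flagged)
SAMPLE_REPORT = r"""
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
TSP: \??\C:\WINDOWS\system32\drivers\klif.sys (manual start)
VET Message Service: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
YHI: C:\DOCUME~1\jps\LOCALS~1\Temp\YHI.exe (manual start)
"""


def parse_entry(line):
    """Return {'name', 'image', 'state'} for a report line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_location(image):
    """True when the image path points into a Temp or user-profile folder."""
    low = image.lower()
    return any(frag in low for frag in SUSPICIOUS_DIRS)


def triage(report_text):
    """Return the entries worth a second look, in report order."""
    flagged = []
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if entry and is_suspicious_location(entry["image"]):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(f"{e['name']}: {e['image']} ({e['state']})")
```

Anything it flags should be checked against a known-good source (publisher, hash, the tool you just ran) before it is removed, exactly as happened with YHI.exe in this thread.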
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 10:53 am    Post subject:

You'll need another tool too.

Click here to download pskill.zip
http://www.sysinternals.com/files/pskill.zip

Extract pskill.exe to your system32 folder. It is a zip and the exe must be extracted to system32 for it to work.


--------------------


EDIT: You're welcome. I see you posted while I typed. Give me a bit to study your reports and see what else we need to look at.
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 10:59 am    Post subject:

I did that, but every time I go to open it, it flashes really quick and then disappears.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 11:08 am    Post subject:

Ok, you downloaded pskill.zip.

Did you double click on it to open the zip file?

You can then right click on pskill.exe and choose copy.

Open your system32 folder
Right click on an empty space in the folder and choose paste from the menu.

pskill.exe should now be there.

It is a command line tool.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 11:20 am    Post subject:

I think this is Qoologic, but they have made some changes. So I need to see the following files please.

Create a new folder and copy the following files into it:
C:\WINDOWS\system32\daanp.dll

C:\WINDOWS\system32\doocrrc.exe

C:\DOCUME~1\jps\LOCALS~1\Temp\YHI.exe

C:\WINDOWS\system32\innrmm.exe

C:\WINDOWS\Temp\RECOVE~1.EXE

Then close the folder. Right click on it.
Click Send To > Compressed on the menu.

Send to me as an attachment:
Katie_3232 @hotmail.com

I added a space to that email. Remove the space and it will work.
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 11:22 am    Post subject:

I just did everything you said, and it's still just opening for a split second, then disappearing. Hmmm.....
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 11:30 am    Post subject:

Please send me the files I requested.


Doesn't winzip work for you?

You could right click and select to use Winzip to extract?

Let me know. If no joy, I'll reply to your email and send out the file you need. We'll troubleshoot the other issue later. I'd like to see about a removal for this.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 12:15 pm    Post subject:

shadow0727,

I haven't heard back. I have to go offline for several hours. I do need to see those files too. What I try may not work because this is something they have changed.

In addition you'll need this tool:

Download the Killbox here:

http://www.downloads.subratam.org/KillBox.exe

Put Killbox in the system32 folder as well. It is not a zipped file.

I guess we'll continue this later. Don't wait too long. It is best to get rid of these things in a timely manner.
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 4:15 pm    Post subject:

I only found one out of all those files, and I e-mailed it to you. The others I cannot find anywhere.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 5:12 pm    Post subject:

I didn't receive your email. Were you ever able to get pskill unzipped to system32?


Which file did you find?
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 5:25 pm    Post subject:

The pskill file is in SYSTEM32, but every time I try and open it, it opens up winzip again.....what am I doing wrong?

The one file I did manage to find was YHI.exe
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 5:32 pm    Post subject:

You downloaded pskill.zip

You need to extract pskill.exe from the zip file.


I have not gotten any email yet.

Let's try something else for that file.

Go over to this forum:

http://www.thespykiller.co.uk/forum/index.php

Go to the Uploads section. Upload the file over there.

Give a brief explanation of what the file is and that I asked for it. Give them a link to this thread so they can have a look if they like.

I'll wait.

Are you going to be around for a while so we can try a removal? I want to have a quick look at that file first.

Were you able to download the killbox and put it in system32?
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 5:35 pm    Post subject:

Have another look for those other files too please after following these instructions:

XP will not always show you hidden files and folders by default, so reset your search settings first.

Open Folder Options>View and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders


---------------------


You will be restarting into Safe mode later.
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
--------
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 6:06 pm    Post subject:

Just finished posting in the above mentioned forum. I'm going to keep trying to get this pskill going....

I'll be on for a while longer, so let me know what you want to do.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Tue Apr 05, 2005 6:15 pm    Post subject:

LOL that file is part of Rootkit Revealer, which you used earlier. So it's ok.

If you have winzip installed, you should be able to right click on the zip file and select Extract to from the menu. Otherwise you may have a problem with winzip itself.


Did you follow the directions to change your search settings and have another look around for those other files?


From now on, so we can communicate well, please let me know how each suggestion went.


I am here for a while and willing to work on this.
shadow0727
Junior Member


Joined: 03 Apr 2005
Last Visit: 05 May 2005
Posts: 40

PostPosted: Tue Apr 05, 2005 6:17 pm    Post subject:

Okay, changed my search settings per your instructions...still cannot find those other files. I'm going to try the winzip thing again now.