# I go hit from the inside...and no-one can help me



## emeraldknyght (Apr 26, 2006)

I am the unfortunate reciever of some malware. I've got pop-ups galore , and can't get them gone. I was reading some other threads where people ran Hijack This then deleted or fixed the affected areas. Is there any help for me? Here's what my file loks like.Thanx

Logfile of HijackThis v1.99.1
Scan saved at 9:28:44 PM, on 25/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mike\LOCALS~1\Temp\Rar$EX01.515\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\jtn8075ue.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\dnn8015ue.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\n84slih7184.dll (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## happyrck (Feb 17, 2006)

you dont have a firewall get zone alarm..its free

http://www.download.com/3000-2092-10039884.html


----------



## happyrck (Feb 17, 2006)

have HJT fix this

O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe

then run another scan and post it and wait on the pros

you have got to use a firewall or you will keep getting infected


----------



## brendandonhu (Jul 8, 2002)

Download L2mfix from http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. Wait for advice on what to do with this log.


----------



## emeraldknyght (Apr 26, 2006)

I hope I'm doing htis right...Here's the L2MFix report
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtn8075ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnn8015ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n84slih7184.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A2EA40D3-AD32-3C94-FCAA-A0557A85A053}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Property Sheet Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aý Context Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
wininet.dll Sat Mar 4 2006 12:33:46a A.... 658,432 643.00 K
sporder.dll Mon Mar 27 2006 6:40:32p A.... 8,464 8.27 K
dpu11.dll Tue Apr 18 2006 7:30:28p A.... 294,912 288.00 K
urlmon.dll Sat Mar 18 2006 8:09:38a A.... 613,376 599.00 K
dpus11.dll Tue Apr 18 2006 7:30:28p A.... 344,064 336.00 K
dpugui11.dll Tue Apr 18 2006 7:30:28p A.... 593,920 580.00 K
dpv11.dll Tue Apr 18 2006 7:30:28p A.... 57,344 56.00 K
qt-dx331.dll Tue Apr 18 2006 7:30:58p A.... 3,596,288 3.43 M
libdivx.dll Tue Apr 18 2006 7:31:14p A.... 1,044,480 1020.00 K
legitc~1.dll Tue Feb 14 2006 9:20:14a A.... 550,120 537.23 K
ssldivx.dll Tue Apr 18 2006 7:31:14p A.... 200,704 196.00 K
dpl100.dll Tue Apr 18 2006 7:30:28p A.... 90,112 88.00 K
dtu100.dll Tue Apr 18 2006 7:30:28p A.... 200,704 196.00 K
dpu10.dll Tue Apr 18 2006 7:30:28p A.... 294,912 288.00 K
dpugui10.dll Tue Apr 18 2006 7:30:30p A.... 53,248 52.00 K
divx.dll Wed Apr 19 2006 5:09:20p A.... 619,156 604.64 K
divx_x~1.dll Wed Apr 19 2006 5:09:20p A.... 778,240 760.00 K
divx_x~2.dll Wed Apr 19 2006 5:09:20p A.... 778,240 760.00 K
mgimsg.dll Tue Apr 25 2006 1:36:28a ..... 234,272 228.78 K
divx_x~3.dll Wed Apr 19 2006 5:09:20p A.... 761,856 744.00 K
inetcomm.dll Fri Mar 17 2006 6:07:18a A.... 679,424 663.50 K
wmp.dll Fri Mar 10 2006 6:09:14a A.... 5,533,696 5.28 M
shlwapi.dll Sat Mar 4 2006 12:33:44a A.... 474,112 463.00 K
shdocvw.dll Thu Mar 30 2006 6:16:04a A.... 1,492,480 1.42 M
divxwm~1.dll Tue Mar 21 2006 9:38:44p A.... 12,288 12.00 K
pngfilt.dll Sat Mar 4 2006 12:33:44a A.... 39,424 38.50 K
mstime.dll Sat Mar 4 2006 12:33:44a A.... 532,480 520.00 K
msrating.dll Sat Mar 4 2006 12:33:44a A.... 146,432 143.00 K
mshtmled.dll Sat Mar 4 2006 12:33:44a A.... 448,512 438.00 K
mshtml.dll Thu Mar 23 2006 5:32:42p A.... 3,053,568 2.91 M
inseng.dll Sat Mar 4 2006 12:33:42a A.... 96,256 94.00 K
iepeers.dll Sat Mar 4 2006 12:33:42a A.... 251,392 245.50 K
dxtrans.dll Sat Mar 4 2006 12:33:42a A.... 205,312 200.50 K
danim.dll Sat Mar 4 2006 12:33:42a A.... 1,054,208 1.00 M
cdfview.dll Sat Mar 4 2006 12:33:40a A.... 151,040 147.50 K
browseui.dll Sat Mar 4 2006 12:33:40a A.... 1,022,976 999.00 K
xpsp3res.dll Wed Mar 29 2006 10:00:14p A.... 16,384 16.00 K
extmgr.dll Sat Mar 4 2006 12:33:42a A.... 55,808 54.50 K
shell32.dll Fri Mar 17 2006 1:03:54a A.... 8,452,096 8.06 M
bszip.dll Mon Apr 24 2006 1:06:24a A.... 62,464 61.00 K
unicows.dll Tue Apr 18 2006 7:30:24p A.... 245,408 239.66 K

41 items found: 41 files, 0 directories.
Total of file sizes: 35,798,604 bytes 34.14 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Apr 25 2006 1:35:12a ..... 234,272 228.78 K
setupe~1.tmp Mon Apr 24 2006 1:06:28a A.... 32,768 32.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 267,040 bytes 260.78 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\WINDOWS\System32

09/03/2005 04:05 PM Microsoft
09/03/2005 03:50 PM dllcache
0 File(s) 0 bytes
2 Dir(s) 36,910,858,240 bytes free


----------



## brendandonhu (Jul 8, 2002)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log


----------



## emeraldknyght (Apr 26, 2006)

Her are the requested logs.

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges. 
The command completed successfully.
Checking for L2MFix account(0=no 1=yes): 
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 324 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'
Killing PID 1388 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1484 'rundll32.exe'
Killing PID 1484 'rundll32.exe'
Killing PID 1484 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\mgimsg.dll 
Successfully Deleted: C:\WINDOWS\system32\mgimsg.dll 
Deleting: C:\WINDOWS\system32\guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll 
0 file(s) copied.
Desktop.ini sucessfully removed

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtn8075ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnn8015ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n84slih7184.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\mgimsg.dll 
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted: 
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes): 
0
Zipping up files for submission:
adding: dlls/mgimsg.dll (deflated 4%)
adding: dlls/guard.tmp (deflated 4%)
adding: backregs/notibac.reg (deflated 88%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/3F6005DE-F98C-4D13-93B4-3ADC9DAE66BC.reg (deflated 70%)

Logfile of HijackThis v1.99.1
Scan saved at 1:30:30 AM, on 26/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\jtn8075ue.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\dnn8015ue.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\n84slih7184.dll (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## emeraldknyght (Apr 26, 2006)

My previous thread was closed. I did post it in error under the incorrect forum, but is there any solution forthcoming for this querry.I'm still inundated with pop-ups. Thanx for your attention.


----------



## brendandonhu (Jul 8, 2002)

Run *HijackThis* and click *Do a system scan only*
Put a checkmark next to each of the following entries that appear:
*
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\jtn8075ue.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\dnn8015ue.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\n84slih7184.dll (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing)
*​
Click *Fix Checked* and exit *HijackThis*

Locate and delete any of the following files found on your computer:
*
C:\Program Files\Network\
*​Restart your computer

Run *HijackThis* and click *Do a system scan and save a log file*
Your *HijackThis* log will open in *Notepad*. Post the contents of the log here


----------



## emeraldknyght (Apr 26, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 1:19:58 AM, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## brendandonhu (Jul 8, 2002)

Go to *Kaspersky Online Scanner* and click *Accept*
When the updates are finished downloading, click *Next*>>*Scan Settings*
Under *Scan using the following antivirus database:*, select *extended*
Make sure the *Scan Archives* and *Scan Mail Bases* options are selected as well. Click *OK*
Click *My Computer* and wait for the scan to finish
Click *Save Report As*. Under *Save as type:*, select *Text file*. Save this log to your *Desktop* and post a copy of it here


----------



## emeraldknyght (Apr 26, 2006)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, April 27, 2006 9:01:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/04/2006
Kaspersky Anti-Virus database records: 190296
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 77394
Number of viruses found: 14
Number of infected objects: 57
Number of suspicious objects: 2
Duration of the scan process: 00:41:57

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\pf78.exe/data0002	Infected: Trojan-Downloader.Win32.VB.tw	skipped
C:\WINDOWS\pf78.exe/data0003	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\pf78.exe/data0006	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\pf78.exe/data0007	Infected: Trojan.Win32.VB.tg	skipped
C:\WINDOWS\pf78.exe	NSIS: infected - 4	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZBDSEQ7T\tbfp[1].avi/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZBDSEQ7T\tbfp[1].avi/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZBDSEQ7T\tbfp[1].avi	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\89JT048O\freeprodtb[1].exe/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\89JT048O\freeprodtb[1].exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\89JT048O\freeprodtb[1].exe	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\5V5MUCYB\tbfp[1].avi/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\5V5MUCYB\tbfp[1].avi/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\5V5MUCYB\tbfp[1].avi	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\S9YFO52N\launcher[1].exe/data0001	Infected: Trojan-Downloader.NSIS.Agent.p	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\S9YFO52N\launcher[1].exe	NSIS: infected - 1	skipped
C:\Documents and Settings\mike\Local Settings\Temp\Temporary Internet Files\Content.IE5\1SS7LLG1\send_car_int[1].htm	Suspicious: Exploit.HTML.CodeBaseExec	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\V2VK0945\installer[1].exe/data0001	Infected: not-a-virus:AdWare.Win32.CommAd.a	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\V2VK0945\installer[1].exe	Inno: infected - 1	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\STU7STYF\launcher[1].exe/data0001	Infected: Trojan-Downloader.NSIS.Agent.p	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\STU7STYF\launcher[1].exe	NSIS: infected - 1	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\GX2VKPYZ\ysb_prompt[1].htm	Infected: Trojan-Downloader.JS.IstBar.j	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\85QFWX6N\freeprodtb[1].exe/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\85QFWX6N\freeprodtb[1].exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\85QFWX6N\freeprodtb[1].exe	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\Local Settings\Temporary Internet Files\Content.IE5\85QFWX6N\send_car_int[1].htm	Suspicious: Exploit.HTML.CodeBaseExec	skipped
C:\Documents and Settings\mike\My Documents\torrents\BitTorrent-Stable.exe/stream/data0009	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Documents and Settings\mike\My Documents\torrents\BitTorrent-Stable.exe/stream	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Documents and Settings\mike\My Documents\torrents\BitTorrent-Stable.exe	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\My Documents\My Data Sources\archive\BitTorrent-Stable.exe/stream/data0009	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Documents and Settings\mike\My Documents\My Data Sources\archive\BitTorrent-Stable.exe/stream	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Documents and Settings\mike\My Documents\My Data Sources\archive\BitTorrent-Stable.exe	NSIS: infected - 2	skipped
C:\Documents and Settings\mike\Desktop\l2mfix\dlls\mgimsg.dll	Infected: not-a-virus:AdWare.Win32.Look2Me.ab	skipped
C:\Documents and Settings\mike\Desktop\l2mfix\dlls\guard.tmp	Infected: not-a-virus:AdWare.Win32.Look2Me.ab	skipped
C:\Documents and Settings\mike\Desktop\l2mfix\backup.zip/dlls/mgimsg.dll	Infected: not-a-virus:AdWare.Win32.Look2Me.ab	skipped
C:\Documents and Settings\mike\Desktop\l2mfix\backup.zip/dlls/guard.tmp	Infected: not-a-virus:AdWare.Win32.Look2Me.ab	skipped
C:\Documents and Settings\mike\Desktop\l2mfix\backup.zip	ZIP: infected - 2	skipped
C:\Program Files\BitTorrent\uninstall.exe/stream/data0002	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Program Files\BitTorrent\uninstall.exe/stream	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\Program Files\BitTorrent\uninstall.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP174\A0012544.dll	Infected: not-a-virus:AdWare.Win32.NewDotNet.i	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP176\A0012621.exe/stream/data0002	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP176\A0012621.exe/stream	Infected: not-a-virus:RiskTool.Win32.PsKill.n	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP176\A0012621.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP176\A0012660.exe	Infected: P2P-Worm.Win32.Krepper.c	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014660.exe/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014660.exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014660.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014745.exe/stream/data0007	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014745.exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.j	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014745.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe/data.rar/whAgent.exe	Infected: not-a-virus:AdWare.Win32.WebHancer.351	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe/data.rar/whSurvey.exe	Infected: not-a-virus:AdWare.Win32.WebHancer.381	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe/data.rar/webhdll.dll	Infected: not-a-virus:AdWare.Win32.WebHancer.381	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe/data.rar/whiehlpr.dll	Infected: not-a-virus:AdWare.Win32.WebHancer.381	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe/data.rar	Infected: not-a-virus:AdWare.Win32.WebHancer.381	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014816.exe	RarSFX: infected - 5	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP196\A0014834.exe	Infected: not-a-virus:AdWare.Win32.Maxifiles.y	skipped
C:\System Volume Information\_restore{3E6ED909-6ACB-48A8-860B-9698B24D0759}\RP198\A0014967.dll	Infected: not-a-virus:AdWare.Win32.Look2Me.ab	skipped

Scan process completed.


----------



## brendandonhu (Jul 8, 2002)

Install *CleanUp!*

Save *KillBox* to your *Desktop*

Run *CleanUp!* and go to *Options*>>*Custom CleanUp!*
Put a checkmark next to each of the following items:
*
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
*​Click *OK*>>*CleanUp!*
Exit *CleanUp!*

Go to *Start*>>*Run*. Type *msconfig* and press *Enter*
Click *Launch System Restore* then click *System Restore Settings*
Put a checkmark next to *Turn off system restore on all drives* and click *Apply*>>*OK*
Close *System Restore* utility and the *System Configuration Utility*

Run *KillBox* and select *Delete on Reboot*
Copy this list of file locations to your clipboard:
*
C:\WINDOWS\pf78.exe
*​Go to *File*>>*Paste from clipboard*. Click *All Files*
Press the button with a red circle with an X in it, then *Yes* when prompted to restart your computer
*WARNING:* Your computer will be restarted. Any unsaved work in open applications will be lost.​Go to *Start*>>*Run*. Type *msconfig* and press *Enter*
Click *Launch System Restore* then click *System Restore Settings*
Uncheck *Turn off system restore on all drives* and click *Apply*>>*OK*
Close *System Restore* utility and the *System Configuration Utility*

Let me know if you're still having problems after that.


----------

