# Help, Popup Problem



## zerlphr (Apr 4, 2005)

i am recently being infected by some malwares. i have scanned with adaware and spybot but they couldn't remove the popups.

it will open funny pop ups such as the one below:

hug-ediscounts
http://www.browserbuy-out.com/normal/yyy102.html
http://www.mediapurchases.com/normal/yyy65.html

PLEASE HELP!!

Logfile of HijackThis v1.99.1
Scan saved at 12:51:36 AM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\eBay\Turbo Lister\Tl.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKCU\..\Run: [magica] C:\WINDOWS\System32\magica.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\lvl4093qe.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\kgdsl1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Rache (Sep 30, 2002)

Try Ewido (it's free and picks up things others miss) http://www.ewido.net/en/download/

And get a Google or Yahoo toolbar to stop popups.


----------



## zerlphr (Apr 4, 2005)

it is not really pop up, it just open another window on it's own even if i don't have any windows up


----------



## zerlphr (Apr 4, 2005)

i have already tried ewido


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome 

You have a lot of infection. Please do this first:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click *l2mfix.exe*. Click the *Install* button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option #*1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*

* Note: If you receive an error while running option #1 like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications, choose close to terminate the application.."...then do one of the following:

1: Click on the l2mfix.bat again and choose option # 5 for Fix Autoexec.nt/cmd.exe error.
2: Alternatively, you can click the fixautont.html link in the l2mfix folder and follow the directions there to fix it manually.
Do not run the fix portion without fixing the error first.
After you have performed the procedures to fix the error, repeat the steps above to run option #1 for Run Find Log.


----------



## zerlphr (Apr 4, 2005)

ok i have done all that... what next?


----------



## zerlphr (Apr 4, 2005)

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvl4093qe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kgdsl1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{71BBE2C9-FD67-5AD8-4FE3-A63279E435A9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8E4276A5-9BAE-4F76-995E-01321B86C97B}"=""
"{AA0A1A25-639F-4AD0-8189-EE35B56620F5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjchdprf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\InprocServer32]
@="C:\\WINDOWS\\system32\\kgdsl1.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
kgdsl1.dll Tue Jan 24 2006 10:23:44p ..S.R 234,272 228.78 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K
__dele~1.dll Tue Jan 24 2006 10:19:38p ..... 234,272 228.78 K
__dele~2.dll Tue Jan 24 2006 10:23:48p ..... 234,272 228.78 K

4 items found: 4 files (1 H/S), 0 directories.
Total of file sizes: 788,907 bytes 770.41 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is C888-7FCE

Directory of C:\WINDOWS\System32

01/24/2006 10:23 PM 234,272 kgdsl1.dll
12/26/2005 01:55 PM dllcache
12/24/2005 03:26 PM 99,328 msgconfigrs.exe
02/21/2003 02:38 AM Microsoft
2 File(s) 333,600 bytes
2 Dir(s) 12,124,573,696 bytes free


----------



## Cheeseball81 (Mar 3, 2004)

Close any programs you have open since this step requires a reboot.

Open the *l2mfix folder* and double click *l2mfix.bat* and select option *#2* for *Run Fix* by typing 2 and then pressing enter.
Your desktop and icons will disappear (this is normal).
L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot.
After the reboot notepad will open with a log.
Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
*IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!*
If after the reboot the log does not open, double click on it in the l2mfix folder.


----------



## zerlphr (Apr 4, 2005)

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges. 
The command completed successfully.
Checking for L2MFix account(0=no 1=yes): 
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes): 
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)


----------



## Cheeseball81 (Mar 3, 2004)

Is that the whole thing?

Also need to see a new Hijack This log


----------



## zerlphr (Apr 4, 2005)

the pop ups are still there btw


----------



## zerlphr (Apr 4, 2005)

first of all, thank you very much for the prompt replies


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 2:42:16 AM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKCU\..\Run: [magica] C:\WINDOWS\System32\magica.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\lvl4093qe.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\kt48l7hu1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## zerlphr (Apr 4, 2005)

i ran the l2mfix.bat and chose option 1 to get this log again L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvl4093qe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt48l7hu1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{71BBE2C9-FD67-5AD8-4FE3-A63279E435A9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8E4276A5-9BAE-4F76-995E-01321B86C97B}"=""
"{AA0A1A25-639F-4AD0-8189-EE35B56620F5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjchdprf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\InprocServer32]
@="C:\\WINDOWS\\system32\\mivcr70.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
g4220e~1.dll Wed Jan 25 2006 2:32:00a ..S.R 236,343 230.80 K
kt48l7~1.dll Wed Jan 25 2006 2:29:26a ..S.R 236,119 230.58 K
mivcr70.dll Wed Jan 25 2006 2:32:00a ..S.R 236,119 230.58 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K

4 items found: 4 files (3 H/S), 0 directories.
Total of file sizes: 794,672 bytes 776.05 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is C888-7FCE

Directory of C:\WINDOWS\System32

01/25/2006 02:31 AM 236,119 mivcr70.dll
01/25/2006 02:31 AM 236,343 g4220efoeh2c0.dll
01/25/2006 02:29 AM 236,119 kt48l7hu1.dll
12/26/2005 01:55 PM dllcache
12/24/2005 03:26 PM 99,328 msgconfigrs.exe
02/21/2003 02:38 AM Microsoft
4 File(s) 807,909 bytes
2 Dir(s) 12,125,065,216 bytes free


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome. 

It looks as though the L2MFix wasn't successful so let's give this a try:

Please download *Webroot SpySweeper* from here: http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129
(It's a 2 week trial.)

Click the Free Trial link under to "SpySweeper" to download the program.
Install it.
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.

Paste the contents of the session log you copied into your next reply.


----------



## zerlphr (Apr 4, 2005)

********
2:51 AM: | Start of Session, Wednesday, January 25, 2006 |
2:51 AM: Spy Sweeper started
2:51 AM: Sweep initiated using definitions version 605
2:51 AM: Starting Memory Sweep
2:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:54 AM: Memory Sweep Complete, Elapsed Time: 00:02:38
2:54 AM: Starting Registry Sweep
2:54 AM: Found Adware: elitemediagroup-mediamotor
2:54 AM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
2:54 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
2:54 AM: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
2:54 AM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
2:54 AM: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
2:54 AM: Found System Monitor: sc-keylog
2:54 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
2:54 AM: Found Adware: winad
2:54 AM: HKCR\mediagatewayx.installer\ (5 subtraces) (ID = 372857)
2:54 AM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
2:54 AM: HKLM\software\classes\mediagatewayx.installer\ (5 subtraces) (ID = 398902)
2:54 AM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
2:54 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
2:54 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
2:54 AM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (15 subtraces) (ID = 815132)
2:54 AM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (15 subtraces) (ID = 815145)
2:54 AM: Found Adware: 180search assistant/zango
2:54 AM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (11 subtraces) (ID = 832871)
2:54 AM: Found Adware: command
2:54 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
2:54 AM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
2:54 AM: Found Adware: mediamotor - popuppers
2:54 AM: HKCR\iemonitor.cbrowsers\ (3 subtraces) (ID = 960700)
2:54 AM: HKCR\iemonitor.ieevents\ (3 subtraces) (ID = 960704)
2:54 AM: HKCR\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960709)
2:54 AM: HKCR\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960733)
2:54 AM: HKCR\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960748)
2:54 AM: HKLM\software\classes\iemonitor.cbrowsers\ (3 subtraces) (ID = 960762)
2:54 AM: HKLM\software\classes\iemonitor.ieevents\ (3 subtraces) (ID = 960766)
2:54 AM: HKLM\software\classes\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960771)
2:54 AM: HKLM\software\classes\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960795)
2:54 AM: HKLM\software\classes\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960810)
2:54 AM: Found Adware: elitemediagroup-pop64
2:54 AM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroup\ (2 subtraces) (ID = 1015939)
2:54 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
2:54 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
2:54 AM: HKCR\mediagatewayx.installer.1\ (3 subtraces) (ID = 1023379)
2:54 AM: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1023385)
2:54 AM: HKCR\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023387)
2:54 AM: HKLM\software\classes\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023399)
2:54 AM: HKLM\software\classes\mediagatewayx.installer.1\ (3 subtraces) (ID = 1023409)
2:54 AM: HKCR\appid\activex.dll\ || appid (ID = 1049592)
2:54 AM: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1049593)
2:54 AM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
2:54 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
2:54 AM: Registry Sweep Complete, Elapsed Time:00:00:10
2:54 AM: Starting Cookie Sweep
2:54 AM: Found Spy Cookie: about cookie
2:54 AM: neo [email protected][2].txt (ID = 2037)
2:54 AM: Found Spy Cookie: hbmediapro cookie
2:54 AM: neo [email protected][2].txt (ID = 2768)
2:54 AM: Found Spy Cookie: adultfriendfinder cookie
2:54 AM: neo [email protected][2].txt (ID = 2165)
2:54 AM: Found Spy Cookie: atwola cookie
2:54 AM: neo [email protected][1].txt (ID = 2255)
2:54 AM: Found Spy Cookie: azjmp cookie
2:54 AM: neo [email protected][2].txt (ID = 2270)
2:54 AM: Found Spy Cookie: belnk cookie
2:54 AM: neo [email protected][1].txt (ID = 2292)
2:54 AM: Found Spy Cookie: bizrate cookie
2:54 AM: neo [email protected][1].txt (ID = 2308)
2:54 AM: neo [email protected][1].txt (ID = 2038)
2:54 AM: neo [email protected][2].txt (ID = 2293)
2:54 AM: neo [email protected][1].txt (ID = 2038)
2:54 AM: Found Spy Cookie: starware.com cookie
2:54 AM: neo [email protected][2].txt (ID = 3442)
2:54 AM: Found Spy Cookie: partypoker cookie
2:54 AM: neo [email protected][1].txt (ID = 3111)
2:54 AM: Found Spy Cookie: questionmarket cookie
2:54 AM: neo [email protected][1].txt (ID = 3217)
2:54 AM: Found Spy Cookie: popuppers cookie
2:54 AM: neo [email protected][1].txt (ID = 3158)
2:54 AM: Found Spy Cookie: rn11 cookie
2:54 AM: neo [email protected]n11[2].txt (ID = 3261)
2:54 AM: Found Spy Cookie: dealtime cookie
2:54 AM: neo [email protected][2].txt (ID = 2506)
2:54 AM: Found Spy Cookie: tacoda cookie
2:54 AM: neo [email protected][1].txt (ID = 6444)
2:54 AM: Found Spy Cookie: ugo cookie
2:54 AM: neo [email protected][1].txt (ID = 3608)
2:54 AM: neo [email protected][1].txt (ID = 3442)
2:54 AM: Found Spy Cookie: xiti cookie
2:54 AM: neo [email protected][1].txt (ID = 3717)
2:54 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
2:54 AM: Starting File Sweep
2:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:54 AM: c:\program files\network monitor (ID = -2147459771)
2:55 AM: mmxeyn007[1].exe (ID = 204831)
2:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:56 AM: Found Adware: purityscan
2:56 AM: mediaticketsinstaller.inf (ID = 73158)
2:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:58 AM: Found Adware: look2me
2:58 AM: kt48l7hu1.dll (ID = 159)
2:58 AM: g4220efoeh2c0.dll (ID = 159)
2:58 AM: uninstall_nmon.vbs (ID = 231442)
2:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:58 AM: mivcr70.dll (ID = 159)
2:58 AM: installer[1].exe (ID = 231664)
2:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 AM: unstall[1].exe (ID = 133210)
2:59 AM: unstall.exe (ID = 133210)
2:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 AM: mediaview[1].cab (ID = 187158)
3:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 AM: installer[2].exe (ID = 231664)
3:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 AM: cmdinst.exe (ID = 231664)
3:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:02 AM: iemonitor.ocx (ID = 186211)
3:02 AM: cmdinst.exe (ID = 231664)
3:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:03 AM: napskidcurdcvzcb.vbs (ID = 185675)
3:03 AM: File Sweep Complete, Elapsed Time: 00:08:56
3:03 AM: Full Sweep has completed. Elapsed time 00:11:56
3:03 AM: Traces Found: 356
3:03 AM: Removal process initiated
3:03 AM: Quarantining All Traces: 180search assistant/zango
3:03 AM: Quarantining All Traces: look2me
3:03 AM: look2me is in use. It will be removed on reboot.
3:03 AM: kt48l7hu1.dll is in use. It will be removed on reboot.
3:03 AM: g4220efoeh2c0.dll is in use. It will be removed on reboot.
3:03 AM: mivcr70.dll is in use. It will be removed on reboot.
3:03 AM: Quarantining All Traces: purityscan
3:03 AM: Quarantining All Traces: sc-keylog
3:03 AM: Quarantining All Traces: winad
3:03 AM: Quarantining All Traces: command
3:04 AM: Quarantining All Traces: elitemediagroup-mediamotor
3:04 AM: Quarantining All Traces: elitemediagroup-pop64
3:04 AM: Quarantining All Traces: mediamotor - popuppers
3:04 AM: Quarantining All Traces: about cookie
3:04 AM: Quarantining All Traces: adultfriendfinder cookie
3:04 AM: Quarantining All Traces: atwola cookie
3:04 AM: Quarantining All Traces: azjmp cookie
3:04 AM: Quarantining All Traces: belnk cookie
3:04 AM: Quarantining All Traces: bizrate cookie
3:04 AM: Quarantining All Traces: dealtime cookie
3:04 AM: Quarantining All Traces: hbmediapro cookie
3:04 AM: Quarantining All Traces: partypoker cookie
3:04 AM: Quarantining All Traces: popuppers cookie
3:04 AM: Quarantining All Traces: questionmarket cookie
3:04 AM: Quarantining All Traces: rn11 cookie
3:04 AM: Quarantining All Traces: starware.com cookie
3:04 AM: Quarantining All Traces: tacoda cookie
3:04 AM: Quarantining All Traces: ugo cookie
3:04 AM: Quarantining All Traces: xiti cookie
3:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 AM: Preparing to restart your computer. Please wait...
3:04 AM: Removal process completed. Elapsed time 00:00:46
********
2:50 AM: | Start of Session, Wednesday, January 25, 2006 |
2:50 AM: Spy Sweeper started
2:51 AM: Your spyware definitions have been updated.
2:51 AM: | End of Session, Wednesday, January 25, 2006 |


----------



## zerlphr (Apr 4, 2005)

seems like the problem is solved. another updated hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 3:44:26 AM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKCU\..\Run: [magica] C:\WINDOWS\System32\magica.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\g4220efoeh2c0.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Cheeseball81 (Mar 3, 2004)

Not quite yet  Be back soon with instructions


----------



## Cheeseball81 (Mar 3, 2004)

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.exe
Save it to your desktop.
*DO NOT* run it yet.

For the next step, each will have to be entered one at a time.

Click *Start*  *Run* - and type in:

*services.msc*

Click OK.

In the services window find:

*dllmgr64

fwnet64

netconf32

sysmgr64 *

Right click and choose *Properties*. On the *General* tab under *Service Status* click the *Stop* button to stop the service. Beside *Startup Type* in the dropdown menu select *Disabled*. Click *Apply* then *OK*. Exit the Services utility.

*Note: *You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe

O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe

O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe

O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe

O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe

O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe

O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe

O4 - HKCU\..\Run: [Microsoft Configure 32] msgconfigre.exe

O4 - HKCU\..\Run: [magica] C:\WINDOWS\System32\magica.exe

O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\g4220efoeh2c0.dll (file missing)

O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)

O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)

O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)

O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)*

Boot into Safe Mode.

* Double-click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\System32\msaconfig.exe
C:\WINDOWS\System32\msgconfigre.exe
C:\WINDOWS\System32\magica.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\Program Files\PartyPoker
C:\WINDOWS\dllmgr64.exe
C:\WINDOWS\fwnet64.exe
C:\WINDOWS\netconf32.exe
C:\WINDOWS\sysmgr64.exe *

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by ALL the options there except these three:
XP Prefetch
Recent
History
Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:53:29 PM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:53:29 PM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Cheeseball81 (Mar 3, 2004)

How are things now?


----------



## zerlphr (Apr 4, 2005)

seems better but ewido occasionally pops up alert


----------



## Cheeseball81 (Mar 3, 2004)

What alert is it?


----------



## zerlphr (Apr 4, 2005)

hi there, after a while, i have no problems, but suddenly the windows popped back out again... it should be due the spysweeper expiring....

Logfile of HijackThis v1.99.1
Scan saved at 10:51:25 AM, on 2/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\mswmf32.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\msn32xp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\systems.exe
C:\windows\winsysban8.exe
C:\kndve.exe
C:\WINDOWS\System32\real.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\msoftconf1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
c:\os.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\pcvp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://exchange.nus.edu.sg/exchange/u0404267
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Driver] systems.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\kndve.exe
O4 - HKLM\..\Run: [Service] real.exe
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\Run: [pcvp] C:\WINDOWS\System32\pcvp.exe
O4 - HKLM\..\RunServices: [System Driver] systems.exe
O4 - HKLM\..\RunServices: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKLM\..\RunServices: [Service] real.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\RunOnce: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKCU\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKCU\..\RunOnce: [Microsoft Video Capture Controls] msn32xp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\iElmdev5.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Please help!!


----------



## Cheeseball81 (Mar 3, 2004)

L2M is back, along with other nasties

Download *L2mfix* from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click *l2mfix.exe*. Click the *Install* button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option #*1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*

Note: If you receive an error while running option #1 like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications, choose close to terminate the application.."...then do one of the following:

1: Click on the l2mfix.bat again and choose option # 5 for Fix Autoexec.nt/cmd.exe error.
2: Alternatively, you can click the fixautont.html link in the l2mfix folder and follow the directions there to fix it manually.
Do not run the fix portion without fixing the error first.
After you have performed the procedures to fix the error, repeat the steps above to run option #1 for Run Find Log.


----------



## zerlphr (Apr 4, 2005)

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iElmdev5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{71BBE2C9-FD67-5AD8-4FE3-A63279E435A9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8E4276A5-9BAE-4F76-995E-01321B86C97B}"=""
"{AA0A1A25-639F-4AD0-8189-EE35B56620F5}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{1163AD9A-8CD6-407D-8530-EA841BF59EE2}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjchdprf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\InprocServer32]
@="C:\\WINDOWS\\system32\\mivcr70.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\InprocServer32]
@="C:\\WINDOWS\\system32\\iElmdev5.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
hmfci007.dll Wed Feb 15 2006 10:42:14a ..S.R 234,272 228.78 K
ielmdev5.dll Wed Feb 15 2006 10:42:10a ..S.R 234,272 228.78 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K
wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K
wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K

5 items found: 5 files (2 H/S), 0 directories.
Total of file sizes: 1,065,099 bytes 1.02 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is C888-7FCE

Directory of C:\WINDOWS\System32

02/15/2006 10:42 AM 234,272 HMFCI007.dll
02/15/2006 10:42 AM 234,272 iElmdev5.dll
02/13/2006 04:38 PM 109,568 systems.exe
02/07/2006 02:09 PM 99,328 msoftconf1.exe
01/28/2006 06:26 AM 100,352 msgconfigrs.exe
12/26/2005 01:55 PM dllcache
02/21/2003 02:38 AM Microsoft
08/29/2002 07:41 PM 105,472 real.exe
08/29/2002 07:41 PM 80,896 mssvcc.exe
08/29/2002 07:41 PM 76,800 mssecure.exe
8 File(s) 1,040,960 bytes
2 Dir(s) 10,892,877,824 bytes free


----------



## zerlphr (Apr 4, 2005)

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iElmdev5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{71BBE2C9-FD67-5AD8-4FE3-A63279E435A9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8E4276A5-9BAE-4F76-995E-01321B86C97B}"=""
"{AA0A1A25-639F-4AD0-8189-EE35B56620F5}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{1163AD9A-8CD6-407D-8530-EA841BF59EE2}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjchdprf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\InprocServer32]
@="C:\\WINDOWS\\system32\\mivcr70.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\InprocServer32]
@="C:\\WINDOWS\\system32\\iElmdev5.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
hmfci007.dll Wed Feb 15 2006 10:42:14a ..S.R 234,272 228.78 K
ielmdev5.dll Wed Feb 15 2006 10:42:10a ..S.R 234,272 228.78 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K
wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K
wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K

5 items found: 5 files (2 H/S), 0 directories.
Total of file sizes: 1,065,099 bytes 1.02 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is C888-7FCE

Directory of C:\WINDOWS\System32

02/15/2006 10:42 AM 234,272 HMFCI007.dll
02/15/2006 10:42 AM 234,272 iElmdev5.dll
02/13/2006 04:38 PM 109,568 systems.exe
02/07/2006 02:09 PM 99,328 msoftconf1.exe
01/28/2006 06:26 AM 100,352 msgconfigrs.exe
12/26/2005 01:55 PM dllcache
02/21/2003 02:38 AM Microsoft
08/29/2002 07:41 PM 105,472 real.exe
08/29/2002 07:41 PM 80,896 mssvcc.exe
08/29/2002 07:41 PM 76,800 mssecure.exe
8 File(s) 1,040,960 bytes
2 Dir(s) 10,892,877,824 bytes free


----------



## Cheeseball81 (Mar 3, 2004)

Close any programs you have open since this step requires a reboot.

Open the *l2mfix folder* and double click *l2mfix.bat* and select option *#2* for *Run Fix* by typing 2 and then pressing enter.
Your desktop and icons will disappear (this is normal).
L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot.
After the reboot notepad will open with a log.
Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
*IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!*
If after the reboot the log does not open, double click on it in the l2mfix folder.


----------



## zerlphr (Apr 4, 2005)

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges. 
The command completed successfully.
Checking for L2MFix account(0=no 1=yes): 
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 788 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 884 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 824 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 352 'rundll32.exe'
Killing PID 264 'rundll32.exe'
Killing PID 620 'rundll32.exe'
Killing PID 1300 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\enj6l11s1.dll 
Successfully Deleted: C:\WINDOWS\system32\enj6l11s1.dll 
Deleting: C:\WINDOWS\system32\hrrs0597e.dll 
Successfully Deleted: C:\WINDOWS\system32\hrrs0597e.dll 
Deleting: C:\WINDOWS\system32\iElmdev5.dll 
Successfully Deleted: C:\WINDOWS\system32\iElmdev5.dll 
Deleting: C:\WINDOWS\system32\kadth2.dll 
Successfully Deleted: C:\WINDOWS\system32\kadth2.dll 
Deleting: C:\WINDOWS\system32\SwrngAPI.dll 
Successfully Deleted: C:\WINDOWS\system32\SwrngAPI.dll

msg11?.dll 
0 file(s) copied.
Desktop.ini sucessfully removed

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iElmdev5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\enj6l11s1.dll 
C:\WINDOWS\system32\hrrs0597e.dll 
C:\WINDOWS\system32\iElmdev5.dll 
C:\WINDOWS\system32\kadth2.dll 
C:\WINDOWS\system32\SwrngAPI.dll

Registry Entries that were Deleted: 
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjchdprf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}\InprocServer32]
@="C:\\WINDOWS\\system32\\mivcr70.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}\InprocServer32]
@="C:\\WINDOWS\\system32\\kadth2.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8E4276A5-9BAE-4F76-995E-01321B86C97B}"=-
"{AA0A1A25-639F-4AD0-8189-EE35B56620F5}"=-
"{1163AD9A-8CD6-407D-8530-EA841BF59EE2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8E4276A5-9BAE-4F76-995E-01321B86C97B}]
[-HKEY_CLASSES_ROOT\CLSID\{AA0A1A25-639F-4AD0-8189-EE35B56620F5}]
[-HKEY_CLASSES_ROOT\CLSID\{1163AD9A-8CD6-407D-8530-EA841BF59EE2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes): 
0
Zipping up files for submission:
adding: dlls/enj6l11s1.dll (164 bytes security) (deflated 5%)
adding: dlls/hrrs0597e.dll (164 bytes security) (deflated 5%)
adding: dlls/iElmdev5.dll (164 bytes security) (deflated 4%)
adding: dlls/kadth2.dll (164 bytes security) (deflated 4%)
adding: dlls/SwrngAPI.dll (164 bytes security) (deflated 4%)
adding: backregs/1163AD9A-8CD6-407D-8530-EA841BF59EE2.reg (212 bytes security) (deflated 70%)
adding: backregs/8E4276A5-9BAE-4F76-995E-01321B86C97B.reg (212 bytes security) (deflated 70%)
adding: backregs/AA0A1A25-639F-4AD0-8189-EE35B56620F5.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 12:22:39 AM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\mswmf32.exe
C:\WINDOWS\System32\systems.exe
C:\windows\winsysban8.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\msoftconf1.exe
C:\kndve.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\real.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\pcvp.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
c:\os.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Driver] systems.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\kndve.exe
O4 - HKLM\..\Run: [Service] real.exe
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\Run: [pcvp] C:\WINDOWS\System32\pcvp.exe
O4 - HKLM\..\RunServices: [System Driver] systems.exe
O4 - HKLM\..\RunServices: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKLM\..\RunServices: [Service] real.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\RunOnce: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKCU\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKCU\..\RunOnce: [Microsoft Video Capture Controls] msn32xp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\iElmdev5.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe
O23 - Service: Microsoft Video Capture Controls (NDIS DIP Layer Transport Device) - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\msn32xp.exe" -netsvcs (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Cheeseball81 (Mar 3, 2004)

Please do a scan with* Ewido*.

Boot into *Safe Mode*.

Launch Ewido.
Click on scanner.
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

*Post a new Hijack This log and the results of the Ewido scan.*


----------



## zerlphr (Apr 4, 2005)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:53:22 PM, 2/16/2006
+ Report-Checksum: 4DB593F3

+ Scan result:

HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup
HKU\S-1-5-21-2211992698-41798728-916698469-1005\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-2211992698-41798728-916698469-1005\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-2211992698-41798728-916698469-1005\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
C:\cnef.exe -> Proxy.Ranky.dy : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GBK7U94H\all[1].tar -> Backdoor.Agent.tk : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5IJW9MN\c[1].txt -> Proxy.Ranky.dy : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5IJW9MN\members[1].zip -> Backdoor.Agent.tk : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Neo Zhizhong\Application Data\Mozilla\Firefox\Profiles\4di84337.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Cookies\neo [email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\backup.zip/dlls/enj6l11s1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\backup.zip/dlls/hrrs0597e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\backup.zip/dlls/iElmdev5.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\backup.zip/dlls/kadth2.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\backup.zip/dlls/SwrngAPI.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\dlls\enj6l11s1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\dlls\hrrs0597e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\dlls\iElmdev5.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\dlls\kadth2.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Desktop\l2mfix\dlls\SwrngAPI.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\9TG2CNHN\drsmartload396a[1].exe -> Downloader.Adload.o : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\C9QNCT63\Installer[1].exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\KPYJ092V\bridge-c24[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\MJHYFAFT\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\MJHYFAFT\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\O9SPERWD\MediaGateway[1].exe -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\O9SPERWD\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\SHMJW92R\mmxeyn007[1].exe -> Downloader.VB.sh : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\SHMJW92R\test[1].exe -> Hijacker.Small.dw : Cleaned with backup
C:\Documents and Settings\Neo Zhizhong\Local Settings\Temporary Internet Files\Content.IE5\WTY78PQB\alg[1].exe -> Trojan.LowZones.bb : Cleaned with backup
C:\drsmartload396a.exe -> Downloader.Adload.o : Cleaned with backup
C:\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\kndve.exe -> Backdoor.Agent.tk : Cleaned with backup
C:\mmxeyn007.exe -> Downloader.VB.sh : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\Newme.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\os.exe -> Hijacker.Small.dw : Cleaned with backup
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc1.exe -> Downloader.Small.buy : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc2.exe -> Trojan.LowZones.bb : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc3.exe -> Backdoor.Rbot : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc5.exe -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc6.exe -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc7.exe -> Downloader.VB.sh : Cleaned with backup
C:\RECYCLER\S-1-5-21-2211992698-41798728-916698469-1005\Dc8.exe -> Adware.Look2Me : Cleaned with backup
C:\styleme.exe -> Downloader.VB.sh : Cleaned with backup
C:\svcss.exe -> Trojan.LowZones.bb : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\uvend.exe -> Backdoor.Agent.tk : Cleaned with backup
C:\WINDOWS\dllmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\fwnet64.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
C:\WINDOWS\mswmf32.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\myupdates.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\sysmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91J4P93D\gimmygames[1].exe -> Downloader.VB.wd : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91J4P93D\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91J4P93D\winsysupd7[1].exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B69DLZ8U\bridge-c24[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B69DLZ8U\Installer[2].exe -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B69DLZ8U\myupdates[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B69DLZ8U\winsysupd4[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B69DLZ8U\winvista2[1].exe -> Trojan.LowZones.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GG87HUS9\alg[1].exe -> Trojan.LowZones.bb : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GG87HUS9\goaway[1].exe -> Trojan.LowZones.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GG87HUS9\goaway[2].exe -> Trojan.LowZones.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GG87HUS9\mediaview[1].cab/elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GG87HUS9\mmxeyn007[1].exe -> Downloader.VB.sh : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLNC2L7A\drsmartload[1].exe -> Downloader.VB.wj : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLNC2L7A\test[1].exe -> Hijacker.Small.dw : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLNC2L7A\winsysban7[1].exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\system32\eraseme_15285.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_46787.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_47751.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_50644.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_55031.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_57765.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_72331.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_81588.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\msn32xp.exe -> Backdoor.Wootbot : Cleaned with backup
C:\WINDOWS\system32\mssecure.exe -> Backdoor.Rbot.aoi : Cleaned with backup
C:\WINDOWS\system32\mssvcc.exe -> Backdoor.Rbot.aoi : Cleaned with backup
C:\WINDOWS\system32\pcvp.exe -> Proxy.Ranky.dy : Cleaned with backup
C:\WINDOWS\system32\real.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\system32\taskmanger.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\Temp\ICD2.tmp\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Temp\ICD3.tmp\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\TmVvIFpoaXpob25n\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\TmVvIFpoaXpob25n\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\winsysupd4.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup

::Report End


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:47:13 PM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\systems.exe
C:\windows\winsysban8.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\msoftconf1.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\winsysban9.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Driver] systems.exe
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe
O4 - HKLM\..\RunServices: [System Driver] systems.exe
O4 - HKLM\..\RunServices: [Microsoft Configure1 32] msoftconf1.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\denhpast.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\iElmdev5.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## zerlphr (Apr 4, 2005)

please help, thank you~


----------



## Cheeseball81 (Mar 3, 2004)

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.exe
Save it to your desktop.
*DO NOT* run it yet.

* Go to Add/Remove Programs and uninstall *Network Monitor*.

* Click here to download *NetworkMonitor.zip*: http://www.geekstogo.com/forum/index.php?act=Attach&type=post&id=6386
Save it to your desktop.
Unzip it to extract the NetworkMonitor.reg file it contains. Don't run the reg file yet.

Click *Start*  *Run* - and type in:

*services.msc*

Click OK.

In the services window find:

*Command Service

mswmf32

Network Monitor*

Right click and choose *Properties*. On the *General* tab under *Service Status* click the *Stop* button to stop the service. Beside *Startup Type* in the dropdown menu select *Disabled*. Click *Apply* then *OK*. Exit the Services utility.

*Note: *You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Boot into *Safe Mode*.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [System Driver] systems.exe

O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe

O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe

O4 - HKLM\..\Run: [Microsoft Configure1 32] msoftconf1.exe

O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe

O4 - HKLM\..\RunServices: [System Driver] systems.exe

O4 - HKLM\..\RunServices: [Microsoft Configure1 32] msoftconf1.exe

O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seek...bridge-c24.cab

O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\denhpast.dll

O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\iElmdev5.dll (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe

O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe*

Exit Hijack This.

* Double click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\Program Files\TheSearchAccelerator
c:\windows\winsysupd9.exe
c:\windows\winsysban9.exe
c:\windows\gimmygames9.exe
C:\WINDOWS\system32\systems.exe
C:\WINDOWS\system32\msoftconf1.exe
C:\WINDOWS\system32\denhpast.dll
C:\WINDOWS\TmVvIFpoaXpob25n
C:\Program Files\Network Monitor*

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by ALL the options there except these three:
*XP Prefetch
Recent
History*
Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

* Double click on the *NetworkMonitor.reg* file to add it to the registry. Answer yes to confirm the merge.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new Hijack This log.


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:07:25 PM, on 2/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\msnxpexe.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\i4060edseh060.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## zerlphr (Apr 4, 2005)

the windows are still popping up


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:04:00 PM, on 2/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\msnxpexe.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic1.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\i4060edseh060.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## zerlphr (Apr 4, 2005)

wat about the msnxpexe.exe?


----------



## Cheeseball81 (Mar 3, 2004)

The L2M infection is back.

*Click here* to download Look2Me-Destroyer.exe and save it to your desktop.


Close all windows before continuing.

Double-click *Look2Me-Destroyer.exe* to run it.

Put a check next to *Run this program as a task.*

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click *OK*

When Look2Me-Destroyer re-opens, click the *Scan for L2M* button, your desktop icons will disappear, this is normal.

Once it's done scanning, click the *Remove L2M* button.

You will receive a *Done Scanning* message, click *OK*.

When completed, you will receive this message: *Done removing infected files! Look2Me-Destroyer will now shutdown your computer*, click *OK*.

Your computer will then shutdown.

Turn your computer back on.

Please post the contents of C:\*Look2Me-Destroyer.txt* and a new HiJackThis log.


If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a *runtime error '339'* please download MSWINSCK.OCX from the link below and place it in your *C:\Windows\System32* Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


----------



## zerlphr (Apr 4, 2005)

i rebooted and tried again but l2m destroyer doesn't pop up


----------



## zerlphr (Apr 4, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 12:15:05 PM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\msnxpexe.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Neo Zhizhong\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*O4 - HKLM\..\Run: [System Service] msnxpexe.exe

O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe

O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB*

Boot into Safe Mode.

KillBox this file: *C:\WINDOWS\System32\msnxpexe.exe*

Reboot, post a new log.


----------



## zerlphr (Apr 4, 2005)

HELP! the problem is back.... i have a few weeks of peace before the omnipotent pop up dingy is back.... here's a log of hjt. Thank you for helping!

Logfile of HijackThis v1.99.1
Scan saved at 9:25:55 PM, on 4/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\mousepad12.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\zaber.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\Sc32Inch.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\.ZerLphR\virus fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [System Service] msnxpexe.exe
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\Run: [Service] real.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [newname] C:\windows\newname12.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad12.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard12.exe
O4 - HKLM\..\RunServices: [System Service] msnxpexe.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKLM\..\RunServices: [Service] real.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Microsoft Video Capture Controls] msn32xp.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\RunOnce: [Microsoft Video Capture Controls] msn32xp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E9264-1CAC-4322-AFAF-472DF0C54764}: NameServer = 165.21.100.88 165.21.83.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\bdackbox.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: mtklefap - {A8A84252-1D1A-470F-8197-91C64EA0DBCF} - C:\WINDOWS\System32\ixwr32.dll (file missing)
O21 - SSODL: mtklefap - {A8A84252-1D1A-470F-8197-91C64EA0DBCF} - C:\WINDOWS\System32\ixwr32.dll (file missing)
O21 - SSODL: mtklefa - {BF1143AD-F879-41B0-14BC-AD7FF5D2C89A} - C:\WINDOWS\System32\idsab32.dll (file missing)
O21 - SSODL: mtklef - {8A87684F-124B-4905-47AE-826313675D2E} - C:\WINDOWS\System32\yyie32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVvIFpoaXpob25n\command.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Windows System32 - Unknown owner - C:\WINDOWS\zaber.exe
O23 - Service: Microsoft Video Capture Controls (NDIS DIP Layer Transport Device) - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\msn32xp.exe" -netsvcs (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINDOWS\Sc32Inch.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------

