Logfile of HijackThis v1.99.1 Scan saved at 2:59:16 PM, on 7/22/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe C:\Program Files\Common Files\AOL\1135730972\ee\AOLSoftware.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe C:\WINDOWS\cfg32.exe C:\nwnmed_7.exe C:\dfndred_7.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\kybrded_7.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\AIM\aim.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\Dell Photo Printer 720\dlbcserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\cfg32a.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\System32\svchost.exe c:\program files\common files\aol\1135730972\ee\aexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135730972\ee\AOLSoftware.exe O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~2\bar\1.bin\mwsoemon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe O4 - HKLM\..\Run: [qam8f8d1] RUNDLL32.EXE w25b3eef.dll,n 0018f8d00000000325b3eef O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe O4 - HKLM\..\Run: [newname] C:\\nwnmed_7.exe O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149876603363 O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\nztid.dll O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\lqrmonui.dll O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ackctrs.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\MFRDO20.DLL O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\xlsp2res.dll O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\npdeapi.dll O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\mqwstr10.dll O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\uyicows.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Daemon Desync Protocol Service (DDPS) - Unknown owner - C:\WINDOWS\msdds.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
Hi there, you got some infections... Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on desktop IMPORTANT: Before continuing, you MUST do the following: ->Print this or save as a textfile ->Click start -> run -> services.msc -> ok ->Check that this service is running or its startuptype is automatic Secondary logon ->Disconnect from internet (unplug your network cable) ->Close ALL antivirus programs (this is essential!) ->Close all windows before continuing. ->Double-click Look2Me-Destroyer.exe to run it. ->Put a check next to Run this program as a task. ->You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK ->When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal. ->Once it's done scanning, click the Remove L2M button. ->You will receive a Done Scanning message, click OK. ->When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK. ->Your computer will then shutdown. ->Turn your computer back on. ->Please post the contents of C:\Look2Me-Destroyer.txt If you receive a message from your firewall about this program accessing the internet please allow it. If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
thanks i cant seem to check the on button in windows firewall? Look2Me-Destroyer V1.0.12 Scanning for infected files..... Scan started at 7/22/2006 4:20:05 PM Infected! C:\WINDOWS\system32\nztid.dll Infected! C:\WINDOWS\system32\lqrmonui.dll Infected! C:\WINDOWS\system32\MFRDO20.DLL Infected! C:\WINDOWS\system32\xlsp2res.dll Infected! C:\WINDOWS\system32\npdeapi.dll Infected! C:\WINDOWS\system32\mqwstr10.dll Infected! C:\WINDOWS\system32\uyicows.dll Infected! C:\WINDOWS\system32\ackctrs.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016556.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016557.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016558.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016560.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016561.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016562.dll Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016563.dll Infected! C:\WINDOWS\system32\wfps.dll Attempting to delete infected files... Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016556.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016556.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016557.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016557.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016558.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016558.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016560.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016560.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016561.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016561.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016562.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016562.dll Deleted successfully! Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016563.dll C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP201\A0016563.dll Deleted successfully! Attempting to delete: C:\WINDOWS\system32\wfps.dll C:\WINDOWS\system32\wfps.dll Deleted successfully! Making registry repairs. Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5580C2EF-FA42-49EC-A992-39A1B5F05A2F}" HKCR\Clsid\{5580C2EF-FA42-49EC-A992-39A1B5F05A2F} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{55EB4F3B-3406-44C9-A745-F122DFD08E2A}" HKCR\Clsid\{55EB4F3B-3406-44C9-A745-F122DFD08E2A} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EED99203-F772-40F6-A753-953851885A46}" HKCR\Clsid\{EED99203-F772-40F6-A753-953851885A46} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C9BA3C7D-8790-4232-B810-3AA515AE78C1}" HKCR\Clsid\{C9BA3C7D-8790-4232-B810-3AA515AE78C1} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E5E52365-14B2-4238-9B13-B1DC54FE925E}" HKCR\Clsid\{E5E52365-14B2-4238-9B13-B1DC54FE925E} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E060F250-027A-4EE3-A1FF-B232F7197099}" HKCR\Clsid\{E060F250-027A-4EE3-A1FF-B232F7197099} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1966705B-3CF4-4927-9EA9-0A60AD766B09}" HKCR\Clsid\{1966705B-3CF4-4927-9EA9-0A60AD766B09} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BFE5FFB6-6DEF-4170-8EE1-88EA8D975679}" HKCR\Clsid\{BFE5FFB6-6DEF-4170-8EE1-88EA8D975679} Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4C115DD6-207D-4247-A747-0FB452C116DA}" HKCR\Clsid\{4C115DD6-207D-4247-A747-0FB452C116DA} Restoring Windows certificates. Replaced hosts file with default windows hosts file Restoring SeDebugPrivilege for Administrators - Succeeded
Ok, we'll continue... Download L2mfix to your desktop -> http://www.atribune.org/downloads/l2mfix.exe -> Double click l2mfix.exe. -> Click the Install button to extract the files and follow the prompts -> Open the newly added l2mfix folder on your desktop. -> Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. -> This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. -> Copy the contents of that log and paste it into this thread. Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! Post a fresh HjT log to here too.
L2MFIX find log 051206 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxdev.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] "Logon"="WLEventLogon" "Logoff"="WLEventLogoff" "Startup"="WLEventStartup" "Shutdown"="WLEventShutdown" "StartScreenSaver"="WLEventStartScreenSaver" "StopScreenSaver"="WLEventStopScreenSaver" "Lock"="WLEventLock" "Unlock"="WLEventUnlock" "StartShell"="WLEventStartShell" "PostShell"="WLEventPostShell" "Disconnect"="WLEventDisconnect" "Reconnect"="WLEventReconnect" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000000 "SafeMode"=dword:00000001 "MaxWait"=dword:ffffffff "DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Event"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings] "Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\ 00,00,80,31,61,50,49,8f,82,4d,bf,ca,ff,90,80,6c,be,77,04,00,00,00,04,00,00,\ 00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,1e,98,f6,b0,f6,fa,61,e9,\ dd,04,b1,dd,a3,12,ae,16,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,63,\ c6,b2,6d,5c,e7,fc,77,fa,f6,31,1e,a4,ad,a5,d8,08,06,00,00,a5,52,d9,21,aa,b8,\ 86,70,d8,fd,88,0a,fc,09,8a,9e,ac,5d,06,e7,ec,b4,c7,02,ec,7f,34,c5,2a,46,58,\ b3,4c,21,e0,59,94,fc,8e,0b,89,c5,88,b2,62,97,2e,d4,6f,75,45,63,67,1a,ce,88,\ 13,2c,5b,1e,1a,6c,80,ef,48,05,dc,7a,a4,27,c7,92,8e,12,e0,ec,86,cb,78,f1,df,\ f3,9f,2f,45,dc,e6,c6,56,13,5a,21,36,bd,8d,34,e3,c8,60,00,03,07,ed,c8,fd,ae,\ a9,cd,a9,e4,cb,4f,77,94,01,bb,27,e2,2d,2d,ae,52,04,1e,70,b2,3b,9d,d7,d1,5c,\ 50,64,ab,bb,c8,3e,67,67,8b,d7,07,55,ec,4f,36,4f,bb,b3,57,6a,a0,39,18,e5,7a,\ c4,1a,f1,b4,e9,c4,d0,18,6a,82,96,ec,28,9a,4d,b0,a7,5f,b2,83,5d,51,9e,a2,ec,\ fa,39,c4,09,1d,d1,71,9b,13,9b,5d,b2,2b,6a,c9,65,22,5c,89,f2,8b,b0,59,46,24,\ 47,3b,ba,fc,53,e7,b1,b4,53,1c,26,b9,1f,e4,da,ad,a2,d2,7d,4d,98,8f,1c,99,83,\ 27,5f,cb,cd,2d,10,d6,bf,f2,65,6c,0f,08,dd,47,c3,e9,38,d6,bc,d2,8c,5d,e3,55,\ ba,df,84,6c,e2,0a,d4,67,46,ee,51,86,36,9d,5f,d6,77,18,f1,5a,9c,6f,e6,35,67,\ a7,bc,f6,bb,93,99,0f,68,63,ea,d0,ea,87,e6,86,a9,b5,4a,21,52,a7,70,c8,4e,54,\ fd,ed,f9,09,61,75,c2,9c,c2,9e,70,33,8e,7d,85,7e,68,83,ee,a9,e8,f4,2e,10,3b,\ b9,fa,78,09,6a,c2,49,3b,4a,88,42,3f,93,55,47,99,51,e3,9c,31,b9,1e,67,25,70,\ d2,49,fc,bd,d6,49,f5,8b,fa,8a,50,b5,38,f6,76,48,e9,93,75,05,b6,e3,fd,fb,e3,\ 4f,5a,66,31,4d,85,f1,54,c3,fc,a9,1a,06,cf,04,f9,fe,84,d2,bf,ab,99,76,bf,9d,\ 2a,eb,83,31,f0,55,b1,a1,4f,2d,2b,03,ed,16,51,0e,e7,3c,98,2e,54,34,b3,10,69,\ c6,c6,dc,f5,2f,89,dc,b8,aa,c4,06,fd,be,a4,cc,21,dd,20,74,dc,e4,18,99,bb,22,\ 6a,34,73,da,eb,ec,5c,f5,b8,e1,2f,0c,26,d1,ce,c5,e8,84,9c,cd,90,97,8d,69,a6,\ cf,5d,6b,9f,0c,3f,ad,46,cc,55,fa,c0,07,1a,77,1e,2f,57,77,d7,3a,77,cd,2b,db,\ c4,b9,e1,07,96,47,d6,15,9e,61,57,7d,65,98,9c,a2,67,bc,aa,8c,16,c2,ac,70,5d,\ 83,2b,1b,d6,58,1a,2e,5b,19,ee,25,5e,3c,ef,ed,bd,09,b1,3a,ff,b1,26,e3,ce,e3,\ 22,77,b4,d3,56,a4,17,55,b1,fc,8b,9e,27,c9,df,09,d7,13,2b,12,63,86,30,c7,a5,\ 70,cc,26,0e,4d,3f,54,75,1c,e7,96,ad,55,32,7f,77,a0,85,22,0c,c4,be,db,80,89,\ e3,2e,67,c0,32,92,31,7b,96,ff,4d,e9,c9,b0,51,8a,39,da,aa,ac,a0,5f,50,ab,f9,\ a1,97,36,be,cf,6d,f9,db,cc,2a,5b,15,4b,58,d9,03,83,20,cc,0a,2a,fc,05,80,f3,\ 23,05,29,4d,32,38,cf,94,f6,b9,73,72,37,0b,ad,19,98,52,58,f4,c8,e6,9f,30,7f,\ 5f,1b,78,33,a5,60,a1,da,49,38,08,12,58,02,e8,9a,fd,08,32,fc,0e,5f,b1,a0,d1,\ 2b,57,b7,40,58,0e,cc,32,fa,78,cb,46,0c,a7,18,61,15,9f,92,7d,93,e8,da,f0,05,\ bc,29,e5,1d,63,88,04,a4,24,bb,98,34,4e,e4,61,16,a6,26,49,87,d4,f8,31,e3,1c,\ b4,7a,17,dd,08,04,34,cb,02,4b,33,b9,6b,c7,6f,ea,d8,4a,51,87,e3,5e,54,dc,f1,\ a3,3e,08,9d,79,92,70,d6,f5,20,62,77,25,de,77,7d,8a,b2,04,1d,76,4b,59,4c,88,\ 51,a6,15,b4,39,16,e8,8a,46,2d,ad,e9,74,2d,d8,9f,85,44,6a,f7,d2,f7,b4,2c,37,\ fd,31,8a,35,f6,58,46,74,d3,42,5d,5f,35,1d,11,72,c5,cd,9e,4f,36,a5,32,1b,66,\ af,59,3b,aa,50,db,d4,02,1e,f2,48,52,38,04,6c,d7,dc,79,8a,79,1c,fe,13,08,ad,\ 95,ae,86,18,64,e5,e4,d4,1d,f1,72,70,51,49,3b,c9,0c,6e,78,d0,d6,0b,8f,c0,00,\ ad,57,c4,36,9f,80,88,fb,f5,4a,8f,06,8b,fb,ff,c6,be,e9,54,a6,ea,56,57,f4,18,\ b7,9b,78,e6,21,5e,dd,da,9c,af,ca,2c,04,6a,8b,48,fc,68,1c,cb,df,67,07,cd,26,\ b1,66,52,51,f7,08,af,25,cd,3f,e3,3a,ab,31,20,9b,34,77,63,22,b7,d1,d3,28,34,\ d8,f8,30,25,b3,7c,1f,28,4a,04,a3,07,ef,13,87,b8,7f,54,0f,da,46,69,5d,39,b3,\ 72,d4,c9,97,7b,a9,7f,9c,d8,17,2a,0c,96,77,f8,2e,ed,02,a8,89,9b,1c,1e,f5,05,\ 91,63,01,c4,2c,63,65,b7,03,82,8e,42,80,dd,1f,82,13,a7,dc,30,3c,cd,e2,d2,c0,\ 7c,27,e3,4d,2e,6f,1e,f8,1a,83,87,7c,18,67,b5,87,95,fa,6f,4b,99,9b,a9,f7,21,\ 9f,66,8b,eb,ce,1e,f0,1b,36,47,54,0d,4b,78,48,03,51,b2,53,95,d8,ce,86,6d,3e,\ 1d,d5,b5,84,a2,36,e9,4c,85,1d,41,fe,2d,02,f3,c2,7f,74,15,6d,dc,0c,fc,b5,2f,\ 57,b4,b4,4a,a9,ce,28,24,52,5d,a9,6b,e9,73,b9,77,f5,4c,6f,1b,7a,de,fb,6e,f1,\ 06,89,30,14,e5,ed,3b,06,66,72,a0,0b,3c,cc,d0,7a,97,ea,56,cc,b4,7d,4c,f4,12,\ a8,4d,f2,25,4d,65,b7,44,d4,6c,34,16,58,5f,02,d8,ce,a4,61,e6,a1,54,f8,05,49,\ 8e,b8,a3,af,b4,d4,a9,a0,af,88,28,2e,38,3c,4e,d5,fd,92,42,e1,16,b5,e1,f7,86,\ c8,c9,10,64,8d,a5,40,0a,58,ac,7a,8c,53,ca,09,a4,4e,ea,ce,71,44,2f,28,87,08,\ be,d9,55,fb,6b,4c,6f,c5,cc,49,fa,73,ae,33,8d,a0,96,15,7c,a3,6e,da,c2,ec,ea,\ 6b,b5,7f,0f,4e,d5,52,61,fb,d6,2e,9b,80,16,56,93,0e,bf,8d,c3,04,0c,52,25,e3,\ 1d,ea,71,31,15,14,5c,0f,e3,83,92,1e,72,bc,39,b7,18,d7,b4,cc,56,c2,5e,40,79,\ 54,54,07,e5,52,be,54,28,ae,4a,b8,c0,5e,e8,68,a0,8e,6a,b1,2d,b2,6b,77,32,0f,\ d5,5d,3e,9f,e5,79,7d,0d,d8,4c,d4,55,ae,dd,22,9e,3b,99,a1,8b,1f,77,d3,a4,41,\ b9,2f,04,a1,87,26,e6,f9,9b,03,2a,a0,58,27,9f,6e,03,f5,7a,47,62,bd,bc,74,7e,\ 30,cc,b0,70,04,58,9e,53,b1,da,ce,ec,d1,f7,d1,9e,ad,6b,f6,e6,b6,b7,27,b4,38,\ 94,7b,e7,98,25,92,c5,c7,13,f8,22,80,53,68,b9,51,26,db,3f,15,04,61,b2,32,2a,\ 4e,bb,d3,12,a7,72,f3,13,10,a5,57,6b,38,35,d3,53,10,9a,74,76,9d,3c,6f,d3,28,\ 21,0a,92,27,d5,09,57,f7,e7,23,3f,96,76,5d,a1,f3,04,84,79,0d,fc,8d,90,40,cc,\ 62,11,a1,16,3c,bc,ca,b8,59,f0,c7,07,08,30,04,63,96,60,55,e9,49,6d,86,7f,e7,\ 7a,3c,d3,54,a8,ac,d1,61,2b,31,36,15,96,14,00,00,00,b9,c6,ae,63,45,dc,51,e7,\ 98,0b,b1,fa,44,c2,a9,5d,46,0b,17,d8 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "sv1"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension" "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{92085AD4-F48A-450D-BD93-B28CC7DF67CE}"="eBay Toolbar" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ browseui.dll Wed May 10 2006 1:25:20a A.... 1,022,976 999.00 K cdfview.dll Wed May 10 2006 1:25:20a A.... 151,040 147.50 K danim.dll Wed May 10 2006 1:25:20a A.... 1,054,208 1.00 M dhcpcsvc.dll Fri May 19 2006 8:59:42a A.... 111,616 109.00 K dnsapi.dll Fri May 19 2006 8:59:42a A.... 148,480 145.00 K dxtmsft.dll Wed May 10 2006 1:25:22a A.... 357,888 349.50 K dxtrans.dll Wed May 10 2006 1:25:22a A.... 205,312 200.50 K extmgr.dll Wed May 10 2006 1:25:22a A.... 55,808 54.50 K iepeers.dll Wed May 10 2006 1:25:22a A.... 251,904 246.00 K inseng.dll Wed May 10 2006 1:25:22a A.... 96,256 94.00 K iphlpapi.dll Fri May 19 2006 8:59:42a A.... 94,720 92.50 K jgdw400.dll Thu Jun 1 2006 2:47:08p A.... 163,840 160.00 K jgpl400.dll Thu Jun 1 2006 2:47:08p A.... 27,648 27.00 K jscript.dll Thu May 18 2006 1:24:26a A.... 450,560 440.00 K jsproxy.dll Wed May 10 2006 1:25:22a A.... 15,872 15.50 K legitc~1.dll Mon Jun 19 2006 4:19:42p A.... 571,184 557.80 K mshtml.dll Fri May 19 2006 11:06:04a A.... 3,055,104 2.91 M mshtmled.dll Wed May 10 2006 1:25:22a A.... 448,512 438.00 K msrating.dll Wed May 10 2006 1:25:22a A.... 146,432 143.00 K mstime.dll Wed May 10 2006 1:25:22a A.... 532,480 520.00 K pngfilt.dll Wed May 10 2006 1:25:22a A.... 39,424 38.50 K qam8f8d1.dll Fri Jun 30 2006 3:02:14p A.... 61,440 60.00 K rasmans.dll Sun May 14 2006 4:44:08a A.... 181,248 177.00 K shdocvw.dll Mon May 29 2006 11:32:10a A.... 1,496,576 1.43 M shlwapi.dll Wed May 10 2006 1:25:22a A.... 474,112 463.00 K sporder.dll Fri Jun 30 2006 3:01:52p A.... 8,464 8.27 K urlmon.dll Wed May 10 2006 1:25:22a A.... 615,424 601.00 K w25b3e~1.dll Fri Jun 30 2006 3:02:12p A.... 29,696 29.00 K wgalogon.dll Mon Jun 19 2006 4:20:42p A.... 702,768 686.30 K wininet.dll Wed May 10 2006 1:25:22a A.... 663,552 648.00 K winnb57.dll Fri Jun 30 2006 3:06:50p A.... 303,104 296.00 K wmp.dll Sat Apr 29 2006 6:07:48a A.... 5,533,696 5.28 M xpsp3res.dll Thu May 11 2006 4:37:26a A.... 90,112 88.00 K 33 items found: 33 files, 0 directories. Total of file sizes: 19,161,456 bytes 18.27 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is A8B4-C105 Directory of C:\WINDOWS\System32 07/22/2006 03:16 PM <DIR> dllcache 07/14/2006 09:43 AM 3,350 KGyGaAvL.sys 07/14/2006 09:43 AM 56 E8AA228709.sys 07/03/2006 11:05 PM 459,786 removefunc.ram 08/16/2005 06:49 AM <DIR> Microsoft 3 File(s) 463,192 bytes 2 Dir(s) 58,192,531,456 bytes free
Logfile of HijackThis v1.99.1 Scan saved at 9:40:00 AM, on 7/23/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe C:\Program Files\Dell Support\DSAgnt.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Dell Photo Printer 720\dlbcserv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\iexplore.exe c:\program files\common files\installshield\updateservice\isuspm.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\Documents and Settings\\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing) O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~2\bar\1.bin\mwsoemon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe O4 - HKLM\..\Run: [qam8f8d1] RUNDLL32.EXE w25b3eef.dll,n 0018f8d00000000325b3eef O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149876603363 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Daemon Desync Protocol Service (DDPS) - Unknown owner - C:\WINDOWS\msdds.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
Ok lets continue... Cleaning instructions: Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/ -> Open Ewido Anti-Spyware -> Click the Update icon at the top of the window -> Click the Start update button -> Wait for the update to download and install -> Quit the program, we'll use this later. Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1 Do NOT run yet. Go to Control Panel -> Add/Remove programs -> Remove MyWaySA, MyWeb, ToolBar888 or similars if found Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing) O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~2\bar\1.bin\mwsoemon.exe O4 - HKLM\..\Run: [qam8f8d1] RUNDLL32.EXE w25b3eef.dll,n 0018f8d00000000325b3eef O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) Open Notepad -> copy the following lines into a new document: @echo off sc stop DDPS sc delete DDPS Save the document to your desktop as Removal.bat and filetype: All Files Go to your desktop and run the file Removal.bat and answer yes to any questions. Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml Delete these folders (if found): C:\Program Files\MyWaySA C:\Program Files\ToolBar888 C:\Program Files\MyWebSearch Delete these files (if found): C:\WINDOWS\cfg32r.dll C:\WINDOWS\system32\WinNB57.dll C:\WINDOWS\cfg32o.dll C:\WINDOWS\msdds.exe Use the Windows "search" function -> Start -> Search -> All files and folders -> More advanced options Checkmark these options: - "Search system folders" - "Search hidden files and folders" - "Search subfolders" ->Search for this and delete if found: w25b3eef.dll Run ATF Cleaner -> Check select all -> Press Empty selected -> Open Ewido Anti-Spyware -> Click the Scanner icon at the top of the window -> Click the Settings tab then select Recommended Options and choose Quarantine -> Click the Scan tab -> Select Complete System Scan. The scanning begins. -> When the scan has completed: -> If infections were found you'll be prompted about what to do. -> Please make sure that the Set all elements to is set to Quarantine (in downleft corner of the window) -> Then press Apply all actions and answer yes to all if it asks about something -> Click on the Save Scan Report button and save the scan to your Desktop. -> Copy and paste the scan results into your next post Restart your computer normally. Post the following logs to here: -> a fresh HijackThis log -> Ewido's log
running ewido now. w25b3eef.dll box comes up on start up and says run dll w25b3eef.dll cannot be found.how could i make this box from poping up
ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 12:07:17 PM 7/23/2006 + Scan result: C:\Documents and Settings\mike kuzo\Desktop\backups\backup-20060723-112657-572.dll -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\WINDOWS\ahgwovdz.exe -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\WINDOWS\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\WINDOWS\cnejirob.exe -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\WINDOWS\djunsvrz.exe -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined). C:\WINDOWS\system32\qam8f8d1.dll -> Adware.IEHelper : Cleaned with backup (quarantined). C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined). C:\warebundle2.exe -> Adware.Look2Me : Cleaned with backup (quarantined). C:\warebundle3.exe -> Adware.Look2Me : Cleaned with backup (quarantined). C:\warebundlenew.exe -> Adware.Look2Me : Cleaned with backup (quarantined). C:\Documents and Settings\mike kuzo\Desktop\backups\backup-20060723-112657-690.dll -> Adware.Mirar : Cleaned with backup (quarantined). C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined). C:\Program Files\Common Files\svchostsys\svchostupdate.exe -> Downloader.Small : Cleaned with backup (quarantined). C:\WINDOWS\system32\w25b3eef5.dll -> Downloader.Small : Cleaned with backup (quarantined). C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined). C:\Documents and Settings\LocalService\Cookies\system@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@indigio.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\missy kuzo\Cookies\missy kuzo@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wfkokkdpsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wfkywgcjokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wfl4ckczcap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wfliomdzsfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wfmyslcpseo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgkighd5mcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgkiskczkgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgkoagd5ccq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgkywkcjwap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgl4kgczmlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgmiomc5ohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wgmyegd5ckp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjk4aidzoap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjk4socjigo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjk4wpdpoep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjkochazwho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjkognc5adp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjkokndjgcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjkosmazchp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjkyegdjmlo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjl4elcjadq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjliohczohp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjloejcjsgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjlosncpcho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjlouodjado.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjlygkcpmco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjlyqndjifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjmisidjmdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjmyeoajgap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjny-1sc5wk.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@e-2dj6wjnywlazgdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@project2.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\amanda kuzo\Cookies\amanda kuzo@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). C:\Documents and Settings\logan kuzo\Cookies\logan kuzo@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined). C:\Program Files\Common Files\{A8B4C105-0AE9-1033-1008-050412200001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined). ::Report end Logfile of HijackThis v1.99.1 Scan saved at 12:12:02 PM, on 7/23/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\AIM\aim.exe C:\Program Files\Dell Photo Printer 720\dlbcserv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\mike kuzo\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe O4 - HKLM\..\Run: [qam8f8d1] RUNDLL32.EXE w25b3eef.dll,n 0018f8d00000000325b3eef O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149876603363 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe still i cannot check on in windows firewall thanks for your help w25b3eef.dll box comes up on start up and says run dll w25b3eef.dll cannot be found.how could i make this box from poping up
Ok we'll continue... Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml Fix these entries with HijackThis: O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [qam8f8d1] RUNDLL32.EXE w25b3eef.dll,n 0018f8d00000000325b3eef Restart you computer normally. Post a fresh HijackThis log to here.
Logfile of HijackThis v1.99.1 Scan saved at 2:35:06 PM, on 7/23/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\userinit.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\AIM\aim.exe C:\Program Files\Dell Photo Printer 720\dlbcserv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Documents and Settings\mike kuzo\Desktop\HijackThis.exe C:\WINDOWS\System32\svchost.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149876603363 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe thanks again but i still cannot check on in windows firewall>very strange
Ok good, you're looking clean now You can't enable your windows firewall but I recommend that you install a better firewall (Windows firewall doesn't give you enough protection) These are good (free) firewalls: ZoneAlarm --> http://www.zonelabs.com Kerio--> http://www.sunbelt-software.com/Kerio.cfm Outpost-> http://www.agnitum.com You should update your Java (old version has all kinds of vulnerabilities) 1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup) 2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart. 3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp 4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as Java 2 Runtime Environment, SE v1.4.2_03 Then you can make your hidden files hidden again. Then you can clean Ewido's quarantine: -> Open Ewido -> Choose "Infections" -> Click "Select all" -> Click "Remove finally" -> Close Ewido Now that you're clean, here are some tips how to stay clean. -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning. -> Use CCleaner -> http://www.ccleaner.com Download and install CCleaner. Clean your registry and temporary files with it regularly. -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48 Download and install Ad-Aware. Update it and scan your computer regularly with it. -> Use Ewido -> http://www.ewido.net/en Download and install Ewido. Update it and scan your computer regularly with it. -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html SpywareBlaster will prevent spyware from being installed to your computer. -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm This prevents your computer from connecting to harmful sites. -> Change your browser to Firefox -> http://www.mozilla.org Firefox is faster, safer and quicker browser than Internet Explorer. -> Keep your systen up-to-date -> http://windowsupdate.microsoft.com Visit Windows Update regularly. -> Keep your antivirus and firewall up-to-date Scan your computer regularly with your antivirus. -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html So how did I get infected in the first place? Stay clean
thanks so much.i put zonealarm on as the firewall.but still dont know why i could not enable windows firewall.JaPK thanks again
