HiJack Log and some Messages...help please

Dlara303 · Sep 22, 2005

Hi Guys

I am trying to help my friend with his comp, I would say that I can handle some stuff. Well, some stuff is not happening to this comp.

Well the first thing is 3 messages I get:

DX7WEBVW.EXE
The instructions at "0x7c80d189" reference memory at 0xfc85cff. The memory could not be "read'. Click OK to terminate the program.

I click "OK" and then

USPACYPT.EXE
The instructions at "0x7c80d189" reference memory at 0x537774f1. The memory could not be "read'. Click OK to terminate the program.

then

The exemption Guard Page Extension a page of memory that marks the end of Data Structure such as a stack or an array, has been access. (0x80000001) occurred in the application at location 0x100011d2
(last location sometimes changes to 0x00c611d2)

Second is the Hijack log(my friend has a lot of stuff in his computer and I am certain not all of it is good).

Logfile of HijackThis v1.99.1
Scan saved at 1:00:31 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ttktuvb.exe
C:\WINDOWS\voqssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\szslefr.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eskfenc.EXE
C:\WINDOWS\eskfdll.EXE
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\MediaGateway.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\etb\pokapoka67.exe
C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*[url]http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B67AE48-10F6-6526-8D9D-40D1E96A93C9} - C:\WINDOWS\system32\ndjex.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshvijt.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {64DADDBE-6B07-1D81-7E77-3EB60F44A1CB} - C:\WINDOWS\system32\dam.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jzvsvkvj.dll
O2 - BHO: SDWin32 Class - {997A4B88-3A4D-4910-86B5-8CC6FD8F1379} - C:\WINDOWS\system32\kbukk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [fggscrv] C:\WINDOWS\fggscrv.exe
O4 - HKLM\..\Run: [szslefr] C:\WINDOWS\szslefr.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\system32\mediapluscash.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eskfenc] C:\WINDOWS\eskfenc.EXE
O4 - HKLM\..\Run: [eskfdll] C:\WINDOWS\eskfdll.EXE
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095802821906
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4529/mcfscan.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\uknpui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ttktuvb.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\voqssvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Third is that I cant get a connection to the internet from his comp. I tried creating a new one or repairing the old one but nothing. I have cable and it has never been a problem. I am thinking its from one or the two previous problems.

The comp has XP, and run 512 MD ddr 400 MHz ram. I have ran ad-aware, avast, and cleaned the temp folder not in that order. I was told that the locations problems might have to do with bad memory and to replace the ram?

Any help will be appreciated, let me know if there is any other info you need.
Thanks in advance

Oscillator · Sep 22, 2005

Make sure he has a firewall activated.

Fix the following that are in bold, run Clean Disk, restart your computer and post a new log.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B67AE48-10F6-6526-8D9D-40D1E96A93C9} - C:\WINDOWS\system32\ndjex.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshvijt.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {64DADDBE-6B07-1D81-7E77-3EB60F44A1CB} - C:\WINDOWS\system32\dam.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jzvsvkvj.dll
O2 - BHO: SDWin32 Class - {997A4B88-3A4D-4910-86B5-8CC6FD8F1379} - C:\WINDOWS\system32\kbukk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [fggscrv] C:\WINDOWS\fggscrv.exe
O4 - HKLM\..\Run: [szslefr] C:\WINDOWS\szslefr.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\system32\mediapluscash.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eskfenc] C:\WINDOWS\eskfenc.EXE
O4 - HKLM\..\Run: [eskfdll] C:\WINDOWS\eskfdll.EXE
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1095802821906
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...529/mcfscan.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\uknpui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ttktuvb.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\voqssvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Dlara303 · Sep 22, 2005

Cool, the memory messages disappeared!

One doubt, when you said run Disk Clean, was that the disk cleaning utility in window system tools or some other utility. I ran disk cleaning and then the ran a highjack log

Logfile of HijackThis v1.99.1
Scan saved at 3:00:09 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ttktuvb.exe
C:\WINDOWS\voqssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\szslefr.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eskfenc.EXE
C:\WINDOWS\eskfdll.EXE
C:\WINDOWS\etb\pokapoka67.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B67AE48-10F6-6526-8D9D-40D1E96A93C9} - C:\WINDOWS\system32\ndjex.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshvijt.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {64DADDBE-6B07-1D81-7E77-3EB60F44A1CB} - C:\WINDOWS\system32\dam.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jzvsvkvj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [fggscrv] C:\WINDOWS\fggscrv.exe
O4 - HKLM\..\Run: [szslefr] C:\WINDOWS\szslefr.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eskfenc] C:\WINDOWS\eskfenc.EXE
O4 - HKLM\..\Run: [eskfdll] C:\WINDOWS\eskfdll.EXE
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095802821906
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4529/mcfscan.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\uknpui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ttktuvb.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\voqssvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

MicroBell · Sep 22, 2005

Hi and Welcome to TF

Please be advised your severly infected and and the first fix missed all of the infections. You can not simply fix the entry in the HJT log with todays infections.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Ad-AwareÂ® SE Personal Edition
*Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
Spybot Search & Destroy
CWShredder

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install Cleanup but DO NOT run it yet!

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Download LQfix.exe and place it on your desktop.

Doubleclick LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and save it as I will ask for it later.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure itÂ’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following if listed.

Rebate_Nation
SurfAccuracy
Media Gateway

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Repeat that same procedure for these services as well..

Windows Overlay Components
Windows VisFx Components

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\WINDOWS\ttktuvb.exe
C:\WINDOWS\voqssvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\szslefr.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\eskfenc.EXE
C:\WINDOWS\eskfdll.EXE
C:\WINDOWS\etb\pokapoka67.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1
O2 - BHO: (no name) - {0B67AE48-10F6-6526-8D9D-40D1E96A93C9} - C:\WINDOWS\system32\ndjex.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshvijt.dll
O2 - BHO: (no name) - {64DADDBE-6B07-1D81-7E77-3EB60F44A1CB} - C:\WINDOWS\system32\dam.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\jzvsvkvj.dll
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [fggscrv] C:\WINDOWS\fggscrv.exe
O4 - HKLM\..\Run: [szslefr] C:\WINDOWS\szslefr.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [eskfdll] C:\WINDOWS\eskfdll.EXE
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\uknpui.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ttktuvb.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\voqssvc.exe

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for themÂ…make sure you have search hidden files, folders, sub directoryÂ’s ect enabled if it applyÂ’s to your OS)

C:\WINDOWS\ttktuvb.exe
C:\WINDOWS\szslefr.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\eskfenc.EXE
C:\WINDOWS\eskfdll.EXE
C:\WINDOWS\system32\ndjex.dll
C:\Program Files\DNS\Catcher.dll
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\pkshvijt.dll
C:\WINDOWS\system32\dam.dll
C:\WINDOWS\system32\jzvsvkvj.dll
C:\Program Files\Rebate_Nation\RebateNation0.exe
C:\WINDOWS\fggscrv.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\system32\uknpui.dll
C:\WINDOWS\svcproc.exe
C:\WINDOWS\ttktuvb.exe
C:\WINDOWS\voqssvc.exe

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the [Save report] button
Save the report to your desktop

Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows....

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with the other logs.

So I need....

Panda scan log
Ewido scan log
Hijackthis log
l2mfix log (first tool we ran)

Dlara303 · Sep 23, 2005

I was able to install and update must programs on my comp before transferring to the infected machine. The connection to the internet on the infected comp just wonÂ’t repair. I also tried creating a new one, but no cigar. It keep telling me to contact the person in charge, I thought I was in charge : ( . So....I was not able to run the online scans and lqfix. I was able to run everything else. Oh funny story......the ewido log from safe mode did not make it to normal mode not sure why. So I ran ewido again in normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 11:49:26 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095802821906
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4529/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Owner\Desktop\cwshredder.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:27:54 PM, 9/23/2005
+ Report-Checksum: 91B303A1

+ Scan result:

No infected objects found.

::Report End

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1492 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1544 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aaicap32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aaicap32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aysnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aysnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bwdispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bwdispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpnfmsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpnfmsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dJd8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dJd8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\djwave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\djwave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dqsshlex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dqsshlex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DTLCPY32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DTLCPY32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dukquota.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dukquota.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ests.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ests.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ewentcls.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ewentcls.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\exsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\exsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\feppro32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\feppro32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ffdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ffdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fgamebuf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fgamebuf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fgdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fgdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fkscfgwz.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fkscfgwz.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fwsrch.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fwsrch.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwitpki.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwitpki.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jasd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jasd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kidusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kidusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbdsrv32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbdsrv32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhjter35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhjter35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msndex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msndex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nltman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nltman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nzw43.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nzw43.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oceaccrc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oceaccrc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIsser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIsser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rlm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rlm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rXsadhlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rXsadhlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rZsmxs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rZsmxs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sjdpsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sjdpsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smc_os.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smc_os.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssnscfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssnscfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sWfrdm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sWfrdm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sznceng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sznceng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\thrmmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\thrmmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TIIC32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TIIC32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TVIC32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TVIC32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uknpui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uknpui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uursvpia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uursvpia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VPovrlay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VPovrlay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wahrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wahrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\whhip6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\whhip6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\widmtpus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\widmtpus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnmm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnmm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyps2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyps2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\YWRWin32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\YWRWin32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aaicap32.dll
Successfully Deleted: C:\WINDOWS\system32\aaicap32.dll
deleting: C:\WINDOWS\system32\aaicap32.dll
Successfully Deleted: C:\WINDOWS\system32\aaicap32.dll
deleting: C:\WINDOWS\system32\aysnt.dll
Successfully Deleted: C:\WINDOWS\system32\aysnt.dll
deleting: C:\WINDOWS\system32\aysnt.dll
Successfully Deleted: C:\WINDOWS\system32\aysnt.dll
deleting: C:\WINDOWS\system32\bwdispl.dll
Successfully Deleted: C:\WINDOWS\system32\bwdispl.dll
deleting: C:\WINDOWS\system32\bwdispl.dll
Successfully Deleted: C:\WINDOWS\system32\bwdispl.dll
deleting: C:\WINDOWS\system32\cpnfmsp.dll
Successfully Deleted: C:\WINDOWS\system32\cpnfmsp.dll
deleting: C:\WINDOWS\system32\cpnfmsp.dll
Successfully Deleted: C:\WINDOWS\system32\cpnfmsp.dll
deleting: C:\WINDOWS\system32\dJd8.dll
Successfully Deleted: C:\WINDOWS\system32\dJd8.dll
deleting: C:\WINDOWS\system32\dJd8.dll
Successfully Deleted: C:\WINDOWS\system32\dJd8.dll
deleting: C:\WINDOWS\system32\djwave.dll
Successfully Deleted: C:\WINDOWS\system32\djwave.dll
deleting: C:\WINDOWS\system32\djwave.dll
Successfully Deleted: C:\WINDOWS\system32\djwave.dll
deleting: C:\WINDOWS\system32\dqsshlex.dll
Successfully Deleted: C:\WINDOWS\system32\dqsshlex.dll
deleting: C:\WINDOWS\system32\dqsshlex.dll
Successfully Deleted: C:\WINDOWS\system32\dqsshlex.dll
deleting: C:\WINDOWS\system32\DTLCPY32.dll
Successfully Deleted: C:\WINDOWS\system32\DTLCPY32.dll
deleting: C:\WINDOWS\system32\DTLCPY32.dll
Successfully Deleted: C:\WINDOWS\system32\DTLCPY32.dll
deleting: C:\WINDOWS\system32\dukquota.dll
Successfully Deleted: C:\WINDOWS\system32\dukquota.dll
deleting: C:\WINDOWS\system32\dukquota.dll
Successfully Deleted: C:\WINDOWS\system32\dukquota.dll
deleting: C:\WINDOWS\system32\ests.dll
Successfully Deleted: C:\WINDOWS\system32\ests.dll
deleting: C:\WINDOWS\system32\ests.dll
Successfully Deleted: C:\WINDOWS\system32\ests.dll
deleting: C:\WINDOWS\system32\ewentcls.dll
Successfully Deleted: C:\WINDOWS\system32\ewentcls.dll
deleting: C:\WINDOWS\system32\ewentcls.dll
Successfully Deleted: C:\WINDOWS\system32\ewentcls.dll
deleting: C:\WINDOWS\system32\exsvc.dll
Successfully Deleted: C:\WINDOWS\system32\exsvc.dll
deleting: C:\WINDOWS\system32\exsvc.dll
Successfully Deleted: C:\WINDOWS\system32\exsvc.dll
deleting: C:\WINDOWS\system32\feppro32.dll
Successfully Deleted: C:\WINDOWS\system32\feppro32.dll
deleting: C:\WINDOWS\system32\feppro32.dll
Successfully Deleted: C:\WINDOWS\system32\feppro32.dll
deleting: C:\WINDOWS\system32\ffdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\ffdrclnr.dll
deleting: C:\WINDOWS\system32\ffdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\ffdrclnr.dll
deleting: C:\WINDOWS\system32\fgamebuf.dll
Successfully Deleted: C:\WINDOWS\system32\fgamebuf.dll
deleting: C:\WINDOWS\system32\fgamebuf.dll
Successfully Deleted: C:\WINDOWS\system32\fgamebuf.dll
deleting: C:\WINDOWS\system32\fgdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\fgdrclnr.dll
deleting: C:\WINDOWS\system32\fgdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\fgdrclnr.dll
deleting: C:\WINDOWS\system32\fkscfgwz.dll
Successfully Deleted: C:\WINDOWS\system32\fkscfgwz.dll
deleting: C:\WINDOWS\system32\fkscfgwz.dll
Successfully Deleted: C:\WINDOWS\system32\fkscfgwz.dll
deleting: C:\WINDOWS\system32\fwsrch.dll
Successfully Deleted: C:\WINDOWS\system32\fwsrch.dll
deleting: C:\WINDOWS\system32\fwsrch.dll
Successfully Deleted: C:\WINDOWS\system32\fwsrch.dll
deleting: C:\WINDOWS\system32\iwitpki.dll
Successfully Deleted: C:\WINDOWS\system32\iwitpki.dll
deleting: C:\WINDOWS\system32\iwitpki.dll
Successfully Deleted: C:\WINDOWS\system32\iwitpki.dll
deleting: C:\WINDOWS\system32\jasd400.dll
Successfully Deleted: C:\WINDOWS\system32\jasd400.dll
deleting: C:\WINDOWS\system32\jasd400.dll
Successfully Deleted: C:\WINDOWS\system32\jasd400.dll
deleting: C:\WINDOWS\system32\kidusx.dll
Successfully Deleted: C:\WINDOWS\system32\kidusx.dll
deleting: C:\WINDOWS\system32\kidusx.dll
Successfully Deleted: C:\WINDOWS\system32\kidusx.dll
deleting: C:\WINDOWS\system32\ktdsg.dll
Successfully Deleted: C:\WINDOWS\system32\ktdsg.dll
deleting: C:\WINDOWS\system32\ktdsg.dll
Successfully Deleted: C:\WINDOWS\system32\ktdsg.dll
deleting: C:\WINDOWS\system32\kzdda.dll
Successfully Deleted: C:\WINDOWS\system32\kzdda.dll
deleting: C:\WINDOWS\system32\kzdda.dll
Successfully Deleted: C:\WINDOWS\system32\kzdda.dll
deleting: C:\WINDOWS\system32\mbdsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\mbdsrv32.dll
deleting: C:\WINDOWS\system32\mbdsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\mbdsrv32.dll
deleting: C:\WINDOWS\system32\mhjter35.dll
Successfully Deleted: C:\WINDOWS\system32\mhjter35.dll
deleting: C:\WINDOWS\system32\mhjter35.dll
Successfully Deleted: C:\WINDOWS\system32\mhjter35.dll
deleting: C:\WINDOWS\system32\miricons.dll
Successfully Deleted: C:\WINDOWS\system32\miricons.dll
deleting: C:\WINDOWS\system32\miricons.dll
Successfully Deleted: C:\WINDOWS\system32\miricons.dll
deleting: C:\WINDOWS\system32\msndex.dll
Successfully Deleted: C:\WINDOWS\system32\msndex.dll
deleting: C:\WINDOWS\system32\msndex.dll
Successfully Deleted: C:\WINDOWS\system32\msndex.dll
deleting: C:\WINDOWS\system32\nltman.dll
Successfully Deleted: C:\WINDOWS\system32\nltman.dll
deleting: C:\WINDOWS\system32\nltman.dll
Successfully Deleted: C:\WINDOWS\system32\nltman.dll
deleting: C:\WINDOWS\system32\nzw43.dll
Successfully Deleted: C:\WINDOWS\system32\nzw43.dll
deleting: C:\WINDOWS\system32\nzw43.dll
Successfully Deleted: C:\WINDOWS\system32\nzw43.dll
deleting: C:\WINDOWS\system32\oceaccrc.dll
Successfully Deleted: C:\WINDOWS\system32\oceaccrc.dll
deleting: C:\WINDOWS\system32\oceaccrc.dll
Successfully Deleted: C:\WINDOWS\system32\oceaccrc.dll
deleting: C:\WINDOWS\system32\rIsser.dll
Successfully Deleted: C:\WINDOWS\system32\rIsser.dll
deleting: C:\WINDOWS\system32\rIsser.dll
Successfully Deleted: C:\WINDOWS\system32\rIsser.dll
deleting: C:\WINDOWS\system32\rlm.dll
Successfully Deleted: C:\WINDOWS\system32\rlm.dll
deleting: C:\WINDOWS\system32\rlm.dll
Successfully Deleted: C:\WINDOWS\system32\rlm.dll
deleting: C:\WINDOWS\system32\rXsadhlp.dll
Successfully Deleted: C:\WINDOWS\system32\rXsadhlp.dll
deleting: C:\WINDOWS\system32\rXsadhlp.dll
Successfully Deleted: C:\WINDOWS\system32\rXsadhlp.dll
deleting: C:\WINDOWS\system32\rZsmxs.dll
Successfully Deleted: C:\WINDOWS\system32\rZsmxs.dll
deleting: C:\WINDOWS\system32\rZsmxs.dll
Successfully Deleted: C:\WINDOWS\system32\rZsmxs.dll
deleting: C:\WINDOWS\system32\sjdpsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sjdpsrv.dll
deleting: C:\WINDOWS\system32\sjdpsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sjdpsrv.dll
deleting: C:\WINDOWS\system32\smc_os.dll
Successfully Deleted: C:\WINDOWS\system32\smc_os.dll
deleting: C:\WINDOWS\system32\smc_os.dll
Successfully Deleted: C:\WINDOWS\system32\smc_os.dll
deleting: C:\WINDOWS\system32\ssnscfg.dll
Successfully Deleted: C:\WINDOWS\system32\ssnscfg.dll
deleting: C:\WINDOWS\system32\ssnscfg.dll
Successfully Deleted: C:\WINDOWS\system32\ssnscfg.dll
deleting: C:\WINDOWS\system32\sWfrdm.dll
Successfully Deleted: C:\WINDOWS\system32\sWfrdm.dll
deleting: C:\WINDOWS\system32\sWfrdm.dll
Successfully Deleted: C:\WINDOWS\system32\sWfrdm.dll
deleting: C:\WINDOWS\system32\swsinv.dll
Successfully Deleted: C:\WINDOWS\system32\swsinv.dll
deleting: C:\WINDOWS\system32\swsinv.dll
Successfully Deleted: C:\WINDOWS\system32\swsinv.dll
deleting: C:\WINDOWS\system32\sznceng.dll
Successfully Deleted: C:\WINDOWS\system32\sznceng.dll
deleting: C:\WINDOWS\system32\sznceng.dll
Successfully Deleted: C:\WINDOWS\system32\sznceng.dll
deleting: C:\WINDOWS\system32\thrmmgr.dll
Successfully Deleted: C:\WINDOWS\system32\thrmmgr.dll
deleting: C:\WINDOWS\system32\thrmmgr.dll
Successfully Deleted: C:\WINDOWS\system32\thrmmgr.dll
deleting: C:\WINDOWS\system32\TIIC32.dll
Successfully Deleted: C:\WINDOWS\system32\TIIC32.dll
deleting: C:\WINDOWS\system32\TIIC32.dll
Successfully Deleted: C:\WINDOWS\system32\TIIC32.dll
deleting: C:\WINDOWS\system32\TVIC32.dll
Successfully Deleted: C:\WINDOWS\system32\TVIC32.dll
deleting: C:\WINDOWS\system32\TVIC32.dll
Successfully Deleted: C:\WINDOWS\system32\TVIC32.dll
deleting: C:\WINDOWS\system32\uknpui.dll
Successfully Deleted: C:\WINDOWS\system32\uknpui.dll
deleting: C:\WINDOWS\system32\uknpui.dll
Successfully Deleted: C:\WINDOWS\system32\uknpui.dll
deleting: C:\WINDOWS\system32\uursvpia.dll
Successfully Deleted: C:\WINDOWS\system32\uursvpia.dll
deleting: C:\WINDOWS\system32\uursvpia.dll
Successfully Deleted: C:\WINDOWS\system32\uursvpia.dll
deleting: C:\WINDOWS\system32\VPovrlay.dll
Successfully Deleted: C:\WINDOWS\system32\VPovrlay.dll
deleting: C:\WINDOWS\system32\VPovrlay.dll
Successfully Deleted: C:\WINDOWS\system32\VPovrlay.dll
deleting: C:\WINDOWS\system32\wahrm.dll
Successfully Deleted: C:\WINDOWS\system32\wahrm.dll
deleting: C:\WINDOWS\system32\wahrm.dll
Successfully Deleted: C:\WINDOWS\system32\wahrm.dll
deleting: C:\WINDOWS\system32\whhip6.dll
Successfully Deleted: C:\WINDOWS\system32\whhip6.dll
deleting: C:\WINDOWS\system32\whhip6.dll
Successfully Deleted: C:\WINDOWS\system32\whhip6.dll
deleting: C:\WINDOWS\system32\widmtpus.dll
Successfully Deleted: C:\WINDOWS\system32\widmtpus.dll
deleting: C:\WINDOWS\system32\widmtpus.dll
Successfully Deleted: C:\WINDOWS\system32\widmtpus.dll
deleting: C:\WINDOWS\system32\wlnmm.dll
Successfully Deleted: C:\WINDOWS\system32\wlnmm.dll
deleting: C:\WINDOWS\system32\wlnmm.dll
Successfully Deleted: C:\WINDOWS\system32\wlnmm.dll
deleting: C:\WINDOWS\system32\wyps2.dll
Successfully Deleted: C:\WINDOWS\system32\wyps2.dll
deleting: C:\WINDOWS\system32\wyps2.dll
Successfully Deleted: C:\WINDOWS\system32\wyps2.dll
deleting: C:\WINDOWS\system32\YWRWin32.dll
Successfully Deleted: C:\WINDOWS\system32\YWRWin32.dll
deleting: C:\WINDOWS\system32\YWRWin32.dll
Successfully Deleted: C:\WINDOWS\system32\YWRWin32.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: aaicap32.dll (188 bytes security) (deflated 48%)
adding: aysnt.dll (188 bytes security) (deflated 48%)
adding: bwdispl.dll (188 bytes security) (deflated 48%)
adding: cpnfmsp.dll (188 bytes security) (deflated 48%)
adding: dJd8.dll (188 bytes security) (deflated 48%)
adding: djwave.dll (188 bytes security) (deflated 48%)
adding: dqsshlex.dll (188 bytes security) (deflated 48%)
adding: DTLCPY32.dll (188 bytes security) (deflated 48%)
adding: dukquota.dll (188 bytes security) (deflated 48%)
adding: ests.dll (188 bytes security) (deflated 48%)
adding: ewentcls.dll (188 bytes security) (deflated 48%)
adding: exsvc.dll (188 bytes security) (deflated 48%)
adding: feppro32.dll (188 bytes security) (deflated 48%)
adding: ffdrclnr.dll (188 bytes security) (deflated 48%)
adding: fgamebuf.dll (188 bytes security) (deflated 48%)
adding: fgdrclnr.dll (188 bytes security) (deflated 48%)
adding: fkscfgwz.dll (188 bytes security) (deflated 48%)
adding: fwsrch.dll (188 bytes security) (deflated 48%)
adding: gdiplus.dll (148 bytes security) (deflated 43%)
adding: iwitpki.dll (188 bytes security) (deflated 48%)
adding: jasd400.dll (188 bytes security) (deflated 48%)
adding: kidusx.dll (188 bytes security) (deflated 48%)
adding: ktdsg.dll (188 bytes security) (deflated 48%)
adding: kzdda.dll (188 bytes security) (deflated 48%)
adding: mbdsrv32.dll (188 bytes security) (deflated 48%)
adding: mhjter35.dll (188 bytes security) (deflated 48%)
adding: miricons.dll (188 bytes security) (deflated 48%)
adding: msndex.dll (188 bytes security) (deflated 48%)
adding: nltman.dll (188 bytes security) (deflated 48%)
adding: nzw43.dll (188 bytes security) (deflated 48%)
adding: oceaccrc.dll (188 bytes security) (deflated 48%)
adding: rIsser.dll (188 bytes security) (deflated 48%)
adding: rlm.dll (188 bytes security) (deflated 48%)
adding: rXsadhlp.dll (188 bytes security) (deflated 48%)
adding: rZsmxs.dll (188 bytes security) (deflated 48%)
adding: sjdpsrv.dll (188 bytes security) (deflated 48%)
adding: smc_os.dll (188 bytes security) (deflated 48%)
adding: ssnscfg.dll (188 bytes security) (deflated 48%)
adding: sWfrdm.dll (188 bytes security) (deflated 48%)
adding: swsinv.dll (188 bytes security) (deflated 48%)
adding: sznceng.dll (188 bytes security) (deflated 48%)
adding: thrmmgr.dll (188 bytes security) (deflated 48%)
adding: TIIC32.dll (188 bytes security) (deflated 48%)
adding: TVIC32.dll (188 bytes security) (deflated 48%)
adding: uknpui.dll (188 bytes security) (deflated 48%)
adding: uursvpia.dll (188 bytes security) (deflated 48%)
adding: VPovrlay.dll (188 bytes security) (deflated 48%)
adding: wahrm.dll (188 bytes security) (deflated 48%)
adding: whhip6.dll (188 bytes security) (deflated 48%)
adding: widmtpus.dll (188 bytes security) (deflated 48%)
adding: wlnmm.dll (188 bytes security) (deflated 48%)
adding: wyps2.dll (188 bytes security) (deflated 48%)
adding: YWRWin32.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 66%)
adding: adlog.txt (188 bytes security) (deflated 99%)
adding: EyeCandyLog.txt (188 bytes security) (deflated 98%)
adding: FINIS_IT.TXT (188 bytes security) (deflated 67%)
adding: lo2.txt (188 bytes security) (deflated 93%)
adding: test.txt (188 bytes security) (deflated 91%)
adding: test2.txt (188 bytes security) (deflated 47%)
adding: test3.txt (188 bytes security) (deflated 47%)
adding: test5.txt (188 bytes security) (deflated 47%)
adding: vx2logs.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 89%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: aaicap32.dll
deleting local copy: aaicap32.dll
deleting local copy: aysnt.dll
deleting local copy: aysnt.dll
deleting local copy: bwdispl.dll
deleting local copy: bwdispl.dll
deleting local copy: cpnfmsp.dll
deleting local copy: cpnfmsp.dll
deleting local copy: dJd8.dll
deleting local copy: dJd8.dll
deleting local copy: djwave.dll
deleting local copy: djwave.dll
deleting local copy: dqsshlex.dll
deleting local copy: dqsshlex.dll
deleting local copy: DTLCPY32.dll
deleting local copy: DTLCPY32.dll
deleting local copy: dukquota.dll
deleting local copy: dukquota.dll
deleting local copy: ests.dll
deleting local copy: ests.dll
deleting local copy: ewentcls.dll
deleting local copy: ewentcls.dll
deleting local copy: exsvc.dll
deleting local copy: exsvc.dll
deleting local copy: feppro32.dll
deleting local copy: feppro32.dll
deleting local copy: ffdrclnr.dll
deleting local copy: ffdrclnr.dll
deleting local copy: fgamebuf.dll
deleting local copy: fgamebuf.dll
deleting local copy: fgdrclnr.dll
deleting local copy: fgdrclnr.dll
deleting local copy: fkscfgwz.dll
deleting local copy: fkscfgwz.dll
deleting local copy: fwsrch.dll
deleting local copy: fwsrch.dll
deleting local copy: iwitpki.dll
deleting local copy: iwitpki.dll
deleting local copy: jasd400.dll
deleting local copy: jasd400.dll
deleting local copy: kidusx.dll
deleting local copy: kidusx.dll
deleting local copy: ktdsg.dll
deleting local copy: ktdsg.dll
deleting local copy: kzdda.dll
deleting local copy: kzdda.dll
deleting local copy: mbdsrv32.dll
deleting local copy: mbdsrv32.dll
deleting local copy: mhjter35.dll
deleting local copy: mhjter35.dll
deleting local copy: miricons.dll
deleting local copy: miricons.dll
deleting local copy: msndex.dll
deleting local copy: msndex.dll
deleting local copy: nltman.dll
deleting local copy: nltman.dll
deleting local copy: nzw43.dll
deleting local copy: nzw43.dll
deleting local copy: oceaccrc.dll
deleting local copy: oceaccrc.dll
deleting local copy: rIsser.dll
deleting local copy: rIsser.dll
deleting local copy: rlm.dll
deleting local copy: rlm.dll
deleting local copy: rXsadhlp.dll
deleting local copy: rXsadhlp.dll
deleting local copy: rZsmxs.dll
deleting local copy: rZsmxs.dll
deleting local copy: sjdpsrv.dll
deleting local copy: sjdpsrv.dll
deleting local copy: smc_os.dll
deleting local copy: smc_os.dll
deleting local copy: ssnscfg.dll
deleting local copy: ssnscfg.dll
deleting local copy: sWfrdm.dll
deleting local copy: sWfrdm.dll
deleting local copy: swsinv.dll
deleting local copy: swsinv.dll
deleting local copy: sznceng.dll
deleting local copy: sznceng.dll
deleting local copy: thrmmgr.dll
deleting local copy: thrmmgr.dll
deleting local copy: TIIC32.dll
deleting local copy: TIIC32.dll
deleting local copy: TVIC32.dll
deleting local copy: TVIC32.dll
deleting local copy: uknpui.dll
deleting local copy: uknpui.dll
deleting local copy: uursvpia.dll
deleting local copy: uursvpia.dll
deleting local copy: VPovrlay.dll
deleting local copy: VPovrlay.dll
deleting local copy: wahrm.dll
deleting local copy: wahrm.dll
deleting local copy: whhip6.dll
deleting local copy: whhip6.dll
deleting local copy: widmtpus.dll
deleting local copy: widmtpus.dll
deleting local copy: wlnmm.dll
deleting local copy: wlnmm.dll
deleting local copy: wyps2.dll
deleting local copy: wyps2.dll
deleting local copy: YWRWin32.dll
deleting local copy: YWRWin32.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aaicap32.dll
C:\WINDOWS\system32\aaicap32.dll
C:\WINDOWS\system32\aysnt.dll
C:\WINDOWS\system32\aysnt.dll
C:\WINDOWS\system32\bwdispl.dll
C:\WINDOWS\system32\bwdispl.dll
C:\WINDOWS\system32\cpnfmsp.dll
C:\WINDOWS\system32\cpnfmsp.dll
C:\WINDOWS\system32\dJd8.dll
C:\WINDOWS\system32\dJd8.dll
C:\WINDOWS\system32\djwave.dll
C:\WINDOWS\system32\djwave.dll
C:\WINDOWS\system32\dqsshlex.dll
C:\WINDOWS\system32\dqsshlex.dll
C:\WINDOWS\system32\DTLCPY32.dll
C:\WINDOWS\system32\DTLCPY32.dll
C:\WINDOWS\system32\dukquota.dll
C:\WINDOWS\system32\dukquota.dll
C:\WINDOWS\system32\ests.dll
C:\WINDOWS\system32\ests.dll
C:\WINDOWS\system32\ewentcls.dll
C:\WINDOWS\system32\ewentcls.dll
C:\WINDOWS\system32\exsvc.dll
C:\WINDOWS\system32\exsvc.dll
C:\WINDOWS\system32\feppro32.dll
C:\WINDOWS\system32\feppro32.dll
C:\WINDOWS\system32\ffdrclnr.dll
C:\WINDOWS\system32\ffdrclnr.dll
C:\WINDOWS\system32\fgamebuf.dll
C:\WINDOWS\system32\fgamebuf.dll
C:\WINDOWS\system32\fgdrclnr.dll
C:\WINDOWS\system32\fgdrclnr.dll
C:\WINDOWS\system32\fkscfgwz.dll
C:\WINDOWS\system32\fkscfgwz.dll
C:\WINDOWS\system32\fwsrch.dll
C:\WINDOWS\system32\fwsrch.dll
C:\WINDOWS\system32\iwitpki.dll
C:\WINDOWS\system32\iwitpki.dll
C:\WINDOWS\system32\jasd400.dll
C:\WINDOWS\system32\jasd400.dll
C:\WINDOWS\system32\kidusx.dll
C:\WINDOWS\system32\kidusx.dll
C:\WINDOWS\system32\ktdsg.dll
C:\WINDOWS\system32\ktdsg.dll
C:\WINDOWS\system32\kzdda.dll
C:\WINDOWS\system32\kzdda.dll
C:\WINDOWS\system32\mbdsrv32.dll
C:\WINDOWS\system32\mbdsrv32.dll
C:\WINDOWS\system32\mhjter35.dll
C:\WINDOWS\system32\mhjter35.dll
C:\WINDOWS\system32\miricons.dll
C:\WINDOWS\system32\miricons.dll
C:\WINDOWS\system32\msndex.dll
C:\WINDOWS\system32\msndex.dll
C:\WINDOWS\system32\nltman.dll
C:\WINDOWS\system32\nltman.dll
C:\WINDOWS\system32\nzw43.dll
C:\WINDOWS\system32\nzw43.dll
C:\WINDOWS\system32\oceaccrc.dll
C:\WINDOWS\system32\oceaccrc.dll
C:\WINDOWS\system32\rIsser.dll
C:\WINDOWS\system32\rIsser.dll
C:\WINDOWS\system32\rlm.dll
C:\WINDOWS\system32\rlm.dll
C:\WINDOWS\system32\rXsadhlp.dll
C:\WINDOWS\system32\rXsadhlp.dll
C:\WINDOWS\system32\rZsmxs.dll
C:\WINDOWS\system32\rZsmxs.dll
C:\WINDOWS\system32\sjdpsrv.dll
C:\WINDOWS\system32\sjdpsrv.dll
C:\WINDOWS\system32\smc_os.dll
C:\WINDOWS\system32\smc_os.dll
C:\WINDOWS\system32\ssnscfg.dll
C:\WINDOWS\system32\ssnscfg.dll
C:\WINDOWS\system32\sWfrdm.dll
C:\WINDOWS\system32\sWfrdm.dll
C:\WINDOWS\system32\swsinv.dll
C:\WINDOWS\system32\swsinv.dll
C:\WINDOWS\system32\sznceng.dll
C:\WINDOWS\system32\sznceng.dll
C:\WINDOWS\system32\thrmmgr.dll
C:\WINDOWS\system32\thrmmgr.dll
C:\WINDOWS\system32\TIIC32.dll
C:\WINDOWS\system32\TIIC32.dll
C:\WINDOWS\system32\TVIC32.dll
C:\WINDOWS\system32\TVIC32.dll
C:\WINDOWS\system32\uknpui.dll
C:\WINDOWS\system32\uknpui.dll
C:\WINDOWS\system32\uursvpia.dll
C:\WINDOWS\system32\uursvpia.dll
C:\WINDOWS\system32\VPovrlay.dll
C:\WINDOWS\system32\VPovrlay.dll
C:\WINDOWS\system32\wahrm.dll
C:\WINDOWS\system32\wahrm.dll
C:\WINDOWS\system32\whhip6.dll
C:\WINDOWS\system32\whhip6.dll
C:\WINDOWS\system32\widmtpus.dll
C:\WINDOWS\system32\widmtpus.dll
C:\WINDOWS\system32\wlnmm.dll
C:\WINDOWS\system32\wlnmm.dll
C:\WINDOWS\system32\wyps2.dll
C:\WINDOWS\system32\wyps2.dll
C:\WINDOWS\system32\YWRWin32.dll
C:\WINDOWS\system32\YWRWin32.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D3B302A9-54D6-40AE-B1B8-D4ED0C008A8F}"=-
"{938ACB86-A57C-4F3F-9C14-7366C974A5AD}"=-
"{06031768-64C7-44FC-BA2D-4BB9BD5C3DB6}"=-
"{386C898F-A212-4988-9A8D-21FD0000E86B}"=-
"{EE839DCE-2ED8-4AFB-8F0B-EDBDC313B00D}"=-
"{F36A5F10-3C24-4298-83B9-4BDE1DF5F4A1}"=-
"{8D004D24-3B32-4124-803C-FF3C4A008A46}"=-
"{1809554F-2A06-4BBA-B5B3-1A60A124C9D9}"=-
"{ADC37B38-EECC-4218-87B2-00E98B0D78E9}"=-
"{B2CF3E79-6B5E-4F21-93D2-236259D54BBB}"=-
"{6D6BEED4-26D2-44F6-A828-1CB8EDB211D8}"=-
"{A1BFF906-3934-4B87-841E-E5AF2C530DBF}"=-
"{F7A136FC-89BE-4493-A6AC-676992CFF46F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D3B302A9-54D6-40AE-B1B8-D4ED0C008A8F}]
[-HKEY_CLASSES_ROOT\CLSID\{938ACB86-A57C-4F3F-9C14-7366C974A5AD}]
[-HKEY_CLASSES_ROOT\CLSID\{06031768-64C7-44FC-BA2D-4BB9BD5C3DB6}]
[-HKEY_CLASSES_ROOT\CLSID\{386C898F-A212-4988-9A8D-21FD0000E86B}]
[-HKEY_CLASSES_ROOT\CLSID\{EE839DCE-2ED8-4AFB-8F0B-EDBDC313B00D}]
[-HKEY_CLASSES_ROOT\CLSID\{F36A5F10-3C24-4298-83B9-4BDE1DF5F4A1}]
[-HKEY_CLASSES_ROOT\CLSID\{8D004D24-3B32-4124-803C-FF3C4A008A46}]
[-HKEY_CLASSES_ROOT\CLSID\{1809554F-2A06-4BBA-B5B3-1A60A124C9D9}]
[-HKEY_CLASSES_ROOT\CLSID\{ADC37B38-EECC-4218-87B2-00E98B0D78E9}]
[-HKEY_CLASSES_ROOT\CLSID\{B2CF3E79-6B5E-4F21-93D2-236259D54BBB}]
[-HKEY_CLASSES_ROOT\CLSID\{6D6BEED4-26D2-44F6-A828-1CB8EDB211D8}]
[-HKEY_CLASSES_ROOT\CLSID\{A1BFF906-3934-4B87-841E-E5AF2C530DBF}]
[-HKEY_CLASSES_ROOT\CLSID\{F7A136FC-89BE-4493-A6AC-676992CFF46F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Well that is it for reports. Ill keep trying to get that online connection, I might have to go dial up but then I donÂ’t have a phone line in my house. Well I feel we made allot of progress, let me know what else needs to be done or what I could try to do. Thanks for taking the time to help me.

MicroBell · Sep 23, 2005

Download Winsock2Fix and unzip it. Then double-click on it to run it.

See if that fixs your connection on the infected PC. Also run hijackthis and fix this entry...

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://69.28.210.175/media/1

Dlara303 · Sep 26, 2005

Awesome, I downloaded winsock2fix, but it didnÂ’t help me get online. So we took the comp to my friendÂ’s house and his DSL kicked in right away. I guess the comp doesnÂ’t like cable. We ran the online check and came out clean which was a great reliever. I had a talk to the people in that house about surfing and downloading. Explained how to use some of the tool I had used and to keep spybot, ad adware and cwshredder.
Its incredible the amount of knowledge found here.

Thanks for taking the time and walking me through the steps.

MicroBell · Sep 26, 2005

Not done yet!! I still need to check for more...

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

HiJack Log and some Messages...help please

Dlara303

Beta member

Oscillator

Banned

Dlara303

Beta member

MicroBell

Daemon Poster

Dlara303

Beta member

MicroBell

Daemon Poster

Dlara303

Beta member

MicroBell

Daemon Poster

Similar threads