coolWWWSearch.Toolban
New problem. This problem, I think, is different from the one I posted before, because before I never got these 3 problems when I ran Spybot. It occurred just now. Thanks again for helping me out. I ran everything, adware, CWShredder, Spybot, and on Spybot 3 things keep coming up but I cannot get rid of them:
coolWWWSearch.Toolban
coolWWWSearch.leftovers
coolWWWSearch.Mupdate
My HijackThis log looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 4:28:02 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_82.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pitt.edu,cis.pitt.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pitt.edu,cis.pitt.edu
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4
CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4
CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-04-27 Includes\Dialer.sbi
2005-05-12 Includes\Hijackers.sbi
2005-04-15 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-05-11 Includes\Malware.sbi
2005-05-11 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-05-11 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-05-11 Includes\Trojans.sbi
Navigate to these keys and delete them.
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com
HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com
Exit Regedit. Your Spybot scan should come up clean now.
Please describe any other problems that you still may be having.
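The keys above live under Internet Settings\ZoneMap\Domains, where Internet Explorer stores per-domain security zone assignments; a DWORD of 2 puts the domain in the Trusted Sites zone, which is what the Spybot "Trusted Site" findings refer to. The script below is an added example, not part of this thread or of Spybot, that checks an exported copy of that key offline: export the ZoneMap key with reg export to a .reg file, feed the text to parse_zonemap(), and trusted_domains() lists every domain that has been granted Trusted Sites. The SAMPLE_REG text, the placeholder SID S-1-5-21-PLACEHOLDER-1003 and the corp.example intranet entry are constructed for the example; the three CWS domains are the ones reported above.

```python
"""Triage an exported Internet Explorer ZoneMap from a .reg file (added example).

Reads .reg export text, extracts every ZoneMap\Domains entry and reports
which zone each domain/scheme pair has been assigned to, so unexpected
Trusted Sites entries can be confirmed without touching the live registry.
"""
import re

# IE URL security zone ids (URLZONE_* in urlmon.h): 2 = Trusted Sites.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
TRUSTED_ZONE = 2

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
# .reg DWORD value line, e.g. "*"=dword:00000002 or "http"=dword:00000001
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
DOMAINS_MARKER = "\\ZoneMap\\Domains\\"

# Constructed sample export (not from the thread); SID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com]
"*"=dword:00000002

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com]
"*"=dword:00000002

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com]
"*"=dword:00000002

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example\intranet]
"http"=dword:00000001
"""


def _domain_from_key(key):
    """Return the host name a Domains subkey describes, or None for other keys.

    Domains\<domain> covers the whole domain; Domains\<domain>\<host> covers
    one host, which we render as host.domain.
    """
    idx = key.find(DOMAINS_MARKER)
    if idx == -1:
        return None
    parts = key[idx + len(DOMAINS_MARKER):].split("\\")
    return parts[0] if len(parts) == 1 else parts[1] + "." + parts[0]


def parse_zonemap(reg_text):
    """Return a list of (domain, scheme, zone) tuples found in the export.

    The value name is the URL scheme ("http", "https") or "*" for any scheme;
    the DWORD data is the zone id.
    """
    entries = []
    current = None
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = _domain_from_key(key_match.group("key"))
            continue
        if current is None:
            continue  # value belongs to a key outside ZoneMap\Domains
        val_match = VALUE_RE.match(line)
        if val_match:
            zone = int(val_match.group("val"), 16)
            entries.append((current, val_match.group("name"), zone))
    return entries


def trusted_domains(reg_text):
    """Sorted list of domains that have been placed in the Trusted Sites zone."""
    return sorted({d for d, _, z in parse_zonemap(reg_text) if z == TRUSTED_ZONE})


def zone_report(reg_text):
    """Human-readable one-line-per-entry summary of the export."""
    return "\n".join(
        f"{domain:<24} {scheme:<6} zone {zone} ({ZONE_NAMES.get(zone, 'unknown')})"
        for domain, scheme, zone in parse_zonemap(reg_text)
    )


if __name__ == "__main__":
    print(zone_report(SAMPLE_REG))
    print("Trusted Sites entries:", ", ".join(trusted_domains(SAMPLE_REG)))
```

Compare the list against domains you deliberately trusted; anything else is a candidate for the manual deletion described above, and a second export after the fix confirms that the entries are gone.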
THANK YOU FOR THE HELP, IT IS AMAZING WHAT YOU GUYS CAN DO!
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.
I hope this is not too much of a problem?
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Default" = (no data)
"ATI Launchpad" = (no data)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
Enabled Active Desktop and Wallpaper:
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Justin Ostry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Justin Ostry" & "All Users" startup folders:
C:\Documents and Settings\Justin Ostry\Start Menu\Programs\Startup
"Folding@Home 5.03" -> shortcut to: "C:\Program Files\Folding@Home\winFAH.exe" ["Stanford University"]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
Enabled Scheduled Tasks:
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
GEARSecurity, GEARSecurity, "system32\gearsec.exe" ["GEAR Software"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
Keyboard Driver Filters:
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Reboot your computer into Safe Mode
Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
Post the contents of C:\log.txt in your next reply.
C:\Documents and Settings\Justin Ostry\Desktop\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
C:\WINDOWS\system32\thinInstall12.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\Dwapilib.tlb: dwProvSpec2
Files Found in all users startup Folder............
Files Found in all users windows Folder............
Finished
bye
Thanks. Justin
@echo off
rem Go to the root of the current drive, then into the system32 folder
cd\
cd %windir%\system32
rem List files only (no directories), newest first, into a text file on the system drive
dir /a:-d /o:-d > %systemdrive%\system32.txt
rem Open the listing in the default text editor (Notepad)
start %systemdrive%\system32.txt
cls
exit
Save this as look.bat, choose to save as *All Files*, and save it to your desktop.
Double-click on it and Notepad will open with a long list of all the files present in your system32 folder.
Copy and paste the first 20-30 lines of that log in your next reply.
Volume in drive C has no label.
Volume Serial Number is 14DC-98BB
Directory of C:\WINDOWS\system32
05/24/2005 09:25 PM 4,032 settings.sfm
05/24/2005 09:25 PM 4,032 settingsbkup.sfm
05/24/2005 09:25 PM 16,516 BMXState-{00000000-00000000-0000000C-00001102-00000002-80651102}.rfx
05/24/2005 09:25 PM 25,296 BMXBkpCtrlState-{00000000-00000000-0000000C-00001102-00000002-80651102}.rfx
05/24/2005 09:25 PM 25,296 BMXCtrlState-{00000000-00000000-0000000C-00001102-00000002-80651102}.rfx
05/24/2005 09:25 PM 16,516 BMXStateBkp-{00000000-00000000-0000000C-00001102-00000002-80651102}.rfx
05/24/2005 09:25 PM 24 DVCStateBkp-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
05/24/2005 09:25 PM 24 DVCState-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
05/23/2005 02:57 PM 2,206 wpa.dbl
05/21/2005 08:57 PM 98,304 CmdLineExt.dll
05/17/2005 08:19 PM 181,040 FNTCACHE.DAT
05/16/2005 06:34 PM 549,376 shdoclc.dll
05/16/2005 06:34 PM 549,376 ,
05/16/2005 06:34 PM 549,376 p
05/16/2005 06:34 PM 549,376 pp
05/07/2005 10:51 AM 1,043,800 MRT.exe
05/04/2005 02:45 PM 2,890,240 msi.dll
05/04/2005 02:45 PM 13,536 spmsg.dll
04/05/2005 11:17 AM 517,848 SymNeti.dll
04/05/2005 11:17 AM 132,824 SymRedir.dll
04/03/2005 11:07 AM 311,934 perfh009.dat
04/03/2005 11:07 AM 40,196 perfc009.dat
04/03/2005 11:07 AM 356,120 PerfStringBackup.INI
03/26/2005 11:14 AM 25,296 BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000002-80651102}.rfx
03/26/2005 11:14 AM 25,296 BMXCtrlState-{00000000-00000000-0000000B-00001102-00000002-80651102}.rfx
03/26/2005 11:14 AM 16,516 BMXStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.rfx
03/26/2005 11:14 AM 16,516 BMXState-{00000000-00000000-0000000B-00001102-00000002-80651102}.rfx
03/26/2005 11:14 AM 24 DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
03/26/2005 11:14 AM 24 DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
03/21/2005 03:00 PM 271,360 msihnd.dll
03/21/2005 03:00 PM 884,736 msimsg.dll
03/21/2005 03:00 PM 78,848 msiexec.exe
03/21/2005 03:00 PM 15,360 msisip.dll
03/10/2005 04:02 AM 607,744 urlmon.dll
03/10/2005 04:02 AM 656,896 wininet.dll
03/10/2005 04:02 AM 146,432 msrating.dll
03/10/2005 04:02 AM 3,010,560 mshtml.dll
03/10/2005 04:02 AM 1,483,264 shdocvw.dll
03/10/2005 04:02 AM 473,600 shlwapi.dll
03/10/2005 04:02 AM 250,880 iepeers.dll
03/10/2005 04:02 AM 96,256 inseng.dll
03/10/2005 04:02 AM 1,016,832 browseui.dll
03/10/2005 04:02 AM 151,040 cdfview.dll
03/02/2005 02:09 PM 291,328 winsrv.dll
03/02/2005 02:09 PM 577,024 user32.dll
03/02/2005 02:09 PM 56,832 authz.dll
03/01/2005 09:06 PM 1,836,288 win32k.sys
03/01/2005 08:59 PM 2,179,328 ntoskrnl.exe
03/01/2005 08:34 PM 2,056,832 ntkrnlpa.exe
02/28/2005 07:11 PM 8,450,048 shell32.dll
01/14/2005 04:55 AM 1,285,120 ole32.dll
01/14/2005 04:55 AM 74,752 olecli32.dll
01/14/2005 04:55 AM 37,888 olecnv32.dll
01/14/2005 04:55 AM 395,776 rpcss.dll
01/07/2005 06:35 PM 6 reboot.txt
12/20/2004 07:58 PM 83,664 S32EVNT1.DLL
12/14/2004 01:24 PM 466,944 capicom.dll
12/07/2004 03:32 PM 96,768 srvsvc.dll
12/01/2004 02:01 AM 294,912 atiiiexx.dll
12/01/2004 01:23 AM 208,896 ATIDEMGR.dll
12/01/2004 01:19 AM 539,648 hhctrl.ocx
11/30/2004 11:37 PM 6,643,712 atioglxx.dll
11/30/2004 11:13 PM 222,208 ati2dvag.dll
11/30/2004 11:07 PM 131,072 atipdlxx.dll
11/30/2004 11:07 PM 102,400 Oemdspif.dll
11/30/2004 11:07 PM 65,536 Ati2mdxx.exe
11/30/2004 11:07 PM 38,400 ati2edxx.dll
11/30/2004 11:06 PM 94,208 ati2evxx.dll
11/30/2004 11:05 PM 425,984 ati2evxx.exe
11/30/2004 11:04 PM 81,920 ATIDDC.DLL
11/30/2004 10:50 PM 2,169,120 ati3duag.dll
11/30/2004 10:45 PM 428,320 ativvaxx.dll
11/30/2004 10:36 PM 17,408 atitvo32.dll
11/30/2004 10:28 PM 245,760 ati2cqag.dll
11/30/2004 10:10 PM 516,096 ati2sgag.exe
11/17/2004 01:41 PM 347,136 hypertrm.dll
11/17/2004 01:38 PM 9,054 atifglpf.xml
11/16/2004 05:17 PM 68,096 hlink.dll
11/15/2004 04:14 PM 72,105 atiicdxx.dat
10/27/2004 09:21 PM 721,920 lsasrv.dll
09/17/2004 06:37 PM 61,440 vuins32.dll
09/08/2004 07:48 PM 269 spupdwxp.log
09/08/2004 01:38 PM 1,712,201 inetclnt.dll
09/05/2004 08:58 PM 80,384 thinInstall12.dll
09/05/2004 12:56 AM 114,688 k404SearchSetup_MS14.exe
09/05/2004 12:42 AM 0 06wu29rd.exe
09/05/2004 12:42 AM 0 newdevin.exe
08/17/2004 11:14 PM 442,368 vp6vfw.dll
08/04/2004 01:56 AM 130,048 ksproxy.ax
08/04/2004 01:56 AM 4,096 ksuser.dll
08/04/2004 01:07 AM 1,788 dcache.bin
08/04/2004 01:02 AM 329,728 netsetup.exe
08/04/2004 01:01 AM 87,176 rdpwsx.dll
08/04/2004 01:01 AM 12,168 tsddd.dll
08/04/2004 01:01 AM 92,168 rdpdd.dll
08/04/2004 12:57 AM 299,520 drmclien.dll
08/04/2004 12:57 AM 2,105,344 wmvcore.dll
08/04/2004 12:57 AM 695,296 drmv2clt.dll
08/04/2004 12:57 AM 356,352 msscp.dll
08/04/2004 12:57 AM 259,072 msnetobj.dll
08/04/2004 12:56 AM 848,384 ir41_32.ax
08/04/2004 12:56 AM 8,192 spdwnwxp.exe
08/04/2004 12:56 AM 89,600 smlogsvc.exe
08/04/2004 12:56 AM 8,192 smbinst.exe
08/04/2004 12:56 AM 11,776 spnpinst.exe
08/04/2004 12:56 AM 73,796 slserv.exe
08/04/2004 12:56 AM 18,432 bdaplgin.ax
08/04/2004 12:56 AM 154,624 ivfsrc.ax
08/04/2004 12:56 AM 57,856 spoolsv.exe
08/04/2004 12:56 AM 21,504 spupdwxp.exe
08/04/2004 12:56 AM 221,184 msadds32.ax
08/04/2004 12:56 AM 32,866 slrundll.exe
08/04/2004 12:56 AM 704,512 ss3dfo.scr
08/04/2004 12:56 AM 19,968 ssbezier.scr
08/04/2004 12:56 AM 164,352 wstpager.ax
08/04/2004 12:56 AM 239,616 wstrenderer.ax
08/04/2004 12:56 AM 17,408 ipconf.tsp
08/04/2004 12:56 AM 129,536 intl.cpl
08/04/2004 12:56 AM 131,584 sndrec32.exe
08/04/2004 12:56 AM 23,040 ativmvxx.ax
08/04/2004 12:56 AM 9,728 ativdaxx.ax
08/04/2004 12:56 AM 358,400 inetcpl.cpl
08/04/2004 12:56 AM 148,480 wscui.cpl
08/04/2004 12:56 AM 68,608 joy.cpl
08/04/2004 12:56 AM 114,688 wscript.exe
08/04/2004 12:56 AM 13,824 wscntfy.exe
08/04/2004 12:56 AM 393,216 ssflwbox.scr
08/04/2004 12:56 AM 20,992 ssmarque.scr
08/04/2004 12:56 AM 26,112 skeys.exe
08/04/2004 12:56 AM 32,768 odbccp32.cpl
08/04/2004 12:56 AM 47,104 ssmypics.scr
08/04/2004 12:56 AM 70,144 sigverif.exe
08/04/2004 12:56 AM 110,592 bthprops.cpl
08/04/2004 12:56 AM 19,456 shutdown.exe
08/04/2004 12:56 AM 33,280 kmddsp.tsp
08/04/2004 12:56 AM 76,800 remotesp.tsp
08/04/2004 12:56 AM 18,944 ssmyst.scr
08/04/2004 12:56 AM 610,304 sspipes.scr
08/04/2004 12:56 AM 32,256 wpnpinst.exe
08/04/2004 12:56 AM 14,336 ssstars.scr
08/04/2004 12:56 AM 32,256 wpabaln.exe
08/04/2004 12:56 AM 220,672 logon.scr
08/04/2004 12:56 AM 77,824 shrpubw.exe
08/04/2004 12:56 AM 42,496 shmgrate.exe
08/04/2004 12:56 AM 679,936 sstext3d.scr
08/04/2004 12:56 AM 14,848 stimon.exe
08/04/2004 12:56 AM 135,168 desk.cpl
08/04/2004 12:56 AM 16,384 ipsink.ax
08/04/2004 12:56 AM 61,952 kstvtune.ax
08/04/2004 12:56 AM 549,888 appwiz.cpl
08/04/2004 12:56 AM 90,624 kswdmcap.ax
08/04/2004 12:56 AM 258,048 wmvds32.ax
08/04/2004 12:56 AM 33,280 psisrndr.ax
08/04/2004 12:56 AM 56,832 msdvbnp.ax
08/04/2004 12:56 AM 43,008 ksxbar.ax
08/04/2004 12:56 AM 298,496 sysdm.cpl
08/04/2004 12:56 AM 105,984 sysocmgr.exe
08/04/2004 12:56 AM 23,040 setup.exe
08/04/2004 12:56 AM 135,680 taskmgr.exe
08/04/2004 12:56 AM 75,264 telnet.exe
08/04/2004 12:56 AM 50,688 smss.exe
08/04/2004 12:56 AM 278,559 wmv8ds32.ax
08/04/2004 12:56 AM 31,232 sethc.exe
08/04/2004 12:56 AM 94,208 timedate.cpl
08/04/2004 12:56 AM 61,440 tlntadmn.exe
08/04/2004 12:56 AM 78,336 tlntsess.exe
08/04/2004 12:56 AM 73,216 tlntsvr.exe
08/04/2004 12:56 AM 347,136 tourstart.exe
08/04/2004 12:56 AM 259,584 tracerpt.exe
08/04/2004 12:56 AM 12,288 tracert.exe
08/04/2004 12:56 AM 257,024 nusrmgr.cpl
08/04/2004 12:56 AM 206,848 unimdm.tsp
08/04/2004 12:56 AM 16,896 upnpcont.exe
08/04/2004 12:56 AM 18,432 ups.exe
08/04/2004 12:56 AM 80,384 firewall.cpl
08/04/2004 12:56 AM 140,800 sessmgr.exe
08/04/2004 12:56 AM 24,576 userinit.exe
Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
- Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
C:\WINDOWS\system32\thinInstall12.dll
C:\WINDOWS\system32\Dwapilib.tlb
- Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
- Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.
Please download IEFix from here:
http://www.spywareinfo.com/downloads/tools/IEFIX.reg
Save it to the desktop. Double-click on it to merge it with the registry, and OK any prompts. Then please restart your computer, run Internet Explorer, and let me know if the problems remain.
http://www.platinumfreegallery.com/host.html?q=/SR/CFT/211560/picture/15/carrerra/1/51/0/1/PBb/
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Logfile of HijackThis v1.99.1
Scan saved at 1:55:52 PM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis_199.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pitt.edu,cis.pitt.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pitt.edu,cis.pitt.edu
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
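The hosts file and the HijackThis log above are read by hand in this thread. As an added example, not from the original posts and not part of HijackThis, here is a small Python triage script that does the two checks a helper does first: flag every hosts entry other than the stock localhost line, and bucket the HJT sections that usually carry a hijack (R0/R1 start pages, O2 BHOs, O4 autostarts, O17 TCP/IP settings, with any O17 NameServer pulled out as a statically configured DNS server to verify against the ISP). The sample inputs are constructed: the hosts lines mirror the posted file plus one redirect to an RFC 5737 test address, and the HJT lines are a few taken from the log above plus one constructed O17 NameServer line with a placeholder GUID.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file: the Microsoft boilerplate and localhost line as
# posted above, plus one mapping added here (RFC 5737 test address) so the
# detector has something to catch. Not from the original post.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.1       www.google.com    # constructed: sends a real name elsewhere
"""

# Constructed sample HijackThis lines: five from the log above plus one
# constructed O17 NameServer line (placeholder GUID, RFC 5737 addresses).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Folding@Home 5.03.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pitt.edu,cis.pitt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53,192.0.2.54
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def suspicious_hosts_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, names) for every hosts line that is not the stock localhost
    mapping. A default Windows hosts file carries nothing else, so any extra
    entry either redirects a site to another server or blackholes it (malware
    does the latter to security vendors' update sites); each one deserves a look.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                                   # blank or malformed line
        ip, names = parts[0], parts[1:]
        if ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names):
            continue                                   # the stock entry
        hits.append((ip, names))
    return hits


# Every HJT line starts with a section code such as R0, O4, O17, O23.
HJT_LINE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hjt_findings(text: str) -> Dict[str, List[str]]:
    """Bucket HijackThis lines by the sections that usually carry a hijack.
    R0/R1: IE start and search pages; O2: BHOs; O4: autostarts; O17: TCP/IP
    parameters. A SearchList is just the DNS suffix list, but a NameServer
    entry is a statically set DNS server, which on a DHCP home client is a
    classic redirect, so its addresses are returned separately for checking.
    """
    f: Dict[str, List[str]] = {"start_pages": [], "bhos": [], "autostarts": [],
                               "tcpip": [], "static_dns": []}
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            f["start_pages"].append(body)
        elif kind == "O2":
            f["bhos"].append(body)
        elif kind == "O4":
            f["autostarts"].append(body)
        elif kind == "O17":
            f["tcpip"].append(body)
            if "NameServer" in body:
                f["static_dns"].extend(IPV4.findall(body))
    return f


if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts redirect:", ip, " ".join(names))
    for section, lines in hjt_findings(SAMPLE_HJT).items():
        print(section, lines)
```

On the log above the hosts check returns nothing (only the localhost line is present) and the O17 lines carry only a SearchList, which is why the helper moved on to the registry search rather than the network settings.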
Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for platinumfreegallery and click OK. Post the logfile from the tool here for me.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "platinumfreegallery" 5/27/2005 7:42:13 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-861567501-688789844-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs]
"url10"="http://www.platinumfreegallery.com/host.html?q=/SR/CFT/211560/picture/15/carrerra/1/51/0/1/PBb/"
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Open Internet Explorer. Click Tools -> Internet Options. Then click the Security tab and highlight Restricted Sites. Click the Sites button and you should be presented with a form where you can add a site to be restricted. Enter in *.platinumfreegallery.com
Ok your way out. Reboot and let me know if you still get that page with IE.
- Double-click the mwav.exe icon to run it (it'll self extract).
- When it opens, check the following:
---- Memory
---- Registry
---- Startup Folders
---- System Folders
---- Services
---- Drive
---- All local drives
---- Scan all files
- Then click on SCAN
When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
Object "AdDestroyer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\LOGILANG.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeAuthoring.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeCapture.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeEffects.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeImage.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeMusic.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTimeMusicalInstruments.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeStreamingAuthoring.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QuickTime\QuickTimeVRAuthoring.qtx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QTPlugin.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-dan.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-rus.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fin.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptb.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-plk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-csy.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-sky.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-slv.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-hun.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-tha.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-trk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ell.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esl.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\Dwapilib.tlb". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00C00B36-69FC-453A-BD54-52C4CFECD868}" refers to invalid object "C:\PROGRA~1\INTERA~1\INTERA~1\RECOEN~1\ONEVOI~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01111e00-3e00-11d2-8470-0060089874ed}" refers to invalid object "C:\Program Files\support.com\bin\tgctlsi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01113300-3e00-11d2-8470-0060089874ed}" refers to invalid object "C:\Program Files\support.com\bin\tgctlcm.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01118400-3e00-11d2-8470-0060089874ed}" refers to invalid object "C:\Program Files\support.com\bin\sdcnetcheck.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01118b00-3e00-11d2-8470-0060089874ed}" refers to invalid object "C:\Program Files\support.com\bin\ssctlnwk.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01118d00-3e00-11d2-8470-0060089874ed}" refers to invalid object "C:\Program Files\support.com\bin\tgctlpw.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{039CD332-FB27-4F71-93D2-DB6610BB84D3}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{065DAF12-2C96-11D1-A2BE-00A024C0EB3C}" refers to invalid object "C:\Program Files\PCFriendly\main\bin\Router.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09076121-9B82-463F-AB64-571692399646}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{11136AFD-75EA-4897-842E-AF59266DA353}" refers to invalid object "C:\PROGRA~1\INTERA~1\INTERA~1\RECOEN~1\ONEVOI~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1E5CC1BF-9B43-47BA-AFA9-BB38A9068722}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3708886A-7D2C-4451-9325-0DA59C287011}" refers to invalid object "C:\Program Files\Creative\SBLive\RemoteCenter\Center\Tasks\MP3FileSink.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{37C64D52-538B-11D5-BC0B-00D0B76BF9FA}" refers to invalid object "C:\PROGRA~1\Creative\SBLive\REMOTE~1\Center\Tasks\CTAudRec.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4281B857-D41F-4165-B9E6-BE3DD5B24109}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRDrv.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4573D9BF-F1AE-4516-B9B3-F9B1B9A9BDDC}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdvdEng.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{49527153-FCFD-42FC-A7B8-07B6CADB4D2D}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56336BCA-3D8A-11d6-A00B-0050DA18DE71}" refers to invalid object "C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\InfoWindow.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{61CAAD5D-29B6-4207-A3AA-E9AFEDA8510C}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\NTICdDrv.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70DC80A9-D4F8-4383-A0D7-93179AA8305E}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdvdEng.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7630D6A2-4512-4ca2-915D-F457BC782564}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdvdEng.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{76CE1CC0-7932-11D1-9509-00A0C9925315}" refers to invalid object "C:\PROGRA~1\PCFRIE~1\main\bin\ITIVIDEO.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{86D31600-D69B-11D0-B5A3-00609715DEB2}" refers to invalid object "C:\PROGRA~1\COMMON~1\Risxtd\Risxtd32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8ED29D6D-A97D-4365-A72D-390743E39AEB}" refers to invalid object "C:\Program Files\Ulead Systems\Ulead DVD PictureShow 2 SE\uFileIO.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{94515F8C-8451-4067-9816-4166B3418F0B}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9885A107-6FB9-4D28-8864-8DB73413B7E9}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XLogUtil.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99AC5564-0CF3-4c5b-A594-651AC625DE15}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdvdEng.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AADE03FE-7BB6-4312-981D-E9F6DAAA3D75}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AC8BF71E-E41F-4FE7-B58C-E4AC3555C0BF}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LDrtBurn.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B4346D2E-E989-49B1-B3AB-4506028194C6}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdrtDisc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB37EFA1-7BA6-437D-99AA-16E023451DE2}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C2316705-49F3-46a6-B178-FD617FA235D8}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdvdEng.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F20-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulspmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F28-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulspmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F30-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uldsmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F38-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uldsmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F40-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uldsmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F48-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uldsmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F50-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulesmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F58-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulesmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F59-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulesmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F5A-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulesmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF957F5B-77FE-4192-A59F-95CA43BD04BA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\ulesmpeg.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D19355DC-9045-4B3A-B321-1710330B5AB8}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D5B94B54-5C93-4E75-853A-28D4F18A5E3A}" refers to invalid object "C:\Program Files\Ulead Systems\Ulead DVD PictureShow 2 SE\uFileIO.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D7BCD582-12D9-41DE-A0DD-1140A140D8C3}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9353291-110E-437E-B5AC-596E64E0ECAD}" refers to invalid object "C:\Program Files\Ulead Systems\Ulead DVD PictureShow 2 SE\uFileIO.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC377543-0DAB-4737-87DF-A7BB78769370}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LDVDRec.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DF5F4E46-D041-416C-B77E-6F8E662E2734}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E69C308A-0582-4BFF-B3DA-697BB2BB5CDA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\XDiscLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F50B3F10-19C4-11CF-AA9A-02608C9BABA2}" refers to invalid object "C:\WINDOWS\System32\FILTER.AX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\PCFriendly.PCFriendly ActiveX Control.1" refers to invalid object "{A0739DE5-571F-11D2-A031-0060977F760C}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server.9" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\k404SearchSetup_MS14.exe tagged as "not-a-virus:AdWare.ToolBar.404Search.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File C:\WINDOWS\system32\SWRT01.dll tagged as "not-a-virus:AdWare.VirtualBouncer.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{199C590E-0FD8-4823-80EA-7EC264848546}\RP185\A0026670.dll infected by "Trojan-Dropper.Win32.Keenval.a" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{199C590E-0FD8-4823-80EA-7EC264848546}\RP199\A0027447.dll infected by "Trojan-Dropper.Win32.Small.nj" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\k404SearchSetup_MS14.exe tagged as "not-a-virus:AdWare.ToolBar.404Search.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File C:\WINDOWS\system32\SWRT01.dll tagged as "not-a-virus:AdWare.VirtualBouncer.g". Action Taken: No Action Taken.
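Most of the mwav log above is registry entries pointing at files that no longer exist, which is cruft rather than infection; the actionable lines are the "infected by" and "tagged as" hits, and of those the ones under System Volume Information sit inside System Restore snapshots, which Killbox cannot reach (they are purged by turning System Restore off and back on). As an added example, not part of the original thread or of the eScan/mwav tool, this Python snippet reduces such a log to the list of live files to remove. The sample lines are copied from the log above, with the repeated k404 line kept to show the de-duplication; it is not a complete log.

```python
import re
from typing import Dict, List

# Sample lines copied from the mwav log above: one stale registry reference,
# the three system32 hits (k404 repeated, as it is in the log) and one hit
# inside a System Restore point. Not a complete log.
SAMPLE_LOG = r"""
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.
File C:\WINDOWS\system32\k404SearchSetup_MS14.exe tagged as "not-a-virus:AdWare.ToolBar.404Search.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File C:\WINDOWS\system32\SWRT01.dll tagged as "not-a-virus:AdWare.VirtualBouncer.g". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{199C590E-0FD8-4823-80EA-7EC264848546}\RP185\A0026670.dll infected by "Trojan-Dropper.Win32.Keenval.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\k404SearchSetup_MS14.exe tagged as "not-a-virus:AdWare.ToolBar.404Search.a". Action Taken: No Action Taken.
"""

# 'File <path> infected by "<name>" Virus! ...' or 'File <path> tagged as <name>. ...'
# The path may contain spaces, so it is matched lazily up to the verb; the
# detection name may or may not be quoted, and "Action Taken:" may be missing.
FILE_HIT = re.compile(
    r'^File (?P<path>.+?) (?P<verb>infected by|tagged as) "?(?P<name>[^"]+?)"?'
    r'(?: Virus!)?\.? (?:Action Taken: )?No Action Taken\.$'
)
# Registry entries pointing at files that no longer exist: leftover cruft.
STALE_REF = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]+)"')
RESTORE_MARK = "system volume information"


def triage_mwav_log(text: str) -> Dict[str, object]:
    """Reduce an mwav log to what needs acting on.

    detections: path -> detection name, duplicates collapsed
    delete_list: detections on the live file system, i.e. what to feed Killbox
    restore_point_hits: detections inside System Restore snapshots; these are
        cleared by disabling and re-enabling System Restore, not by Killbox
    stale_registry_refs: count of "refers to invalid object" lines
    """
    detections: Dict[str, str] = {}
    restore_hits: List[str] = []
    stale = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_HIT.match(line)
        if m:
            path = m.group("path")
            if path not in detections:            # mwav lists hits twice
                detections[path] = m.group("name")
                if RESTORE_MARK in path.lower():
                    restore_hits.append(path)
        elif STALE_REF.match(line):
            stale += 1
    return {
        "detections": detections,
        "delete_list": [p for p in detections if p not in restore_hits],
        "restore_point_hits": restore_hits,
        "stale_registry_refs": stale,
    }


if __name__ == "__main__":
    result = triage_mwav_log(SAMPLE_LOG)
    print("stale registry references:", result["stale_registry_refs"])
    print("in restore points (disable System Restore to purge):", result["restore_point_hits"])
    print("hand to Killbox:")
    for path in result["delete_list"]:
        print("  ", path, "-", result["detections"][path])
```

Run against the sample, the delete list is exactly the three system32 files the helper lists next, and the Keenval dropper in RP185 is reported separately because a file-level delete will not touch it.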
C:\WINDOWS\system32\SWRT01.dll
C:\WINDOWS\system32\KILLAPPS.EXE
C:\WINDOWS\system32\k404SearchSetup_MS14.exe
Download the trial version of Ace Utilities and install it.
http://acelogix.fileburst.com/au.exe
Open up the program and go to Clean System Registry. Run this utility and remove the bad registry entries that it finds. Reboot your computer when it's done.
Please download DLLCompare from here:
http://downloads.subratam.org/DllCompare.exe
Save it to the desktop and run it. Click "Run Locate.com" to scan for DLL files. When the scan is finished, click "Compare". Finally, when that is complete, click "Make a Log of What Was Found". Please post the entire contents of the logfile here for me.
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
________________________________________________
1,386 items found: 1,386 files, 0 directories.
Total of file sizes: 295,574,030 bytes 281.88 M
Administrator Account = True
End log
http://www.snapfiles.com/get/ntregopt.html
Are you still getting that page?
http://www.derfisch.de/lars/ntregopt-setup.exe
Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to your desktop, run it, and click Scan.
This will generate a log file. Please post the entire contents of the log file to your next post.
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile 6/1/2005 8:44 PM 60 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile 6/1/2005 8:44 PM 60 bytes Data mismatch between Windows API and raw hive data.
My only suggestion at this point is to use an alternate browser such as Firefox.