popup problem, yyy102 and yyy65

I think I'm infected with Look2Me malware. When I got it I immediately deleted files and registry entries that I knew were somehow connected to the problem. I also followed removal instructions I found on the net as well as I could. And I ran a lot of different virus cleaning and spyware cleaning programs, even the L2MRemover tool (that found the infection), but it crashed every time.... I managed anyway to get it to remove some registry entries by stopping it right before the crash, but new ones just appeared after restart. Nothing has helped to remove the final annoying thing that makes me unable to work or play with my computer properly.

My computer works mostly fine, because I've removed most of the crap that followed; the only visible thing that remains is popups and site changing in both Firefox and IE. There are 4 types of these:
1. addresses that end with yyy102.htm
2. addresses that end with yyy65.htm
3. advertising for web hosting, spyware removal tools, and other harmless stuff.
4. fancy popups from nowhere with some advertising and containing "click here" (maybe I removed these, but I'm not sure)

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:32:37, on 12.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programfiler\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINDOWS\PowerS.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\SundryTools\ST.exe
C:\WINDOWS\system32\rundll32.exe
C:\programfiler\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\OpenOffice.org 2.0\program\soffice.exe
C:\Programfiler\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\devldr32.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Programfiler\Windows NT\Tilbehør\WORDPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
G:\Downloaded Programs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SundryTools] C:\Programfiler\SundryTools\ST.exe -h
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programfiler\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\Programfiler\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programfiler\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: WebPage Spy - {46A89114-6553-4d55-8F0E-B1FF437D5857} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4416/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ayi3duag.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

One certain problem file, I think, is: O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ayi3duag.dll

Comments

  • TroganTrogan London, UK
    edited January 2006
    Hi, Welcome to Short-Media :)


    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
    C:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application..." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
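The OP's suspicion rests on the O20 Winlogon Notify line, and the L2Mfix find log that follows in the thread dumps exactly the keys an analyst has to read by hand: Winlogon\Notify, User Agent\Post Platform, Shell Extensions\Approved and the matching HKCR\CLSID entries. The script below is an added example for this thread, not code from L2Mfix, HijackThis or either poster. It parses a .reg-style export offline, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values that regedit emits, flags Notify subkeys that are unknown, load a DLL by absolute path or load the wrong DLL, and resolves Approved shell extensions with an empty description to their InprocServer32 DLL. SAMPLE_EXPORT is a trimmed excerpt constructed from values quoted in the thread; WINLOGON_BASELINE is my own assumption of what a clean XP SP2 install registers and would need adjusting per machine.

```python
"""Offline triage of a .reg-style export of the registry keys Look2Me abuses.

Added example for this thread; not code from L2Mfix, HijackThis or the posters.
SAMPLE_EXPORT is a trimmed excerpt constructed from values quoted in the thread,
and WINLOGON_BASELINE is an assumed clean-XP-SP2 table (adjust per machine).
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

# Assumed baseline: Notify subkey -> DLL it loads on a clean XP SP2 box (lower-case).
# Vendor entries such as ATI's AtiExtEvent are per-machine additions.
WINLOGON_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
    "wgalogon": "wgalogon.dll", "atiextevent": "ati2evxx.dll",
}

# Constructed sample: a subset of the find log quoted in this thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DllName"="C:\\WINDOWS\\system32\\ayi3duag.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{3F6D702A-F5D7-41D2-AC6C-426A371C8490}"=""
"{0B42AEF5-DDE1-4FCF-873A-6276CB676346}"=""

[HKEY_CLASSES_ROOT\CLSID\{0B42AEF5-DDE1-4FCF-873A-6276CB676346}\InprocServer32]
@="C:\\WINDOWS\\system32\\vablock.dll"
"ThreadingModel"="Apartment"
'''


def decode_reg_value(raw):
    """Decode a .reg value literal: "quoted" strings and hex(2): (REG_EXPAND_SZ, UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")      # regedit doubles backslashes
    m = re.match(r"hex\(2\):(.*)", raw, re.S)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                       # dword:/hex: left as text


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}, joining \\-continued lines."""
    keys, cur, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                      # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and "=" in line:
            name, _, val = line.partition("=")
            keys[cur][name.strip('"')] = decode_reg_value(val)   # '@' is the default value
    return keys


def get_key(keys, path):
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})


def triage_winlogon_notify(keys):
    """Flag Notify subkeys that are unknown, load a DLL by absolute path, or load the wrong DLL.

    Legitimate XP entries name a bare DLL resolved from system32; Look2Me registers a
    plausible-looking subkey ("Unimodem" here) pointing at a random-named DLL by full path.
    """
    findings = []
    for path, vals in keys.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        sub = path[len(NOTIFY_KEY) + 1:]
        dll = next((v for k, v in vals.items() if k.lower() == "dllname"), None)
        if "\\" in sub or dll is None:               # nested keys (WgaLogon\Settings) have no DllName
            continue
        expected = WINLOGON_BASELINE.get(sub.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey not in baseline")
        if "\\" in dll:
            reasons.append("DLL given by absolute path")
        if expected and dll.lower().rsplit("\\", 1)[-1] != expected:
            reasons.append(f"expected {expected}")
        if reasons:
            findings.append((sub, dll, "; ".join(reasons)))
    return findings


def triage_shell_extensions(keys):
    """Resolve Approved shell extensions with an empty description to their InprocServer32 DLL.

    Real extensions carry a description string; Look2Me's registered CLSIDs do not.
    """
    findings = []
    for clsid, desc in get_key(keys, APPROVED_KEY).items():
        if desc:
            continue
        inproc = get_key(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32")
        findings.append((clsid, inproc.get("@", "<CLSID not in export>")))
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_EXPORT)
    for sub, dll, why in triage_winlogon_notify(reg):
        print(f"Winlogon\\Notify\\{sub} -> {dll}  [{why}]")
    for clsid, dll in triage_shell_extensions(reg):
        print(f"Approved {clsid} (no description) -> {dll}")
```

Run against the full find log rather than the excerpt, the same two functions surface the Unimodem entry and the vablock.dll CLSID without having to eyeball a few hundred lines of registry dump; the hex(2) decoding matters because regedit writes most of the legitimate wlnotify.dll entries in that form, so a naive text search for "dll" misses them.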
  • edited January 2006
    L2MFIX find log 010406
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\ayi3duag.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
    "Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
    00,00,aa,18,eb,f7,ba,e7,d9,42,94,ac,c7,c8,98,01,f8,ae,04,00,00,00,04,00,00,\
    00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,1d,7c,96,af,c1,da,d8,ca,\
    1f,93,c1,34,5b,cc,cd,01,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,8d,\
    5f,a4,fa,6a,ab,72,01,1f,de,59,fc,21,9a,c1,67,f0,01,00,00,45,d7,31,cc,97,e4,\
    d6,1a,d6,fc,88,64,79,e0,f0,8b,47,ed,c9,bc,12,f0,65,44,4d,b3,47,d0,c3,9d,11,\
    76,a3,9e,b1,1b,e4,c8,d7,ea,03,57,40,46,d6,81,62,19,ac,af,9e,cb,1c,0d,87,e4,\
    4e,a2,88,77,dd,60,74,0f,aa,ab,32,2c,b1,a3,9e,e7,72,55,df,37,47,61,9c,e9,5d,\
    86,94,78,b0,fa,70,94,c0,b7,de,4e,a6,97,74,c9,89,09,29,c9,96,f7,aa,db,db,0f,\
    71,df,2d,57,0d,50,51,0a,42,14,bb,c2,bc,9d,53,13,bb,0f,ae,59,4f,e1,63,a3,b1,\
    bd,31,bd,ac,39,76,a9,f7,fa,64,8d,5d,36,74,08,9b,b0,5d,cb,a1,9c,89,86,ae,42,\
    05,9d,26,86,e9,b4,93,cd,27,06,bb,23,2b,b1,1f,56,4d,cb,e9,71,7e,ef,2f,db,cd,\
    55,03,90,bb,09,1b,3a,62,f2,16,cd,bd,76,a8,8c,73,07,86,11,aa,94,6b,25,36,30,\
    33,20,db,c2,ad,9b,39,64,a9,9d,ae,83,05,59,31,fd,04,1b,df,64,33,4a,9a,18,bf,\
    cf,df,af,f4,9c,04,93,9d,53,f3,2a,1f,f0,27,3f,e9,3d,3b,03,3f,6c,d0,6b,58,77,\
    3f,b6,14,0a,85,91,5f,38,86,ac,6a,f7,8f,53,eb,93,ab,ba,ee,10,09,08,4a,86,3d,\
    88,b2,49,26,b8,13,8b,a5,b6,e3,f6,85,01,52,32,87,4c,0b,77,ce,d8,c9,a7,84,5f,\
    5c,bc,dd,4d,35,56,b8,ef,8c,76,95,30,a1,32,a9,c0,1c,6a,77,cc,3f,cf,fd,e8,51,\
    99,77,47,c9,a6,4f,ac,42,ec,dc,56,5e,6d,0a,2e,13,09,f7,6e,88,cd,92,90,bf,6c,\
    9d,a9,6e,55,5e,6b,98,c3,4a,c9,08,6b,c3,17,53,72,7a,21,ff,f9,45,e2,bf,57,c0,\
    cf,fd,68,87,e8,e6,93,76,dc,aa,3f,6c,83,b7,09,cb,af,d8,1c,3b,24,de,cc,11,b8,\
    59,e6,94,bf,17,37,7b,c5,e4,b7,93,a5,74,a3,8c,8f,ab,f6,28,86,3b,87,56,9f,5b,\
    3d,e4,16,56,47,f0,41,37,df,ba,6f,c2,fe,28,cd,bf,06,c6,9e,10,a3,a5,fd,5f,3b,\
    ba,25,a0,45,c2,d4,34,8a,5c,91,aa,34,01,97,14,1e,d8,28,df,fb,23,42,df,33,66,\
    74,b5,52,2d,5b,c0,b1,a4,1c,71,a3,1d,ca,e8,d4,14,00,00,00,37,0b,e5,ad,1e,a1,\
    9e,f3,e1,82,e2,b0,f2,62,b1,e1,0d,ee,65,a2

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{03802829-A3EC-E79D-B6E7-A601861DD9DB}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Skallutvidelser for filkomprimering"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Hurtigmeny for kryptering"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Skallutvidelser for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Søk"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og støtte"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og støtte"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kjør..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verktøy"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verktøylinje"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="Båndproxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-søk"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-bånd"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Få en passport-veiviser"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.11 Context Menu Shell Extension"
    "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.11 DragDrop Shell Extension"
    "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.11 Context Menu Shell Extension"
    "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.11 Property Sheet Shell Extension"
    "{79BC0345-1015-11D2-A299-006008312725}"="blue.shell"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"="OpenOffice.org Column Handler"
    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}"="OpenOffice.org Infotip Handler"
    "{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice.org Property Sheet Handler"
    "{3B092F0C-7696-40E3-A80F-68D74DA84210}"="OpenOffice.org Thumbnail Viewer"
    "{29F97553-FBD6-33D1-BFC1-47A024D1875C}"="c2c"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{A4D78B20-6E05-1069-8758-4E73FD83DEAD}"="QCopy"
    "{3F6D702A-F5D7-41D2-AC6C-426A371C8490}"=""
    "{0B42AEF5-DDE1-4FCF-873A-6276CB676346}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0B42AEF5-DDE1-4FCF-873A-6276CB676346}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B42AEF5-DDE1-4FCF-873A-6276CB676346}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B42AEF5-DDE1-4FCF-873A-6276CB676346}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0B42AEF5-DDE1-4FCF-873A-6276CB676346}\InprocServer32]
    @="C:\\WINDOWS\\system32\\vablock.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    ayi3duag.dll Thu 12 Jan 2006 0:07:04 ..S.R 234 253 228,76 K
    bmpanui.dll Wed 11 Jan 2006 21:55:40 ..S.R 235 810 230,28 K
    browseui.dll Thu 24 Nov 2005 1:39:22 A.... 1 022 464 998,50 K
    cdfview.dll Fri 21 Oct 2005 4:41:50 A.... 151 552 148,00 K
    danim.dll Sat 5 Nov 2005 4:20:34 A.... 1 054 720 1,00 M
    dnlo01~1.dll Wed 11 Jan 2006 21:21:54 ..S.R 234 805 229,30 K
    dxtrans.dll Fri 21 Oct 2005 4:41:50 A.... 205 312 200,50 K
    ennsl1~1.dll Wed 11 Jan 2006 23:56:14 ..S.R 236 928 231,38 K
    esent.dll Thu 20 Oct 2005 23:31:12 A.... 1 082 368 1,03 M
    extmgr.dll Fri 21 Oct 2005 4:41:50 ..... 55 808 54,50 K
    f4l02e~1.dll Wed 11 Jan 2006 22:17:08 ..S.R 235 810 230,28 K
    fontsub.dll Mon 17 Oct 2005 22:21:56 A.... 80 896 79,00 K
    fpj803~1.dll Wed 11 Jan 2006 19:53:24 A.S.R 234 573 229,07 K
    gccoll~1.dll Tue 15 Nov 2005 12:12:08 A.... 126 680 123,71 K
    gcunco~1.dll Tue 15 Nov 2005 12:12:06 A.... 95 448 93,21 K
    gdi32.dll Thu 29 Dec 2005 3:56:08 A.... 280 064 273,50 K
    hashlib.dll Tue 15 Nov 2005 12:12:08 A.... 117 976 115,21 K
    hrn405~1.dll Wed 11 Jan 2006 23:23:54 ..S.R 233 475 228,00 K
    iepeers.dll Fri 21 Oct 2005 4:41:50 A.... 251 392 245,50 K
    inseng.dll Fri 21 Oct 2005 4:41:50 A.... 96 768 94,50 K
    ir0sl5~1.dll Thu 12 Jan 2006 0:00:04 ..S.R 234 253 228,76 K
    ir60l5~1.dll Wed 11 Jan 2006 21:55:40 ..S.R 236 875 231,32 K
    kfdusx.dll Wed 11 Jan 2006 21:21:54 ..S.R 234 474 228,98 K
    l02s0a~1.dll Wed 11 Jan 2006 22:34:14 ..S.R 233 608 228,13 K
    l22slc~1.dll Wed 11 Jan 2006 21:30:42 ..S.R 234 474 228,98 K
    legitc~1.dll Wed 9 Nov 2005 11:30:32 ..... 534 280 521,76 K
    msctl32.dll Wed 11 Jan 2006 15:45:36 A.... 68 096 66,50 K
    msgplu~1.dll Wed 19 Oct 2005 15:05:30 A.... 45 640 44,57 K
    mshtml.dll Thu 24 Nov 2005 1:39:24 A.... 3 013 632 2,87 M
    mshtmled.dll Fri 21 Oct 2005 4:41:52 A.... 448 512 438,00 K
    msrating.dll Fri 21 Oct 2005 4:41:52 A.... 146 432 143,00 K
    mstime.dll Fri 21 Oct 2005 4:41:54 A.... 530 944 518,50 K
    ndprint.dll Wed 11 Jan 2006 22:37:52 ..S.R 236 928 231,38 K
    pngfilt.dll Fri 21 Oct 2005 4:41:54 A.... 39 424 38,50 K
    r8p80i~1.dll Wed 11 Jan 2006 21:02:30 ..S.R 235 352 229,84 K
    s6rslg~1.dll Thu 12 Jan 2006 0:27:52 ..S.R 236 049 230,52 K
    shdocvw.dll Thu 1 Dec 2005 4:33:22 A.... 1 492 480 1,42 M
    shlwapi.dll Fri 21 Oct 2005 4:41:54 A.... 473 600 462,50 K
    t2embed.dll Mon 17 Oct 2005 22:21:56 A.... 118 272 115,50 K
    urlmon.dll Sat 5 Nov 2005 4:20:40 A.... 604 160 590,00 K
    vablock.dll Thu 12 Jan 2006 0:27:52 ..S.R 234 253 228,76 K
    wbhelp2.dll Fri 21 Oct 2005 22:22:36 A.... 50 688 49,50 K
    wgalogon.dll Wed 9 Nov 2005 11:30:24 ..... 396 552 387,26 K
    wininet.dll Fri 21 Oct 2005 4:41:54 A.... 657 920 642,50 K
    xcnroll.dll Thu 12 Jan 2006 0:21:16 ..S.R 234 253 228,76 K
    xvidvfw.dll Sun 16 Oct 2005 7:26:12 A.... 217 088 212,00 K

    46 items found: 46 files (17 H/S), 0 directories.
    Total of file sizes: 17 455 341 bytes 16,64 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volumet i stasjon C er System
    Volumserienummeret er D80D-3F4C

    Innhold i C:\WINDOWS\System32

    12.01.2006 00:27 234 253 vablock.dll
    12.01.2006 00:27 236 049 s6rslg9716.dll
    12.01.2006 00:21 234 253 xcnroll.dll
    12.01.2006 00:07 234 253 ayi3duag.dll
    12.01.2006 00:00 234 253 ir0sl5d71.dll
    11.01.2006 23:56 236 928 ennsl1571.dll
    11.01.2006 23:23 233 475 hrn4055qe.dll
    11.01.2006 22:37 236 928 ndprint.dll
    11.01.2006 22:34 233 608 l02s0af7ed2.dll
    11.01.2006 22:17 235 810 f4l02e3mgh.dll
    11.01.2006 21:55 235 810 bmpanui.dll
    11.01.2006 21:55 236 875 ir60l5jm1.dll
    11.01.2006 21:30 234 474 l22slcf71f2.dll
    11.01.2006 21:21 234 474 kfdusx.dll
    11.01.2006 21:21 234 805 dnlo0133e.dll
    11.01.2006 21:02 235 352 r8p80i7ue8.dll
    11.01.2006 19:53 234 573 fpj8031ue.dll
    11.01.2006 16:03 <DIR> dllcache
    19.10.2005 16:15 5 120 Thumbs.db
    30.08.2004 16:33 <DIR> Microsoft
    18 fil(er) 4 001 293 byte
    2 mappe(r) 5 409 103 872 byte ledig
  • TroganTrogan London, UK
    edited January 2006
    Close any browsers and programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
    If, after the reboot, the log does not open, double-click on it in the l2mfix folder.
  • edited January 2006
    L2mfix 010406
    Creating Account.
    Kommandoen er fullført.

    Adding Administrative privleges.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    updating: backregs/notibac.reg (188 bytes security) (deflated 83%)

    Logfile of HijackThis v1.99.1
    Scan saved at 16:26:06, on 12.01.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Programfiler\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
    C:\WINDOWS\PowerS.exe
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programfiler\SundryTools\ST.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\programfiler\powerstrip\pstrip.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\system32\HPHipm11.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programfiler\Mozilla Firefox\firefox.exe
    G:\Downloaded Programs\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SundryTools] C:\Programfiler\SundryTools\ST.exe -h
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programfiler\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Programfiler\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Programfiler\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: WebPage Spy - {46A89114-6553-4d55-8F0E-B1FF437D5857} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4416/mcfscan.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: MMFiles - C:\WINDOWS\system32\ayi3duag.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
  • TroganTrogan London, UK
    edited January 2006
    Download and run VX2Finder(.exe).
    http://www.downloads.subratam.org/VX2Finder.exe

    Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2-related files and registry keys and, when present, display them in its logfile. To create a logfile, click the button named 'Make Log'. This will open the logfile using Notepad. Please copy/paste the results and post them in this topic.

    Download these two tools:

    http://www.downloads.subratam.org/DllCompare.exe
    &
    http://www.downloads.subratam.org/KillBox.exe

    Run DllCompare by clicking "Run Locate.com", then click the Compare button... when done, post that log here. Do not reboot once you have posted the logs, because all the filenames will change otherwise.
  • edited January 2006
    Log for VX2.BetterInternet File Finder (ALL)

    Files Found---

    Additional Files---

    Keys Under Notify---
    AtiExtEvent
    crypt32chain
    cryptnet
    cscdll
    MMFiles
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    WgaLogon
    wlballoon


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
    {03802829-A3EC-E79D-B6E7-A601861DD9DB}


    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\ayi3duag.dll Thu 12 Jan 2006 0:07:04 ..S.R 234 253 228,76 K
    C:\WINDOWS\SYSTEM32\bmpanui.dll Wed 11 Jan 2006 21:55:40 ..S.R 235 810 230,28 K
    C:\WINDOWS\SYSTEM32\dnlo01~1.dll Wed 11 Jan 2006 21:21:54 ..S.R 234 805 229,30 K
    C:\WINDOWS\SYSTEM32\dzdskres.dll Thu 12 Jan 2006 16:22:56 ..S.R 234 253 228,76 K
    C:\WINDOWS\SYSTEM32\ennsl1~1.dll Wed 11 Jan 2006 23:56:14 ..S.R 236 928 231,38 K
    C:\WINDOWS\SYSTEM32\f4l02e~1.dll Wed 11 Jan 2006 22:17:08 ..S.R 235 810 230,28 K
    C:\WINDOWS\SYSTEM32\fpj803~1.dll Wed 11 Jan 2006 19:53:24 A.S.R 234 573 229,07 K
    C:\WINDOWS\SYSTEM32\hrn405~1.dll Wed 11 Jan 2006 23:23:54 ..S.R 233 475 228,00 K
    C:\WINDOWS\SYSTEM32\ir0sl5~1.dll Thu 12 Jan 2006 0:00:04 ..S.R 234 253 228,76 K
    C:\WINDOWS\SYSTEM32\ir60l5~1.dll Wed 11 Jan 2006 21:55:40 ..S.R 236 875 231,32 K
    C:\WINDOWS\SYSTEM32\kfdusx.dll Wed 11 Jan 2006 21:21:54 ..S.R 234 474 228,98 K
    C:\WINDOWS\SYSTEM32\l02s0a~1.dll Wed 11 Jan 2006 22:34:14 ..S.R 233 608 228,13 K
    C:\WINDOWS\SYSTEM32\l22slc~1.dll Wed 11 Jan 2006 21:30:42 ..S.R 234 474 228,98 K
    C:\WINDOWS\SYSTEM32\l26o0c~1.dll Thu 12 Jan 2006 16:22:56 ..S.R 234 615 229,11 K
    C:\WINDOWS\SYSTEM32\ndprint.dll Wed 11 Jan 2006 22:37:52 ..S.R 236 928 231,38 K
    C:\WINDOWS\SYSTEM32\r8p80i~1.dll Wed 11 Jan 2006 21:02:30 ..S.R 235 352 229,84 K
    C:\WINDOWS\SYSTEM32\s6rslg~1.dll Thu 12 Jan 2006 0:27:52 ..S.R 236 049 230,52 K
    C:\WINDOWS\SYSTEM32\xcnroll.dll Thu 12 Jan 2006 0:21:16 ..S.R 234 253 228,76 K
    ________________________________________________

    1 414 items found: 1 414 files (18 H/S), 0 directories.
    Total of file sizes: 308 909 728 bytes 294,60 M

    Administrator Account = True

    End log
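    The two logs above are read the same way by hand: the Locate.com-style lines (l2mfix and DLLCompare) single out freshly written DLLs in system32 with System+Read-only attributes and near-identical sizes, and the HijackThis O20 lines single out Winlogon Notify keys that are not part of the machine's normal set. The script below is an added example written for this thread, not code from l2mfix, DLLCompare, VX2Finder or HijackThis. Its sample input is constructed from a few of the lines posted above, the size band and 48-hour window are assumptions taken from the cluster of files in this thread, and the "known" Notify key list is simply the VX2Finder "Keys Under Notify" output minus the entry the helper removed, so it is specific to this machine.

```python
"""Triage helpers for Locate.com-style file listings and HijackThis O20 lines.

Added example for this thread (not part of any of the posted tools). It encodes
the heuristics the helper applied by eye: freshly created DLLs in system32 with
System+Read-only attributes in a narrow size band, and Winlogon Notify entries
whose key name is not in a known-good baseline, then cross-references the two.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input, shaped like the l2mfix/DLLCompare lines posted above.
LOCATE_LOG = """\
C:\\WINDOWS\\SYSTEM32\\ayi3duag.dll Thu 12 Jan 2006 0:07:04 ..S.R 234 253 228,76 K
C:\\WINDOWS\\SYSTEM32\\bmpanui.dll Wed 11 Jan 2006 21:55:40 ..S.R 235 810 230,28 K
C:\\WINDOWS\\SYSTEM32\\fpj803~1.dll Wed 11 Jan 2006 19:53:24 A.S.R 234 573 229,07 K
C:\\WINDOWS\\SYSTEM32\\browseui.dll Thu 24 Nov 2005 1:39:22 A.... 1 022 464 998,50 K
C:\\WINDOWS\\SYSTEM32\\extmgr.dll Fri 21 Oct 2005 4:41:50 ..... 55 808 54,50 K
"""

# Constructed sample input, shaped like the O4/O20 lines in the HijackThis logs above.
HJT_LOG = """\
O4 - HKLM\\..\\Run: [PowerS] C:\\WINDOWS\\PowerS.exe
O20 - Winlogon Notify: MMFiles - C:\\WINDOWS\\system32\\ayi3duag.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: DateTime - C:\\WINDOWS\\system32\\l26o0cj3efo.dll
"""

# Notify keys the helper left alone in this thread (VX2Finder "Keys Under Notify"
# minus MMFiles). A baseline is machine-specific; this one is an assumption.
KNOWN_NOTIFY_KEYS = {
    "AtiExtEvent", "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "WgaLogon", "wlballoon",
}

# path, weekday, day, month, year, time, 5-char attribute field, byte size with
# space thousands separators, then the human-readable size (ignored).
LOCATE_RE = re.compile(
    r"^(?P<path>\S+) \w{3} (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<attr>[A-Z.]{5}) (?P<size>\d[\d ]*?) [\d,]+ [KM]$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def _basename(win_path):
    """Last path component of a Windows path, lower-cased (works on any OS)."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_locate(text):
    """Parse Locate.com-style lines into dicts with path, mtime, attrs, size."""
    entries = []
    for line in text.splitlines():
        m = LOCATE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(
            f"{m['day']} {m['mon']} {m['year']} {m['time']}", "%d %b %Y %H:%M:%S")
        entries.append({"path": m["path"], "mtime": mtime, "attrs": m["attr"],
                        "size": int(m["size"].replace(" ", ""))})
    return entries


def parse_o20(text):
    """Return (notify key, dll path) pairs from HijackThis O20 lines."""
    pairs = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            pairs.append((m["key"], m["path"]))
    return pairs


def suspicious_files(entries, scan_time, window=timedelta(hours=48),
                     size_band=(200_000, 260_000)):
    """System+Read-only files written shortly before the scan, inside the size
    band seen in this thread (~233-237 KB). Window and band are assumptions."""
    lo, hi = size_band
    return [e["path"] for e in entries
            if "S" in e["attrs"] and "R" in e["attrs"]
            and lo <= e["size"] <= hi
            and scan_time - window <= e["mtime"] <= scan_time]


def unknown_notify(pairs, baseline=KNOWN_NOTIFY_KEYS):
    """Winlogon Notify entries whose key name is not in the baseline."""
    return [(k, p) for k, p in pairs if k not in baseline]


def correlate(file_paths, notify_pairs):
    """DLL basenames that are both hidden/system on disk and loaded by winlogon."""
    on_disk = {_basename(p) for p in file_paths}
    return sorted({_basename(p) for _, p in notify_pairs if _basename(p) in on_disk})


def triage(locate_text, hjt_text, scan_time_iso):
    """Run all three checks; scan_time_iso is the DLLCompare run time (ISO 8601)."""
    scan = datetime.fromisoformat(scan_time_iso)
    files = suspicious_files(parse_locate(locate_text), scan)
    notify = unknown_notify(parse_o20(hjt_text))
    return {"files": files, "notify": notify, "both": correlate(files, notify)}


if __name__ == "__main__":
    # 16:22:56 on 12 Jan 2006 is the newest timestamp in the DLLCompare log above.
    for name, hits in triage(LOCATE_LOG, HJT_LOG, "2006-01-12T16:22:56").items():
        print(f"{name}: {hits}")
```

The cross-reference is the useful part: a DLL that is both hidden on disk and registered under Winlogon Notify (ayi3duag.dll in the sample) is the one worth acting on first, which is exactly the entry the helper asked to have removed. The size band and time window are tuned to this thread's cluster; on another machine they would need to be re-derived from the listing.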
  • TroganTrogan London, UK
    edited January 2006
    Stay offline when doing the following fix.

    Open killbox and paste in C:\WINDOWS\SYSTEM32\ayi3duag.dll

    With the full path to the file name in the topmost textbox, click the options *replace on reboot* and *Use Dummy*, which will create a numbered dummy file instantly for you.

    Click the Red X... and for the confirmation message that will appear, you will need to click Yes.
    A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

    Repeat the above for each of these:

    C:\WINDOWS\SYSTEM32\bmpanui.dll
    C:\WINDOWS\SYSTEM32\dnlo01~1.dll
    C:\WINDOWS\SYSTEM32\dzdskres.dll
    C:\WINDOWS\SYSTEM32\ennsl1~1.dll
    C:\WINDOWS\SYSTEM32\f4l02e~1.dll
    C:\WINDOWS\SYSTEM32\fpj803~1.dll
    C:\WINDOWS\SYSTEM32\hrn405~1.dll
    C:\WINDOWS\SYSTEM32\ir0sl5~1.dll
    C:\WINDOWS\SYSTEM32\ir60l5~1.dll
    C:\WINDOWS\SYSTEM32\kfdusx.dll
    C:\WINDOWS\SYSTEM32\l02s0a~1.dll
    C:\WINDOWS\SYSTEM32\l22slc~1.dll
    C:\WINDOWS\SYSTEM32\l26o0c~1.dll
    C:\WINDOWS\SYSTEM32\ndprint.dll
    C:\WINDOWS\SYSTEM32\r8p80i~1.dll
    C:\WINDOWS\SYSTEM32\s6rslg~1.dll
    C:\WINDOWS\SYSTEM32\xcnroll.dll
    C:\Windows\System32\Guard.tmp


    On that last file, close all programs and Reboot your computer.

    Post another log from dllcompare please.
  • edited January 2006
    Oooops... I didn't see the "stay offline" part before I did it (typical :shakehead: ), and after restarting I wasn't able to connect again - but it might be that the main server is down (I hope) or something like that, because I was unable to ping it.

    Anyway - I hope that it does not matter (and I hope that it was my mistake that made the internet connection stop working); here's the log:

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\bmpanui.dll Wed 11 Jan 2006 21:55:40 ..S.R 235 810 230,28 K
    ________________________________________________

    1 413 items found: 1 413 files (1 H/S), 0 directories.
    Total of file sizes: 304 915 646 bytes 290,79 M

    Administrator Account = True

    End log
  • TroganTrogan London, UK
    edited January 2006
    Can you do the same as above, but for this file:

    C:\WINDOWS\SYSTEM32\bmpanui.dll

    Don't forget to stay offline.


    Reboot and post a new DLLcompare log :)
  • edited January 2006
    Yep, got it to work again. Now it looks clean:

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    1 413 items found: 1 413 files, 0 directories.
    Total of file sizes: 304 679 892 bytes 290,56 M

    Administrator Account = True

    End log
  • TroganTrogan London, UK
    edited January 2006
    Great :)


    Can you post a new HJT log?
  • edited January 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 14:16:04, on 13.01.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Programfiler\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
    C:\WINDOWS\PowerS.exe
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programfiler\SundryTools\ST.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\programfiler\powerstrip\pstrip.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Programfiler\Mozilla Firefox\firefox.exe
    G:\Downloaded Programs\utorrent.exe
    G:\Downloaded Programs\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SundryTools] C:\Programfiler\SundryTools\ST.exe -h
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programfiler\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Programfiler\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Programfiler\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: WebPage Spy - {46A89114-6553-4d55-8F0E-B1FF437D5857} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4416/mcfscan.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\l26o0cj3efo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
  • TroganTrogan London, UK
    edited January 2006
    Check the following in HJT and click 'Fix Checked' - close ALL open browsers first:

    O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\l26o0cj3efo.dll
    ==


    Reboot and post a new HJT log :)
  • edited January 2006
    aaaaaand... *drumroll* the bad entry is annihilated!!!
    Thank you so much :)

    Logfile of HijackThis v1.99.1
    Scan saved at 14:37:20, on 13.01.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Programfiler\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
    C:\WINDOWS\PowerS.exe
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programfiler\SundryTools\ST.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\programfiler\powerstrip\pstrip.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.exe
    C:\Programfiler\OpenOffice.org 2.0\program\soffice.BIN
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programfiler\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\ntvdm.exe
    G:\Downloaded Programs\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SundryTools] C:\Programfiler\SundryTools\ST.exe -h
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PowerStrip] c:\programfiler\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programfiler\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Programfiler\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Programfiler\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: WebPage Spy - {46A89114-6553-4d55-8F0E-B1FF437D5857} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4416/mcfscan.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
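A log like the one above is usually read by eye, entry by entry. As an added example (not part of the original thread, and not a HijackThis feature), the Python script below applies a few of the mechanical checks a log helper makes on O4, O16, O20 and O23 lines: a Run command given as a bare file name (which Windows resolves through the PATH search order, so the file must be located before it can be judged), an ActiveX control (DPF) installed from a local `file://` source, any Winlogon Notify DLL (loaded into winlogon.exe at logon), and a service whose binary is missing or has no recorded publisher. The sample lines are copied from the log posted above; a hit means "look at this", not "this is malware".

```python
"""Triage of HijackThis O4 / O16 / O20 / O23 entries.

Added example, not part of the original thread or of HijackThis itself.
A Finding means the line deserves a closer look, nothing more.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
""".strip()

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
DPF_ENTRY = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
# Service lines are "name - owner - path"; the match is non-greedy from the
# left, so a service name that itself contains " - " would confuse it.
SERVICE_ENTRY = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def first_token(command: str) -> str:
    """Return the executable part of a Run command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_run(body: str) -> List[str]:
    m = RUN_ENTRY.match(body)
    if not m:
        return []  # "Startup:" / "Global Startup:" shortcut lines are not handled here
    exe = first_token(m.group(4))
    if "\\" not in exe:
        # No directory given: Windows finds it through the PATH search order,
        # so the file has to be located on disk before it can be judged.
        return [f"bare file name '{exe}' (resolved via PATH search)"]
    return []


def check_dpf(body: str) -> List[str]:
    m = DPF_ENTRY.match(body)
    if m and m.group(3).lower().startswith("file://"):
        return ["ActiveX control installed from a local file:// source"]
    return []


def check_winlogon_notify(body: str) -> List[str]:
    # Notify DLLs are loaded into winlogon.exe, so every entry gets a look.
    return ["Winlogon Notify DLL (loaded by winlogon.exe at logon)"]


def check_service(body: str) -> List[str]:
    m = SERVICE_ENTRY.match(body)
    if not m:
        return []
    _name, owner, path = m.groups()
    reasons = []
    if "(file missing)" in path:
        reasons.append("service binary missing on disk")
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    return reasons


CHECKS = {"O4": check_run, "O16": check_dpf,
          "O20": check_winlogon_notify, "O23": check_service}


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = CHECKS.get(section, lambda _b: [])(body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, it flags five of the eight lines: the bare `copyfstq.exe`, the `file://` PatchInstaller control, the WgaLogon notify DLL, and the two services with "Unknown owner" (one of them also "(file missing)"). The flagged WgaLogon and Adobe entries are there to be verified, not deleted; the script only tells you where to spend attention.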
  • TroganTrogan London, UK
    edited January 2006
    Now that is sorted, you need to do the following :)

    I don't see an anti-virus or firewall in your log. If you're using Windows Firewall, that's fine. If not, then get these:

    Anti-Virus
    AVG Free Edition

    Firewall
    Zone Alarm

    Note: You should only be running one of each.
    ==

    Run an online scan to remove any bad files:

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report.
  • edited January 2006
    I didn't scan my g:\, h:\, i:\ and j:\ drives... no point (no programs installed there, but many big raw DV .avi files, for example); it would take an eternity. I scanned them when I got Look2Me; back then I scanned everything and deleted everything that could harm. I have the Windows XP firewall activated. I removed the virus tools after scanning with 5 different tools or so. Now I only have Dr.Web.

    Here's the report from Panda:

    Incident Status Location

    Adware:adware/cws.yexe Not disinfected C:\WINDOWS\inet20003
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[as1.falkag.de/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.as1.falkag.de/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[as1.falkag.de/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[servedby.advertising.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.maxserving.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.overture.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.adopt.hbmediapro.com/]
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.belnk.com/]
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.tradedoubler.com/]
    Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.linksynergy.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[server.iad.liveperson.net/hc/86678446]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[server.iad.liveperson.net/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.bfast.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[server.iad.liveperson.net/hc/72874171]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.azjmp.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.tribalfusion.com/]
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\bmpanui.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\dnlo01~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\dzdskres.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\ennsl1~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\f4l02e~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\fpj803~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\hrn405~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\ir0sl5~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\ir60l5~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\kfdusx.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\l02s0a~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\l22slc~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\ndprint.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\r8p80i~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\s6rslg~1.dll
    Adware:Adware/Look2Me Not disinfected C:\!KillBox\xcnroll.dll
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Lokale innstillinger\Temp\Cookies\john@2o7[2].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\John\Lokale innstillinger\Temp\Cookies\john@ads.pointroll[2].txt
    Virus:EICAR-AV-TEST-FILE Disinfected C:\Documents and Settings\John\Mine dokumenter\Mine mottatte filer\eicar_com.zip.mwt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[86678446]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[72874171]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\John\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-2563cac8.zip.mwt[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\John\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-2563cac8.zip.mwt[VerifierBug.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\John\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-2563cac8.zip.mwt[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\John\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-2563cac8.zip.mwt[Beyond.class]
    Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
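Most of the report above is the same cookie store listed once per ad domain, and a block of DLLs that already sit in a removal tool's quarantine folder. As an added example (not from the thread and not from Panda), the Python script below reads the "Incident Status Location" rows and sorts them into tracking cookies, items Panda already disinfected, files already quarantined, and live items that still need a decision, so the helper sees only the last group. The rows are copied from the report above; treating `C:\!KillBox\` as a quarantine folder is an assumption based on the user's own question about deleting that folder.

```python
"""Sorting a Panda ActiveScan report into what still needs a decision.

Added example, not part of the original thread or of Panda's tooling.
Row format is "Incident Status Location"; status is either
"Disinfected" or "Not disinfected".
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the Panda report posted above (header included).
SAMPLE_REPORT = r"""
Incident Status Location
Adware:adware/cws.yexe Not disinfected C:\WINDOWS\inet20003
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Programdata\Mozilla\Firefox\Profiles\7iixlu1i.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Lokale innstillinger\Temp\Cookies\john@2o7[2].txt
Adware:Adware/Look2Me Not disinfected C:\!KillBox\bmpanui.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\ndprint.dll
Virus:EICAR-AV-TEST-FILE Disinfected C:\Documents and Settings\John\Mine dokumenter\Mine mottatte filer\eicar_com.zip.mwt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\John\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-2563cac8.zip.mwt[BlackBox.class]
Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
""".strip()

# Incident names may contain spaces ("Cookie/Atlas DMT"), so the row is split
# on the status keyword rather than on whitespace.
ROW = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")

# Assumption: files under this folder were already moved there by a removal
# tool (the user asks above whether the !KillBox folder can be deleted).
QUARANTINE_DIRS = ("C:\\!KillBox\\",)


def parse_rows(report: str) -> List[Tuple[str, str, str]]:
    """Return (incident, status, location) per data row; the header is skipped."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["incident"], m["status"], m["location"]))
    return rows


def classify(incident: str, status: str, location: str) -> str:
    if status == "Disinfected":
        return "handled"          # Panda already dealt with it
    if "Cookie/" in incident:
        return "cookie"           # tracking cookie: clear the browser's cookie store
    if location.lower().startswith(tuple(d.lower() for d in QUARANTINE_DIRS)):
        return "quarantined"      # leftover in a removal tool's backup folder
    return "needs_decision"       # live file or registry data still on the system


def summarize(report: str) -> Dict[str, List[str]]:
    """Group the report's rows by the action they call for."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for incident, status, location in parse_rows(report):
        groups[classify(incident, status, location)].append(f"{incident} -> {location}")
    return dict(groups)


if __name__ == "__main__":
    for group, items in summarize(SAMPLE_REPORT).items():
        print(f"{group} ({len(items)})")
        for item in items:
            print("   ", item)
```

On the sample rows the "needs_decision" group comes down to four lines: the `C:\WINDOWS\inet20003` folder, the searchcentrix registry data, and the two copies of `Process.exe`, which is exactly the set the helper goes on to ask about. The cookie and quarantine groups are cleared wholesale, which is what the next reply recommends.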
  • TroganTrogan London, UK
    edited January 2006
    Delete Cookies:
    • Go Start
    • Control Panel
    • Click on Internet Options
    • Click the General Tab and under Temporary Internet Files click...
    • Delete Cookies...
    ==


    Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

    1) Run Ad-Aware, and click Check for updates now.

    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Click Proceed.
    3) To start the scan, Click > "Scan Now" at left
    • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    • Select "Search for low-risk threats"
    • Select "Perform full system scan"
    • Click Next
    4) When the scan has completed, select Next.
    • In the Scanning Results window, select the "Critical Objects" tab.
    • Right-click on the screen and choose "Select all objects"
    • Click Next to remove the infections found, and click OK to the prompt.
    • Restart the computer.
    ==

    After restarting...

    Download Spybot S & D from here.
    1. Download and Install Spybot S&D (if you haven't already), accept the Default Settings
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
      Make certain that 'default mode' has a check mark beside it.
    3. Close ALL windows except Spybot S&D
    4. Click the button to ‘Search for Updates’ then download and install the updates.
    5. Next click the button ‘Check for Problems'
    6. When Spybot is complete, it will be showing 'RED' entries, bold 'BLACK' entries and 'GREEN' entries in the window
    7. Make certain there is a check mark beside all of the RED entries ONLY.
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    9. REBOOT normally to complete the scan and clear memory.
    ==


    Go here and in the box provided, paste the following. Then press SUBMIT

    C:\WINDOWS\system32\Process.exe

    The file will be scanned by various anti-virus scanners. If it is found to be bad, then delete it. If you are unsure, post the results here.
  • edited January 2006
    OK, Ad-Aware found 2 tracking cookies for IE.
    Spybot S&D found about 15 of them for Firefox (which I use mostly).
    (I ain't stupid, so I did not delete DAP when it showed up red.)

    I deleted Process.exe (I've done it before too, once...) because:
    AntiVir | Found SecurityPrivacyRisk/Processor.20 riskware
    Dr.Web | Found Tool.Prockill
    Fortinet | Found Process

    One more thing... I can delete the !KillBox folder, right?

    If there's nothing more to add, then thank you so much!
  • TroganTrogan London, UK
    edited January 2006
    No problem. Everything looks good :)

    Can I mark this resolved?
    =====


    Now that your PC is clean, you need to follow these easy steps to keep it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or you can get Opera, which in my opinion is better still.

    Use a firewall to help prevent your PC's control being usurped by undesirables.

    Install and keep updated, Ad-Aware SE, and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install and keep updated, SpywareBlaster 3.4

    Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when they are installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.

    Under the General tab, click Delete temporary internet files; delete all offline content as well. Clear out cookies.

    Also, go to Start > Find/Search > Files or folders > in the 'named' box, type: *.tmp and choose Edit > Select all > File > Delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders'. Instructions on how to do this are here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to flush the restore points and start fresh.
    To flush the XP System Restore points:

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System Restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.


    Please consider joining the Folding@Home Project :)
    Join our Folding@Home team! Alzheimer's, Parkinson's, cancer... we're trying to cure them with our computers! You've at least read a little about it in the greeting I sent you when you signed up for the site. We're always really pleased to greet new members to the team, and it's a quick way to become an appreciated member of the community.
    MORE INFO: READ THIS
  • edited January 2006
    Yep, this is definitely resolved!
  • TroganTrogan London, UK
    edited January 2006
    Thread Closed!


    If you need help again then start a new thread.