buffer overflow virus Solved/Closed

Question

Hello, I need help solving a blockage issue due to a buffer overflow detected by Virus Scan Enterprise 8.0  Message type: c\:windows\system32\svchost.exe:: loadlibrarya   Thank you in advance   gdf

Regis59 · Answer

Hello

download HijackThis here:
http://telechargement.zebulon.fr/138-hijackthis-1991.html

Unzip it into a designated folder.
For example C:\hijackthis < Make sure to save it in c: !
Demo: (Thanks to Balltrap34 for this production)
http://pageperso.aol.fr/balltrap34/Hijenr.gif

Launch it then:
click on "do a system scan and save logfile" (see demo)
copy and paste the entire log on the forum

Demo: (Thanks to Balltrap34 for this production)
http://pageperso.aol.fr/balltrap34/demohijack.htm

Good luck

See you later

Regis59 · Answer

Hello  do you have this in add/remove programs?  Surfairy  thanks

Regis59 · Answer

Hello;

Download this: (thanks to S!RI for this program).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Run it, double-click on Smitfraudfix.cmd, choose option 1, it will generate a report
Copy/paste it on the post please.

See you later!

Regis59 · Answer

Hi  Start in safe mode, run smitfraudfix, choose option 2 and then save the report. Restart the PC and copy-paste the report here.  See you!

Regis59 · Answer

Hi  put back a hijack this  see you+

Regis59 · Answer

Hello,

Follow the method in order...

Windows is not up to date, your system is therefore open to all infections and hackers.
----------------------------------------------------------------------------
¤Download these programs but do not use them right away:

1/

Spybot S&D 1.4
https://www.safer-networking.org/

Usage demo (thanks to Balltrap34 for this implementation).
http://pageperso.aol.fr/Balltrap34/demo%20spybot.htm

2/

Ad-Aware SE 1.06
https://www.adaware.com/
-A help guide:
http://usa.lucretius-ada.com/zcvisitor/8782d344-4821-11ea-83ce-0a2cdf2c6be7?campaignid=0d1dff40-82d7-11e9-9533-0a157bfa6bfc
- Install the French patch, you can find it here:
http://download.lavasoft.de.edgesuite.net/public/pllangs.exe
and a short usage video here: (thanks to Moe31 for this implementation).
http://pageperso.aol.fr/balltrap34/adawrevid.asf

3/ Ewido:
http://download.ewido.net/ewido-setup.exe

4/ Ccleaner:

https://www.pcastuces.com/logitheque/ccleaner.htm
----------------------------------------------------------------------------
¤Show all files and folders:
Click on start/control panel/tool/folder options/view

Check "show hidden files and folders"

Uncheck the box "Hide protected operating system files (recommended)"

Uncheck "hide extensions for known file types"
Then click "Ok" to validate the changes.

And apply!
----------------------------------------------------------------------------
¤Restart HijackThis, check the boxes next to these lines and then click on fix checked:

O2 - BHO: SurfairyHlp Class - {E0B9B5FE-B66E-4FB0-A1D9-726F0E743CFD} - C:\Program Files\Surfairy\SurfairyPP.dll

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe

O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe

O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\fp4403hqe.dll

O23 - Service: Remote Administrator Services - Unknown owner - C:\WINDOWS\system32\lscas.exe

----------------------------------------------------------------------------
¤Start in safe mode:
To do this, tap the F8 key as soon as you turn on the pc without stopping
A window will open, navigate with the arrow keys to start in safe mode and then hit enter.
Once on the desktop if there are not all the colors and others it’s normal!
(If F8 doesn’t work use the F5 key).
----------------------------------------------------------------------------
¤Search and delete this:
attention only the files (if present).

C:\Program Files\Surfairy
C:\Program Files\TheSearchAccelerator
C:\WINDOWS\System32\winIogon.exe << with a I
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\system32\lscas.exe
----------------------------------------------------------------------------
¤Stop these services:

Click on Start->run->type: services.msc

Double-click: Service: Remote Administrator Services

Set it to "Stopped" and "Disabled".
----------------------------------------------------------------------------
¤ Launch and run Ewido for a full scan and copy/paste the report on the forum.
----------------------------------------------------------------------------
¤ Run Ad-Aware and delete everything it finds + delete quarantines...
----------------------------------------------------------------------------
¤ Run Spybot and fix everything it finds + vaccinate + delete quarantines...
-------------------------------------------------------------------------------------------
¤ Run CCleaner.

Deleting temporary files

Go to the "Options" section located in the left margin. Go to "Advanced" and uncheck "Delete only files in the Windows Temp folder older than 48 hours". Then go back to the "Cleaner" section
Be sure to check all boxes in the left margin (Internet Explorer/Windows Explorer/System/Advanced)
• Click on Analyze
• Wait for the scan, which may take a little time if it's the first time.
• Once the scan is completed, click on Run the Cleaning

Fixing registry inconsistencies

• Click on the Errors icon located in the left margin.
• Then click on Analyze errors
• Wait while CCleaner scans your registry.
• Once the scan is finished, check all the entries it found.
• You can then click on Fix errors.
If you are unsure of what you are doing, you can choose to back up the checked entries for later restoration.
----------------------------------------------------------------------------
¤ Empty your Recycle Bin.
----------------------------------------------------------------------------
¤ Restart in normal mode, relaunch Hijackthis and copy/paste a new report on the forum.

Specify your issues if any remain....

Keep me updated

See you soon

gdf · Answer

Hi   Note: I’m connecting from a mobile device to communicate with you   I’ve performed the actions you requested and encountered several issues:   No Iscas.exe file to delete   Unable to launch Spybot in safe mode as I couldn’t update it, so I updated it in normal mode...  after that Spybot worked   Ewido scan then report   ---------------------------------------------------------  AVG Anti-Spyware - Scan Report  ---------------------------------------------------------   + Created at: 18:20:05 14/10/2006   + Scan result:    C:\Documents and Settings\grand\Local Settings\Temporary Internet Files\Content.IE5\RYW7POQG\AppWrap[1].exe -> Adware.AdURL: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001505.exe -> Adware.AdURL: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000297.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000302.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000312.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000324.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000334.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000345.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000355.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000360.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000396.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001414.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001416.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001467.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001495.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001511.dll -> Adware.Look2Me: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001522.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\__delete_on_reboot__c_z_y_p_t_d_l_l_._d_l_l_ -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\__delete_on_reboot__g_u_a_r_d_._t_m_p_ -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\aysnt.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\cucfg32.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\dwdlgs.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\e6020gdoe60c0.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\h0n0la5m1d.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\iwv6mon.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\ixseng.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\mpwmdm.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32
kevtmsg.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\pKqsp.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\pfchdprf.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\ubrvpa.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\uhtheme.dll -> Adware.Look2Me: Ignored. [584] C:\WINDOWS\system32\uqandlg.dll -> Adware.Look2Me: Ignored. [716] C:\WINDOWS\system32\uqandlg.dll -> Adware.Look2Me: Ignored. C:\WINDOWS\system32\iexplore.exe -> Backdoor.Agobot.aix: Ignored. C:\WINDOWS\system32\hlzx.exe -> Backdoor.PoeBot.j: Ignored. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2ZGPIZ\drsmartload1022a[1].exe -> Downloader.Adload.fu: Ignored. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D5NRWLNA\drsmartload45a[1].exe -> Downloader.Adload.fu: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000263.exe -> Downloader.Adload.fu: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000266.exe -> Downloader.Adload.fu: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001490.exe -> Downloader.Adload.fu: Ignored. C:\WINDOWS\dov9.exe -> Downloader.Adload.fu: Ignored. C:\doc.exe -> Downloader.Adload.fu: Ignored. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8L2ZGPIZ\MTE3NDI6ODoxNgV2[1].exe -> Downloader.Agent.azc: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001492.exe -> Downloader.Agent.azc: Ignored. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D5NRWLNA\ac3_0010[1].exe -> Downloader.Small: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001489.exe -> Downloader.Small: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0001428.exe -> Dropper.Paradrop.a: Ignored. :mozilla.15:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Cpvfeed: Ignored. :mozilla.16:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Cpvfeed: Ignored. :mozilla.17:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Cpvfeed: Ignored. :mozilla.18:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Cpvfeed: Ignored. :mozilla.52:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Reliablestats: Ignored. :mozilla.53:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Reliablestats: Ignored. :mozilla.54:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Reliablestats: Ignored. :mozilla.55:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Reliablestats: Ignored. :mozilla.56:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Reliablestats: Ignored. :mozilla.10:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.11:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.12:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.13:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.6:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.7:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.8:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. :mozilla.9:C:\Documents and Settings\grand\Application Data\Mozilla\Profiles\default\7ajw1r8i.slt\cookies.txt -> TrackingCookie.Yieldmanager: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000247.exe -> Trojan.Dialer.u: Ignored. C:\System Volume Information\_restore{B2E81E50-A630-4002-822C-1C120AAC30F2}\RP2\A0000262.exe -> Trojan.Dialer.u: Ignored. C:\mv.exe -> Trojan.Dialer.u: Ignored.    End of report   Ad Adware process:  detection of Adware.Look2Me files (C\WINDOW\System32\irp2157o1.dll) and Adware.Look2Me (C\WINDOW\System32Fsctrs.dll) unable to delete. The program indicates they will be deleted on the next restart???   Spybot process  detection of the Look2Me.Topcobversing file, unable to delete, file still active, will be deleted on the next restart???   CCleaner run: no problems apparently   Final Hijackthis report:   Logfile of HijackThis v1.99.1  Scan saved at 19:34:49, on 14/10/2006  Platform: Windows XP (WinNT 5.01.2600)  MSIE: Internet Explorer v6.00 (6.00.2600.0000)   Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32undll32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\grand\Local Settings\Temp\Temporary directory 1 for hijackthis.zip\HijackThis.exe   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Planetis  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx  O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe  O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE  O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE  O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey  O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"  O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background  O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"  O14 - IERESET.INF: START_PAGE_URL=www.packardbell.fr/center  O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\o4480ehueh480.dll  O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe  O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe  O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe  O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe   Remaining problems:   Unwanted launching of Mozilla on gambling sites or antivirus sales sites...   This morning, system shutdown due to the following problem message:   Problem with file C\WINDOW\System 32\Iass.exe error type 107 37 418 19   That's all I can tell you, good luck   See you   GDF

Regis59 · Answer

Hi  Follow up with ewido and at the end of the scan, choose delete Then submit the report  See you+

Regis59 · Answer

Hi;

Download l2mfix.exe from http://www.downloads.subratam.org/l2mfix.exe

- Disconnect from the internet, close the browser, and any other application windows;
- Unzip l2mfix.exe to the desktop;
- In the program folder, double-click on l2mfix.bat;
- Choose OPTION 1 (Run find log) and confirm by pressing the [Enter] key

See you!

gdf · Answer

Hello, I used the program in question, I'm sending you the report just in case

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azas0c77ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6EF6876E-8CCB-3784-1CE9-221E167E383C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia file property sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE DocFile Properties Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Sharing Environment Extensions"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Control Panel Display Card Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Control Panel Screen Display Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Control Panel Panorama Display Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Damaged Environment Data Manager"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Floppy Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Environment Extensions for Microsoft Windows Network Objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Screen Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="File Compression Environment Extensions"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Environment Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption context menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Clipboard"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Extension"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printer Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Sharing Environment Extensions"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="PKO Cryptography Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Sign Cryptography Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners and Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners and Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners and Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners and Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners and Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Automatic Update Property Page Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Windows Script Host Environment Command Interpreter Extensions"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Binding"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Email"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Expanded Desktop Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft Browser Band"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Integrated Search Pane"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address Entry Input Box"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoComplete List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Auto-opening Progress Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Analyzer"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Desktop Bar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assistance"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Parameters"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Startup Image"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Registration Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11D0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Environment Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Applications Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Application Publishing"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="File + GDI Thumbnail Extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Thumbnail Manager - Summary Info (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Site Publishing Assistant"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Web Print Command"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Assistant Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport identity Assistant"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Chain File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Chain Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="From &people..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{A0752120-6D75-D111-B5B1-0800095A2318}"="HandyBits EasyCrypto Shell Extensions"
"{BE7FC451-2B79-42E6-8408-3F28D7447790}"=""
"{3334FE85-C609-4B41-B1C1-1E52CD79F1FC}"=""
"{96E0C116-31FD-4DB6-9228-6F91ABF97CBA}"=""
"{29068B4E-5D2F-4B88-B946-A272CA4A3E0E}"=""
"{7A1445DC-30A9-4F8D-9B4F-E039EE2B14EC}"=""
"{0F97195D-DFB2-44BB-9478-7AF687B7A2A3}"=""
"{59EE1164-21F9-4916-BF4B-4BF5E20379C0}"=""
"{F01C7487-C6F7-4B3B-86E0-5CFB15A600FA}"=""
"{A152C159-37D3-4080-94FE-9D697715D876}"=""

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aysnt.dll Sat 14 Oct 2006 11:50:26 ..S.R 236 646 231.10 K
azas0c~1.dll Wed 18 Oct 2006 13:53:06 ..S.R 236 934 231.38 K
cucfg32.dll Fri 13 Oct 2006 17:58:56 ..S.R 234 167 228.68 K
dnr401~1.dll Wed 18 Oct 2006 14:00:06 ..S.R 233 493 228.02 K
dwdlgs.dll Thu 12 Oct 2006 22:23:02 ..S.R 236 191 230.65 K
e6020g~1.dll Sat 14 Oct 2006 11:22:52 ..S.R 235 721 230.20 K
fpro03~1.dll Sun 15 Oct 2006 11:07:12 ..S.R 235 467 229.95 K
h0n0la~1.dll Sat 14 Oct 2006 13:52:28 ..S.R 234 037 228.55 K
iwv6mon.dll Thu 12 Oct 2006 14:36:06 ..S.R 234 251 228.76 K
ixseng.dll Sat 14 Oct 2006 11:46:22 ..S.R 235 721 230.20 K
jivart.dll Wed 18 Oct 2006 14:00:06 ..S.R 236 934 231.38 K
jt8s07~1.dll Wed 18 Oct 2006 13:56:06 ..S.R 235 846 230.32 K
k4440e~1.dll Sun 15 Oct 2006 12:00:04 ..S.R 235 518 229.99 K
k8pmli~1.dll Tue 17 Oct 2006 20:12:52 ..S.R 236 252 230.71 K
l26o0c~1.dll Sun 15 Oct 2006 11:00:30 ..S.R 235 436 229.92 K
mlrating.dll Tue 17 Oct 2006 20:15:18 ..S.R 235 074 229.56 K
mpwmdm.dll Wed 11 Oct 2006 19:18:16 ..S.R 235 747 230.22 K

17 items found: 17 files (17 H/S), 0 directories.
Total of file sizes: 4 003 435 bytes 3.82 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard~1.tmp Sat 14 Oct 2006 19:14:36 ..... 235 752 230.23 K

1 item found: 1 file, 0 directories.
Total of file sizes: 235 752 bytes 230.23 K
**********************************************************************************
Directory Listing of system files:
The volume in drive C is called HDD
The serial number of the volume is 18CF-1E3A

Directory of C:\WINDOWS\System32

18/10/2006 14:00 236ÿ934 jIvart.dll
18/10/2006 14:00 233ÿ493 dnr4019qe.dll
18/10/2006 13:56 235ÿ846 jt8s07l7e.dll
18/10/2006 13:53 236ÿ934 azas0c77ef.dll
17/10/2006 20:15 235ÿ074 mlrating.dll
17/10/2006 20:12 236ÿ252 k8pmli7118.dll
15/10/2006 12:00 235ÿ518 k4440ehqeh4e0.dll
15/10/2006 11:07 235ÿ467 fpro0393e.dll
15/10/2006 11:00 235ÿ436 l26o0cj3efo.dll
14/10/2006 13:52 234ÿ037 h0n0la5m1d.dll
14/10/2006 11:50 236ÿ646 aysnt.dll
14/10/2006 11:46 235ÿ721 ixseng.dll
14/10/2006 11:22 235ÿ721 e6020gdoe60c0.dll
13/10/2006 17:58 234ÿ167 cucfg32.dll
12/10/2006 22:23 236ÿ191 dwdlgs.dll
12/10/2006 14:36 234ÿ251 iwv6mon.dll
11/10/2006 19:35 <REP> dllcache
11/10/2006 19:18 235ÿ747 mpwmdm.dll
10/10/2006 21:38 75ÿ264 lscas.exe
10/10/2006 20:00 <REP> Microsoft
18 files 4ÿ078ÿ699 bytes
2 Reps 34ÿ329ÿ030ÿ656 bytes free

a+

gdf

Regis59 · Answer

Re,  Now restart l2mfix.bat and choose option 2 It will ask you to press a key to restart press any key and let the PC restart the notepad will open, copy and paste the content here  See you+

Regis59 · Answer

hi  follow up lm2fix option 1 and send the report please  see you+

Regis59 · Answer

Hi

Download: Pocket Killbox here
http://www.downloads.subratam.org/KillBox.exe

:: Usage demo (thanks to Balltrap34 for this creation) ::
http://pageperso.aol.fr/balltrap34/killbox.htm

Use the Notepad method (see video)
Here is the list:

C:\WINDOWS\System32\uabmon.dll
C:\WINDOWS\System32\mv60l9jm1.dll
C:\WINDOWS\System32\pBnmap.dll
C:\WINDOWS\System32\c600lgdm160a.dll
C:\WINDOWS\System32\iogutil.dll
C:\WINDOWS\System32\lvnu0959e.dll
C:\WINDOWS\System32\solwid.dll
C:\WINDOWS\System32\aza40ehqeh4e0.dll
C:\WINDOWS\System32\maastmib.dll
C:\WINDOWS\System32\jt8s07l7e.dll
C:\WINDOWS\System32\mlrating.dll
C:\WINDOWS\System32\k8pmli7118.dll
C:\WINDOWS\System32\k4440ehqeh4e0.dll
C:\WINDOWS\System32\fpro0393e.dll
C:\WINDOWS\System32\l26o0cj3efo.dll
C:\WINDOWS\System32\h0n0la5m1d.dll
C:\WINDOWS\System32\aysnt.dll
C:\WINDOWS\System32\ixseng.dll
C:\WINDOWS\System32\e6020gdoe60c0.dll
C:\WINDOWS\System32\cucfg32.dll
C:\WINDOWS\System32\dwdlgs.dll
C:\WINDOWS\System32\iwv6mon.dll
C:\WINDOWS\System32\mpwmdm.dll
C:\WINDOWS\System32\lscas.exe

Restart and run an lm2fix option 1.

See you+

Regis59 · Answer

Re,

Ok do it again but with this:

C:\WINDOWS\System32\drmrtp.dll
C:\WINDOWS\System32\fplo0333e.dll
C:\WINDOWS\System32\cbmres.dll
C:\WINDOWS\System32\e6jmlg1116.dll
C:\WINDOWS\System32\aza0l9jm1.dll
C:\WINDOWS\System32\jtr8079ue.dll

Then send a report

see you+

Regis59 · Answer

Hi

Please print these instructions or paste them into a text file for reading during this fix. Make sure to check the three little notes at the bottom before starting.
Download Look2Me-Destroyer.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=7

Close all active windows before moving to the next step.
• Double-click Look2Me-Destroyer.exe to launch the tool.
• Check Run this program as a task
• A message will appear saying: "Look2Me-Destroyer will close and re-open in approximately 10 seconds." Click OK
• It will restart after 10 seconds, then click the Scan for L2M button; the icons on your Desktop will disappear: this is normal.
• When the scan is complete, click the Remove L2M button
• A Done Scanning message will appear, click OK.
• A new message will appear: Done removing infected files! Look2Me-Destroyer will now shutdown your computer; click OK.
• Your PC will now shut down.
• Start your PC normally.
• Paste the generated report, located here: C:\Look2Me-Destroyer.txt, along with a new HijackThis! report in your next response.
*If Look2Me-Destroyer does not restart automatically after 10 seconds, restart and try again.

**If you receive a message from your firewall that the tool is trying to access the internet: accept it.

***If a runtime error '339' message appears: download MSWINSCK.OCX from the link below, and place it in the C:\Windows\System32 folder.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Then resend a HijackThis + a LM2FIX option 1.

See you+

Regis59 · Answer

Hi  It's much better, please put a hijack this back  See you+

Regis59 · Answer

Hi

It seems okay, what about your issues?
However, Windows is not up to date and therefore, you're leaving vulnerabilities for hackers and infections.
It would be good to download Service Pack 1 or 2 (SP1 or SP2)

See you later

Regis59 · Answer

Hello  Here it is: http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en  See you!

Regis59 · Answer

Hi

Please give me a Hijack This, I'll check if SP2 is installed.

Yes, you can delete what's on the desktop

The infections are inactive...

¤Disable your system restore (only if you're on XP):
Right-click on My Computer, then
properties, click on the System Restore tab
check the box "Disable System Restore" and apply.

Then,

¤Reactivate your system restore (only if you're on XP):
Right-click on My Computer, then
properties, click on the System Restore tab
uncheck the box "Disable System Restore" and apply.

See you later

Regis59 · Answer

Re  The SP2 is not installed, did you download it properly?  See you+

Regis59 · Answer

Impeccable, he is installed  How are your issues?  See you later

Regis59 · Answer

Hi gdf,  Yes, with pleasure. Let me know all the programs you have on your PC and I will detail the frequencies for you.  See you later.

Regis59 · Answer

Hi;  Ad Aware < to be updated every week. + a quick scan, if it doesn’t detect anything, do it every 2/3 weeks.  Spybot Search and Destroy < same as for Ad Aware  AVG Anti Spyware < if you browse a lot and are often connected, I suggest doing it every month. Of course, don’t forget the updates every week.  Virus Scan <- updates as well!  See you+

Regis59 · Answer

Hi gdf,  You're welcome, it was a pleasure!  If you need anything, come back to the forum  See you!

Core121 · Answer

Hello,  I’m posting here because I have the same problem as these people, so I did a hijack and I’m posting the log if someone can tell me what’s wrong....  Thanks in advance  Logfile of HijackThis v1.99.1 Scan saved at 20:55:24, on 22.01.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011)  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\LAUNCH~1\LManager.exe C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\PrintKey2000\Printkey2000.exe C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe C:\Acer\Empowering Technology\eLock\LockServ.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe D:\Programmes\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shccourt.ch/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://fr.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links R3 - URLSearchHook: Yahoo! Toolbar with pop-up blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe" -osboot O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [audioatomcityenc] C:\Documents and Settings\All Users\Application Data\axis balm audio atom\Flag exit.exe O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Bend Trans] C:\DOCUME~1\Admin\APPLIC~1\GRIDBI~1\ForkLoveHtm.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe O8 - Extra context menu item: E&xporter to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/... O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

Regis59 · Answer

Hi,  Download LopxpMH to your Desktop.  http://perso.numericable.fr/~altshift/Info/Fichiers/lopxpMH2.zip  Unzip it (right-click >> Extract here) and double-click on the file lopxpMH.bat.  Post the content of the report that will open.  See you later -- "I had a dream of a better world...Without differences in colors...Equality..."-MLK-

Core121 · Answer

Hello, thank you for your response. Here are the results of the tool you provided: Report made at 7:28:33.78 on 01/23/2007 ****************************************** ## Application Data Directories The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Default User\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 12/17/2006 00:18 Identities 04/15/2005 14:36 Microsoft 04/15/2005 14:36 62 desktop.ini 1 file(s) 62 bytes 4 Dir(s) 39,422,754,816 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Default User\Local Settings\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 12/17/2006 00:18 ApplicationHistory 04/15/2005 14:47 Microsoft 12/17/2006 00:18 137 fusioncache.dat 12/17/2006 00:18 35,008 GDIPFONTCACHEV1.DAT 12/17/2006 00:18 2,109,288 IconCache.db 3 file(s) 2,144,433 bytes 4 Dir(s) 39,422,754,816 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\All Users\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 08/30/2006 20:41 Adobe 12/25/2006 11:40 axis balm audio atom 12/17/2006 09:07 CyberLink 12/27/2006 19:46 DVD Shrink 12/17/2006 09:14 Google 04/15/2005 14:36 Microsoft 12/17/2006 09:18 Network Associates 01/03/2007 20:39 Sony Corporation 12/27/2006 20:06 Spybot - Search & Destroy 08/30/2006 20:50 Symantec 12/20/2006 20:37 Windows Genuine Advantage 04/15/2005 14:36 62 desktop.ini 1 file(s) 62 bytes 13 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\NetworkService\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 04/15/2005 14:36 Microsoft 0 file(s) 0 bytes 3 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\NetworkService\Local Settings\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 04/15/2005 14:52 Microsoft 0 file(s) 0 bytes 3 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\LocalService\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 04/15/2005 14:36 Microsoft 0 file(s) 0 bytes 3 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\LocalService\Local Settings\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 04/15/2005 14:52 Microsoft 0 file(s) 0 bytes 3 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Administrator\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 04/15/2005 14:55 Identities 04/15/2005 14:36 Microsoft 04/15/2005 14:36 62 desktop.ini 1 file(s) 62 bytes 4 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Administrator\Local Settings\Application Data 12/17/2006 01:08 . 12/17/2006 01:08 .. 08/30/2006 20:46 ApplicationHistory 04/15/2005 14:47 Microsoft 08/30/2006 20:46 137 fusioncache.dat 08/31/2006 08:10 100,336 GDIPFONTCACHEV1.DAT 09/06/2006 13:26 2,109,288 IconCache.db 3 file(s) 2,209,761 bytes 4 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Admin\Application Data 12/17/2006 00:19 . 12/17/2006 00:19 .. 12/22/2006 13:38 Adobe 12/22/2006 13:39 AdobeUM 12/17/2006 09:08 CyberLink 12/17/2006 09:26 Google 12/25/2006 11:40 GRID BIKE 12/17/2006 00:19 Identities 12/25/2006 16:28 Lavasoft 12/17/2006 00:21 Macromedia 12/17/2006 00:19 Microsoft 12/17/2006 09:09 Real 01/03/2007 20:37 Sony Corporation 12/17/2006 15:14 Vso 12/17/2006 00:19 62 desktop.ini 12/17/2006 15:14 87,608 ezpinst.exe 12/17/2006 15:14 7,824 pcouffin.cat 12/17/2006 15:14 1,144 pcouffin.inf 12/17/2006 15:14 34 pcouffin.log 12/17/2006 15:14 47,360 pcouffin.sys 6 file(s) 144,032 bytes 14 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Admin\Local Settings\Application Data 12/17/2006 00:19 . 12/17/2006 00:19 .. 12/22/2006 13:38 Adobe 12/17/2006 00:19 ApplicationHistory 12/17/2006 09:12 Google 12/17/2006 00:19 Microsoft 12/18/2006 19:23 WMTools Downloaded Files 12/16/2006 20:20 6,656 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 12/17/2006 00:19 128 fusioncache.dat 12/17/2006 00:19 35,008 GDIPFONTCACHEV1.DAT 12/17/2006 20:38 5,019,598 IconCache.db 4 file(s) 5,061,390 bytes 7 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Admin1\Application Data 12/30/2006 12:15 . 12/30/2006 12:15 .. 12/30/2006 12:15 Identities 12/30/2006 12:16 Macromedia 12/30/2006 12:15 Microsoft 12/30/2006 12:15 Real 12/30/2006 12:15 62 desktop.ini 1 file(s) 62 bytes 6 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\Admin1\Local Settings\Application Data 12/30/2006 12:15 . 12/30/2006 12:15 .. 12/30/2006 12:15 ApplicationHistory 12/30/2006 12:15 Microsoft 12/30/2006 12:34 4,608 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 12/30/2006 12:15 129 fusioncache.dat 12/30/2006 12:15 35,008 GDIPFONTCACHEV1.DAT 12/30/2006 12:15 4,459,564 IconCache.db 4 file(s) 4,499,309 bytes 4 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\ad\Application Data 01/20/2007 15:58 . 01/20/2007 15:58 .. 01/20/2007 15:58 Identities 01/20/2007 16:01 Macromedia 01/20/2007 15:58 Microsoft 01/20/2007 15:59 Real 01/20/2007 15:58 62 desktop.ini 1 file(s) 62 bytes 6 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Documents and Settings\ad\Local Settings\Application Data 01/20/2007 15:58 . 01/20/2007 15:58 .. 01/20/2007 15:58 ApplicationHistory 01/20/2007 15:58 Microsoft 01/20/2007 15:58 125 fusioncache.dat 01/20/2007 15:58 35,008 GDIPFONTCACHEV1.DAT 01/20/2007 15:58 5,015,518 IconCache.db 3 file(s) 5,050,651 bytes 4 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\WINDOWS\system32\config\systemprofile\Application Data 12/17/2006 01:05 . 12/17/2006 01:05 .. 12/17/2006 00:18 Identities 04/15/2005 14:36 Microsoft 12/17/2006 00:18 Symantec 04/15/2005 14:36 62 desktop.ini 1 file(s) 62 bytes 5 Dir(s) 39,422,722,048 bytes free The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data 12/17/2006 01:05 . 12/17/2006 01:05 .. 12/17/2006 00:18 ApplicationHistory 04/15/2005 14:47 Microsoft 12/17/2006 00:18 137 fusioncache.dat 12/17/2006 00:18 35,008 GDIPFONTCACHEV1.DAT 12/17/2006 00:18 2,109,288 IconCache.db 3 file(s) 2,144,433 bytes 4 Dir(s) 39,422,722,048 bytes free ****************************************** Search for scheduled tasks in C:\WINDOWS asks The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\WINDOWS\Tasks 12/25/2006 11:40 262 AC848AD592773BCD.job 12/17/2006 01:08 .. 12/17/2006 01:08 . 09/06/2006 13:26 6 SA.DAT 08/10/2004 05:00 65 desktop.ini 3 file(s) 333 bytes 2 Dir(s) 39,422,722,048 bytes free ****************************************** ## Program Files Directories The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\Program Files 12/17/2006 01:09 . 12/17/2006 01:09 .. 08/30/2006 20:40 Acer Inc 08/30/2006 20:41 Adobe 12/17/2006 11:47 Ahead 12/22/2006 22:00 AndreaMosaic 01/07/2007 13:11 AviSynth 2.5 04/15/2005 14:42 ComPlus Applications 08/30/2006 20:35 CONEXANT 12/17/2006 00:21 CyberLink 08/30/2006 20:30 DIFX 12/25/2006 11:40 Download Plugin 12/27/2006 19:46 DVD Shrink 12/30/2006 14:27 eMule 04/15/2005 14:37 Common Files 08/31/2006 08:23 GemMasterFrench 12/17/2006 09:12 Google 12/25/2006 11:40 GRID BIKE 01/08/2007 21:14 Hewlett-Packard 04/15/2005 14:44 Internet Explorer 12/17/2006 00:24 Launch Manager 12/25/2006 16:28 Lavasoft 01/08/2007 21:38 Linksys 12/26/2006 13:13 Manor Foto Service 04/15/2005 14:41 Messenger 04/15/2005 14:47 Microsoft FrontPage 12/16/2006 20:52 Microsoft Office 12/16/2006 20:53 Microsoft Visual Studio 12/16/2006 20:53 Microsoft Works 12/16/2006 20:52 Microsoft.NET 04/15/2005 14:41 Movie Maker 04/15/2005 14:41 MSN 04/15/2005 14:41 MSN Gaming Zone 12/17/2006 20:19 MSXML 4.0 04/15/2005 14:44 NetMeeting 12/17/2006 09:18 Network Associates 08/30/2006 20:39 NewTech Infosystems 04/15/2005 14:44 Outlook Express 01/08/2007 21:37 Print Server 12/21/2006 19:20 PrintKey2000 12/17/2006 09:12 Real 08/30/2006 20:34 Realtek 01/07/2007 13:10 Ripp-it_AM 04/15/2005 14:45 Online Services 01/03/2007 20:38 Sony 01/03/2007 20:40 Sony Corporation 12/27/2006 20:06 Spybot - Search & Destroy 12/18/2006 20:25 Switch Off 08/30/2006 20:35 Synaptics 12/25/2006 16:04 TaxMeBe2006 12/25/2006 13:02 vso 04/15/2005 14:42 Windows Media Player 04/15/2005 14:41 Windows NT 04/15/2005 14:42 Windows Plus 12/17/2006 15:13 WinRAR 04/15/2005 14:47 Xerox 12/17/2006 00:31 Yahoo! 0 file(s) 0 bytes 57 Dir(s) 39,422,722,048 bytes free ****************************************** ## Allowed Popups * Internet Explorer ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow netsearchsoft.com REG_SZ www.netsearchsoft.com REG_SZ * Mozilla Firefox (1 allowed 2 blocked) ****************************************** ## Registry * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] audioatomcityenc REG_SZ C:\Documents and Settings\All Users\Application Data\axis balm audio atom\Flag exit.exe * [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Bend Trans REG_SZ C:\DOCUME~1\Admin\APPLIC~1\GRIDBI~1\ForkLoveHtm.exe ****************************************** ## Security Zones * HKCU Domains (4) * P3P History (5) ****************************************** ## Search C:\WINDOWS\*.htm, "C:\WINDOWS\*.gif" The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\WINDOWS The volume in drive C is named ACER The volume serial number is C3E7-10CB Directory of C:\WINDOWS *************** End of Report ****************

Regis59 · Answer

Hello,  Print or save the procedure in a file in Notepad to make sure you don't forget anything and do everything in order.  1/Download this: Clean Up 40: http://pageperso.aol.fr/balltrap34/CleanUp40.exe -Help with images: (thanks to Balltrap34).  http://pageperso.aol.fr/balltrap34/democleanup.htm  Disconnect from the Internet and close all running programs.   Restart in safe mode Restart the PC, let the BIOS screen pass, then tap the F8 key before the Windows loading screen appears. Select safe mode from the options and confirm with enter. (If F8 doesn't work, try F5)   Make hidden and system files visible Control panel > folder options > view tab Check the box next to "show hidden files and folders" Uncheck the box next to "hide extensions for known file types" Uncheck the box next to "hide protected operating system files" Click on [Apply] then [ok] to confirm  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_   Run hijackthis and click on [do a system scan only] Check the box at the beginning of the following lines:  O4 - HKLM\..\Run: [audioatomcityenc] C:\Documents and Settings\All Users\Application Data\axis balm audio atom\Flag exit.exe  O4 - HKCU\..\Run: [Bend Trans] C:\DOCUME~1\Admin\APPLIC~1\GRIDBI~1\ForkLoveHtm.exe  Confirm by clicking on the [fix checked] button  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_   Search for and delete these folders:  Remove the files by following the path of the infected files if possible, rather than using the "Search" function  If they are present, delete:  C:\Documents and Settings\Admin\Application Data\GRID BIKE   C:\Documents and Settings\All Users\Application Data\axis balm audio atom  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_  Then go to Start > Run and type cmd then confirm with ok  In the window that opens, copy and paste this:  del /a C:\WINDOWS	asks\AC848AD592773BCD.job  and confirm by pressing enter  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_  Then, very important:  :: Delete temporary files ::  Run cleanup40.  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_  Run this: http://mvps.org/winhelp2002/DelDomains.inf  -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_  Restart normally and re-post a Hijackthis on the machine…  Let me know where your issues stand…  See you later  -- "I had a dream of a better world...Without differences in color...Equality..."-MLK-

Core121 · Answer

So I did the manipulations you asked me to, and the results should be good; in any case, I no longer have these iexplorer processes running all the time... However, I have 2 programs that used to launch at startup that now crash... well, it's not too serious if the iexplorer process issue is resolved.  Thanks for everything, and here is a Hijackthis log...  Logfile of HijackThis v1.99.1 Scan saved at 16:52:32, on 23.01.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011)  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\ctfmon.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\PrintKey2000\Printkey2000.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Acer\Empowering Technology\eLock\LockServ.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\unsecapp.exe D:\Programmes\hijackthis\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shccourt.ch/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://fr.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.swatchgroup.net:8084 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links R3 - URLSearchHook: Yahoo! Toolbar with pop-up blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OBealsched.exe" -osboot O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe O8 - Extra context menu item: E&xporter to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/... O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Regis59 · Answer

Hi  What's crashing?  See you -- "I had a dream of a better world...Without differences in colors...Equality..."-MLK-

core121 · Answer

- Launch manager.exe that I reinstalled - Lockmon.exe that I didn't even have the time to see what it is!

Regis59 · Answer

Hello  In the Start < Run < type msconfig Startup tab uncheck all programs except your antivirus and your firewall  confirm and restart  upon restart, check do not show this message again  restart and let me know how your issues stand  see you+ -- "I had a dream of a better world...Without color differences...Equality..." -MLK-

dark pince · Answer

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:32:56, on 25/04/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\MessengerPlus! 3\MsgPlus.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\LVComS.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE c:\progra~1\intern~1\iexplore.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\florian casadio\Mes documents\Document (Logiciel)\HiJackThis_v2.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Admineqsendidle] C:\Documents and Settings\All Users.WINDOWS\Application Data\SurfTypeAdminEq\vc draw.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [Baitsoft] C:\DOCUME~1\FLORIA~1\APPLIC~1\Phonemp3\BEEP CHIN.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe  -- End of file - 8126 bytes   Here is the HijackThis report, can you tell me what I should do? Thank you.

Regis59 · Answer

Hello,  It would be better if you made your personal message, it will make the posts more understandable and the response to your problem will be more effective. Proceed as follows: http://pageperso.aol.fr/balltrap34/demofairesontmessage.htm  See you soon  -- "I had a dream of a better world...Without differences in colors...Equality..."-MLK-

Buffer overflow virus

34 réponses

Texture issues in enshrouded

Pixma mx495 printer error code b204 and still under warranty

Canon mb5350 - cartridge replacement impossible

Expired hp cartridge

Pc that turns off by itself after 10 minutes

I can't subscribe on instagram anymore.

Connection issue with the system events service

What does 250mb/500mb mobile internet represent?

My logicom riva 250 displays searching

Installation du logiciel gps x970t via michelin