6 Posts

July 25th, 2005 17:00

Fatal Error in IE

Upon starting up my computer I'm getting the following message, set as a blue wallpaper, on my PC:
 
'Fatal error in Ie has occured at 0028:C0011E36 in VXD VMM (01)+ 00010E36
Error was casued by Trojan-spy.HTML.Smitfraud.c
*System cannot function in normal mode.  Please check your security settings.
*Scan your PC with any available antivirus/spyware remover program to fix problem."
 
I have used both my antivirus protection, McAfee, and downloaded Spybot; neither program was able to aid me in saving my computer.
 
Researching different forums I discovered HijackThis, and have downloaded the program. The following is the log created by HijackThis:
 

Logfile of HijackThis v1.99.1

Scan saved at 10:46:33 AM, on 7/25/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

c:\PROGRA~1\mcafee.com\mps\mscifapp.exe

C:\WINDOWS\Explorer.exe

c:\windows\system32\jynpapk.exe

C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O1 - Hosts: 66.180.173.39 www.google.ae

O1 - Hosts: 66.180.173.39 www.google.am

O1 - Hosts: 66.180.173.39 www.google.as

O1 - Hosts: 66.180.173.39 www.google.at

O1 - Hosts: 66.180.173.39 www.google.az

O1 - Hosts: 66.180.173.39 www.google.be

O1 - Hosts: 66.180.173.39 www.google.bi

O1 - Hosts: 66.180.173.39 www.google.ca

O1 - Hosts: 66.180.173.39 www.google.cd

O1 - Hosts: 66.180.173.39 www.google.cg

O1 - Hosts: 66.180.173.39 www.google.ch

O1 - Hosts: 66.180.173.39 www.google.ci

O1 - Hosts: 66.180.173.39 www.google.cl

O1 - Hosts: 66.180.173.39 www.google.co.cr

O1 - Hosts: 66.180.173.39 www.google.co.hu

O1 - Hosts: 66.180.173.39 www.google.co.il

O1 - Hosts: 66.180.173.39 www.google.co.in

O1 - Hosts: 66.180.173.39 www.google.co.je

O1 - Hosts: 66.180.173.39 www.google.co.jp

O1 - Hosts: 66.180.173.39 www.google.co.ke

O1 - Hosts: 66.180.173.39 www.google.co.kr

O1 - Hosts: 66.180.173.39 www.google.co.ls

O1 - Hosts: 66.180.173.39 www.google.co.nz

O1 - Hosts: 66.180.173.39 www.google.co.th

O1 - Hosts: 66.180.173.39 www.google.co.ug

O1 - Hosts: 66.180.173.39 www.google.co.uk

O1 - Hosts: 66.180.173.39 www.google.co.ve

O1 - Hosts: 66.180.173.39 www.google.com

O1 - Hosts: 66.180.173.39 www.google.com.ag

O1 - Hosts: 66.180.173.39 www.google.com.ar

O1 - Hosts: 66.180.173.39 www.google.com.au

O1 - Hosts: 66.180.173.39 www.google.com.br

O1 - Hosts: 66.180.173.39 www.google.com.co

O1 - Hosts: 66.180.173.39 www.google.com.cu

O1 - Hosts: 66.180.173.39 www.google.com.do

O1 - Hosts: 66.180.173.39 www.google.com.ec

O1 - Hosts: 66.180.173.39 www.google.com.fj

O1 - Hosts: 66.180.173.39 www.google.com.gi

O1 - Hosts: 66.180.173.39 www.google.com.gr

O1 - Hosts: 66.180.173.39 www.google.com.gt

O1 - Hosts: 66.180.173.39 www.google.com.hk

O1 - Hosts: 66.180.173.39 www.google.com.ly

O1 - Hosts: 66.180.173.39 www.google.com.mt

O1 - Hosts: 66.180.173.39 www.google.com.mx

O1 - Hosts: 66.180.173.39 www.google.com.my

O1 - Hosts: 66.180.173.39 www.google.com.na

O1 - Hosts: 66.180.173.39 www.google.com.nf

O1 - Hosts: 66.180.173.39 www.google.com.ni

O1 - Hosts: 66.180.173.39 www.google.com.np

O1 - Hosts: 66.180.173.39 www.google.com.pa

O1 - Hosts: 66.180.173.39 www.google.com.pe

O1 - Hosts: 66.180.173.39 www.google.com.ph

O1 - Hosts: 66.180.173.39 www.google.com.pk

O1 - Hosts: 66.180.173.39 www.google.com.pr

O1 - Hosts: 66.180.173.39 www.google.com.py

O1 - Hosts: 66.180.173.39 www.google.com.sa

O1 - Hosts: 66.180.173.39 www.google.com.sg

O1 - Hosts: 66.180.173.39 www.google.com.sv

O1 - Hosts: 66.180.173.39 www.google.com.tr

O1 - Hosts: 66.180.173.39 www.google.com.tw

O1 - Hosts: 66.180.173.39 www.google.com.ua

O1 - Hosts: 66.180.173.39 www.google.com.uy

O1 - Hosts: 66.180.173.39 www.google.com.vc

O1 - Hosts: 66.180.173.39 www.google.com.vn

O1 - Hosts: 66.180.173.39 www.google.de

O1 - Hosts: 66.180.173.39 www.google.dj

O1 - Hosts: 66.180.173.39 www.google.dk

O1 - Hosts: 66.180.173.39 www.google.es

O1 - Hosts: 66.180.173.39 www.google.fi

O1 - Hosts: 66.180.173.39 www.google.fm

O1 - Hosts: 66.180.173.39 www.google.fr

O1 - Hosts: 66.180.173.39 www.google.gg

O1 - Hosts: 66.180.173.39 www.google.gl

O1 - Hosts: 66.180.173.39 www.google.gm

O1 - Hosts: 66.180.173.39 www.google.hn

O1 - Hosts: 66.180.173.39 www.google.ie

O1 - Hosts: 66.180.173.39 www.google.it

O1 - Hosts: 66.180.173.39 www.google.kz

O1 - Hosts: 66.180.173.39 www.google.li

O1 - Hosts: 66.180.173.39 www.google.lt

O1 - Hosts: 66.180.173.39 www.google.lu

O1 - Hosts: 66.180.173.39 www.google.lv

O1 - Hosts: 66.180.173.39 www.google.mn

O1 - Hosts: 66.180.173.39 www.google.ms

O1 - Hosts: 66.180.173.39 www.google.mu

O1 - Hosts: 66.180.173.39 www.google.mw

O1 - Hosts: 66.180.173.39 www.google.nl

O1 - Hosts: 66.180.173.39 www.google.no

O1 - Hosts: 66.180.173.39 www.google.off.ai

O1 - Hosts: 66.180.173.39 www.google.pl

O1 - Hosts: 66.180.173.39 www.google.pn

O1 - Hosts: 66.180.173.39 www.google.pt

O1 - Hosts: 66.180.173.39 www.google.ro

O1 - Hosts: 66.180.173.39 www.google.ru

O1 - Hosts: 66.180.173.39 www.google.rw

O1 - Hosts: 66.180.173.39 www.google.se

O1 - Hosts: 66.180.173.39 www.google.sh

O1 - Hosts: 66.180.173.39 www.google.sk

O1 - Hosts: 66.180.173.39 www.google.sm

O1 - Hosts: 66.180.173.39 www.google.td

O1 - Hosts: 66.180.173.39 www.google.tm

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Jen\LOCALS~1\Temp\sbshyzezihs.dll (file missing)

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [secserv.exe] C:\WINDOWS\System32\secserv.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewje32.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run

O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe

O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [53tT3tP] msopcsvc.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe

O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [fbqfyes] c:\windows\system32\jynpapk.exe r

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - Global Startup: rpku.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\MXL_MTF.DLL

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

Any advice or support that can be offered to aid me in resolving this matter would be much appreciated.

 

Sincerely,

Dargos

2 Intern

 • 

5.9K Posts

July 26th, 2005 00:00

Download the Hoster from:
Unpack to your desktop and run it.   Select Restore Original Hosts.
 

Get DelDomain.inf from:
 
http://www.mvps.org/winhelp2002/restricted.htm  and then right click on it and Install. 
Get smitfraud.reg from:
Save it to your desktop.
You will need ABIRemover from
unpack (extract) it to your desktop but don't run it yet.

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet. 
Download a new wininet.dll file from:
and save it to C:\.
 
Run HijackThis and check the box in front of each and then ADD TO IGNORE LIST.  These are the good guys!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Now press Config.
CHECK the box in front of:  Mark everything found for fixing after a scan.
Ensure that all other boxes are still checked.
Press Back.
Press SCAN
Press Fix Checked and ignore any warnings.
 
Shutdown again and restart then boot into Safe Mode by tapping the F8 key when you see the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.
Run HijackThis and SCAN and Fix Checked.

Run ABI Remover.  It should reboot your system.  When it does try and get it to go back into Safe Mode as before and rerun HijackThis and fix checked anything that still shows up.
Run ccleaner.exe, uncheck everything on the first page except the two entries
with Temporary and then Run Cleaner.
Doubleclick on smitfraud.reg and let it install.
Reboot into regular mode and again install deldomain.inf and run hoster
just to make sure.
If you lose your desktop then you will need to follow the following procedure.  NOTE:  ONLY IF AFTER REBOOT YOU HAVE NO DESKTOP!
This assumes you downloaded the good wininet.dll and saved it to the c:\
**********
Boot into Safe Mode and select the Command Prompt option.
 
Type:
 
 
cd \
 
(Moves you to the root ( \ ) folder.)
 
del /f \windows\system32\dllcache\wininet.dll
ren \windows\system32\wininet.bad
copy c:\wininet.dll c:\windows\system32\
*******
Run another HijackThis log and post it as a reply. Let's
see how we did.
Ron

6 Posts

July 26th, 2005 17:00

Thank you Ron for the advice, it is much appreciated.
Here is the Hijackthis log from after I completed all your instructions:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:22 AM, on 7/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\parqrr.exe
C:\WINDOWS\System32\exptui.exe
C:\WINDOWS\system\tjexqpbjor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\exptui.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKCU\..\Run: [exptui] C:\WINDOWS\System32\exptui.exe
O4 - HKCU\..\RunOnce: [exptui] C:\WINDOWS\System32\exptui.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\MXL_MTF.DLL

A final check would be appreciated, thanks for the help.

Sincerely,
Dargos

2 Intern

 • 

5.9K Posts

July 26th, 2005 18:00

You make it harder when you keep adding new software.  You still have:
 
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O4 - HKCU\..\Run: [exptui] C:\WINDOWS\System32\exptui.exe
O4 - HKCU\..\RunOnce: [exptui] C:\WINDOWS\System32\exptui.exe
 
This might be qoologic in which case we will need some other software but first let's try Killbox.
 
 
Get Killbox.exe from:
Save it to your desktop.

Run it and where it says Full Path of File to Delete put in:
C:\WINDOWS\system32\C:\WINDOWS\System32\parqrr.exe reg_run
Check the Delete on Reboot option and press the red button.  Agree you want it to delete but do not let it reboot.  Repeat for:
C:\WINDOWS\System32\exptui.exe and let it reboot this time.
 
When it restarts, boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.
Run HijackThis and just do a Scan only. Check then Fix
Checked the following:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O4 - HKCU\..\Run: [exptui] C:\WINDOWS\System32\exptui.exe
O4 - HKCU\..\RunOnce: [exptui] C:\WINDOWS\System32\exptui.exe
 
Wait 60 seconds and repeat the scan. Did any of the above come back? IF so
leave HijackThis up and right click on the clock and select Task Manager. Then
Processes. Find Explorer.exe, right click on it and select End Process. The
desktop will disappear but HijackThis should still be there. IF you don't see
it switch to Applications in Task Manager and highlight it there then press
Switch To or just double click on it. Check and Fix Checked the above again.
Restart Explorer by Task Manager, File, New Task(Run), explorer.exe, OK.
 
Run Killbox again and delete the same things if they showed up again in HijackThis after your second attempt.
 
  Let it reboot and
Run another HijackThis log and Post it as a reply. Let's
see how we did.
 
Ron

6 Posts

July 26th, 2005 21:00

Here is the current log; however, I ran through your instructions and 04-HKLM\.\Run:[winsync] C:\WINDOWS\System32\parqrr.exe reg_run is still appearing.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:11 PM, on 7/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\system\tjexqpbjor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpku.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\MXL_MTF.DLL

Thank you for the support.

Sincerely,

Dargos

2 Intern

 • 

5.9K Posts

July 26th, 2005 23:00

This is trying to morph into the infection that eats your wininet.dll file.
 
Use HijackThis in Safe Mode to remove these:
 
 
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
Then Killbox to remove these on reboot:
 
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\system\tjexqpbjor.exe
C:\WINDOWS\System32\parqrr.exe
C:\Windows\System32\OLEADM32.DLL
C:\Windows\OLEADM.DLL
C:\Windows\UNINSTIU.EXE
 
 
The last 3 may not be there.  IF they are, your C:\Windows\System32\wininet.dll may have been replaced by the infection.  You should download a new one and save it to your C:\ so you can replace it if needed.  (Look at my first post.)
 
IF the first two are still in the processes list or the third one still shows up in HijackThis then we will need to see if it is qoologic. 
 
1. Download the FindQoologic-Narrator.zip and save it to your Desktop.

2. Extract (unzip) the files inside into their own folder called FindQoologic.
3. Open the FindQoologic folder.
4. Find and double-click the Activesetup.vbs file to run it.
Please wait until a "Finished" message appears.
5. When the set-up is complete a file named "Activesetup components[Machine ID][date].txt" will have been saved in the FindQoologic folder.
6. Find and double-click the Find-Qoologic.bat to run it.
The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".
7. Save this text file in the FindQoologic folder.
8. Find the Activesetup components[Machine ID][date].txt file and the file.txt file you saved.
Copy and paste the contents of both logs into your next post
 
Instead of posting them you may need to email me directly rkinner AT att DOT net.
 
Also try l2mfix.bat:
 
Download L2mfix from one of these two locations:


http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe


Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into a reply.
 
Ron
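
The scan-to-scan comparison done by eye in this thread ("You still have: ...") can be scripted. The following is an added example, not part of the original thread and not a HijackThis feature: it parses HijackThis entry lines, reports which O4 autorun entries came back after being fixed, which are new, and which hostnames the O1 Hosts lines redirect. The sample logs are short excerpts of the logs posted above; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [winsync] C:\... reg_run".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<detail>.+?)\s*$")
# O4 detail: "<location>: [<value name>] <command>"; the [name] part is absent
# for startup-folder items such as "Global Startup: rpku.exe".
O4_RE = re.compile(r"^(?P<loc>[^:\[]+):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$")
# O1 detail: "Hosts: <ip> <hostname>"
O1_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)$")

# Excerpts of the logs in this thread (first scan, ignore list, third scan).
BEFORE = r"""
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
"""
IGNORED = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
"""


def parse_log(text):
    """Return (code, detail) for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def autoruns(entries):
    """Map a case-insensitive (location, name, command) key to a display name for O4 lines."""
    out = {}
    for code, detail in entries:
        m = O4_RE.match(detail) if code == "O4" else None
        if not m:
            continue
        loc, name, cmd = m.group("loc"), m.group("name") or "", m.group("cmd")
        # Windows paths and value names compare case-insensitively.
        key = tuple(" ".join(part.lower().split()) for part in (loc, name, cmd))
        out[key] = name or cmd
    return out


def compare_scans(before, ignored, after):
    """Classify O4 entries of a later scan against an earlier one.

    Everything in `before` that is not on the ignore list is treated as
    having been selected for "Fix checked".
    """
    b, i, a = (autoruns(parse_log(t)) for t in (before, ignored, after))
    fixed = {k: v for k, v in b.items() if k not in i}
    return {
        "reappeared": [a[k] for k in a if k in fixed],   # fixed, but present again
        "new": [a[k] for k in a if k not in b],          # not seen in the first scan
        "gone": [fixed[k] for k in fixed if k not in a], # fixed and absent from O4 list
    }


def hosts_redirects(entries):
    """Group O1 Hosts entries by target IP to show how many names one address captures."""
    by_ip = defaultdict(list)
    for code, detail in entries:
        m = O1_RE.match(detail) if code == "O1" else None
        if m:
            by_ip[m.group("ip")].append(m.group("host"))
    return dict(by_ip)


if __name__ == "__main__":
    for label, names in compare_scans(BEFORE, IGNORED, AFTER).items():
        print(f"{label:10s} {names}")
    for ip, hosts in hosts_redirects(parse_log(BEFORE)).items():
        print(f"{ip} <- {len(hosts)} hostnames")
```

An entry listed as "gone" is only absent from the O4 lines; the running-process list of the later log still has to be checked separately, since a file can keep running after its Run value is removed.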

2 Intern

 • 

5.9K Posts

July 27th, 2005 16:00

Correction:

Where I talked about replacing wininet.dll it should read:

 

ren \windows\system\wininet.dll \windows\system\wininet.bad

 

instead of

 

ren \windows\system\wininet.bad

 

Sorry about that.

 

Ron

2 Intern

 • 

5.9K Posts

July 28th, 2005 20:00

So that's how it is doing it.  It has infected the dllcache so Windows is restoring them.  Run l2mfix.bat again and select option 2.  That should remove all of those evil things but if it doesn't at least we know what to look for now.

Ron

Message Edited by RKinner on 07-28-2005 04:48 PM

6 Posts

July 28th, 2005 20:00

Ron here is the record from FindQoologic:
 

some examples are MRT.EXE NTDLL.DLL.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

.

..

DESKTOP.INI

rpku.exe

User Startup:

C:\Documents and Settings\Jen\Start Menu\Programs\Startup

.

..

DESKTOP.INI

Please note that I was receiving an error window, since I am running Windows XP.

6 Posts

July 28th, 2005 20:00

Finally, for posterity, here is the current Hijackthis Log, that I got in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:20:23 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpku.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\parqrr.exe reg_run
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\MXL_MTF.DLL

Thanks for the help.  I will also post this on the forum.

Sincerely,

Dargos

6 Posts

July 28th, 2005 20:00

Here is the l2mfix.bat log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\MXL_MTF.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3E993EA6-EE71-F3A8-E931-1A7D9877F1DF}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{245DF48F-4492-4B8E-8422-26E5D51EA280}"=""
"{A833AB67-7368-457E-B8BF-249CCD8DDD14}"="Date Bar"
"{A2DD73E2-3575-4FA1-AC75-46E4B6CE49D0}"=""
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{245DF48F-4492-4B8E-8422-26E5D51EA280}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{245DF48F-4492-4B8E-8422-26E5D51EA280}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{245DF48F-4492-4B8E-8422-26E5D51EA280}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{245DF48F-4492-4B8E-8422-26E5D51EA280}\InprocServer32]
@="C:\\WINDOWS\\system32\\OZBCCR32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A2DD73E2-3575-4FA1-AC75-46E4B6CE49D0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A2DD73E2-3575-4FA1-AC75-46E4B6CE49D0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A2DD73E2-3575-4FA1-AC75-46E4B6CE49D0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A2DD73E2-3575-4FA1-AC75-46E4B6CE49D0}\InprocServer32]
@="C:\\WINDOWS\\system32\\NASHRUI.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is D4C4-B983

 Directory of C:\WINDOWS\System32

07/28/2005  02:11 PM           417,792 OZBCCR32.DLL
07/28/2005  01:58 PM           417,792 NASHRUI.DLL
07/28/2005  01:45 PM           417,792 CZDBControlRoxio.dll
07/27/2005  11:00 AM           417,792 IXETRES.DLL
07/27/2005  10:52 AM           417,792 wvcdlg.dll
07/26/2005  03:09 PM           417,792 CLMMDLG.DLL
07/26/2005  03:06 PM           417,792 MAPORTS.DLL
07/26/2005  02:46 PM           417,792 KQDUZB.DLL
07/26/2005  02:35 PM    <DIR>          DLLCACHE
07/26/2005  10:15 AM           417,792 mcxml3a.dll
07/26/2005  09:08 AM           417,792 URRVOICA.DLL
07/25/2005  10:39 AM           417,792 CLUTIL.DLL
07/24/2005  09:51 PM           417,792 WVADMOD.DLL
07/24/2005  09:33 PM           417,792 dssynth.dll
07/24/2005  08:53 PM           417,792 SJFRDM.DLL
07/24/2005  07:25 PM           417,792 MKACM32.DLL
07/24/2005  07:20 PM           417,792 nqrszhc.dll
07/24/2005  06:03 PM           417,792 IOMPAGNT.DLL
07/24/2005  04:38 PM           417,792 MUIMG32.DLL
07/24/2005  11:35 AM           417,792 MXL_MTF.DLL
07/23/2005  11:10 PM           417,792 IVRTPRIO.DLL
07/23/2005  11:09 PM           417,792 IOETCPLC.DLL
07/23/2005  11:09 PM           417,792 ddusic.dll
07/15/2005  01:15 PM           417,792 KUDMON.DLL
07/15/2005  01:13 PM           417,792 fSahvoas.dll
07/11/2005  05:17 PM           417,792 PVRFDISK.DLL
07/11/2005  05:17 PM           417,792 PARFPROC.DLL
07/11/2005  05:16 PM           417,792 mkcpx32r.dLL
07/07/2005  10:05 PM           417,792 guard.tmp
07/07/2005  06:59 PM           417,792 ddbkcoin.dll
07/07/2005  06:57 PM           417,792 DIKQUOTA.DLL
07/07/2005  06:57 PM           417,792 DOUIEXT.DLL
06/29/2005  08:31 AM           401,408 l?gonui.exe
08/28/2003  12:46 PM    <DIR>          Microsoft
08/29/2002  03:00 AM            13,832 apisvc.exe
08/29/2002  03:00 AM            35,328 secserv.exe
             34 File(s)     13,402,120 bytes
              2 Dir(s)  75,589,455,872 bytes free
No Events found!
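An added triage example (not part of the original posts and not l2mfix's own code): it parses a find log in the layout shown above, ties each Winlogon Notify and CLSID InprocServer32 DLL to the System32 listing, and reports files that share one exact size. The function names, the abridged sample, and the cluster threshold of 3 are assumptions; as the log itself says, files found are not all bad, so the output is a lead for review, not a verdict.

```python
import re
from collections import Counter

# Abridged excerpt of the find log above, embedded so the example runs offline.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"DllName"="C:\\WINDOWS\\system32\\MXL_MTF.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{245DF48F-4492-4B8E-8422-26E5D51EA280}"=""

[HKEY_CLASSES_ROOT\CLSID\{245DF48F-4492-4B8E-8422-26E5D51EA280}\InprocServer32]
@="C:\\WINDOWS\\system32\\OZBCCR32.DLL"

 Directory of C:\WINDOWS\System32

07/28/2005  02:11 PM           417,792 OZBCCR32.DLL
07/24/2005  11:35 AM           417,792 MXL_MTF.DLL
07/07/2005  10:05 PM           417,792 guard.tmp
08/29/2002  03:00 AM            13,832 apisvc.exe
08/29/2002  03:00 AM            35,328 secserv.exe
'''

SECTION = re.compile(r'^\[(.+)\]$')                  # [HKEY_...\key path]
VALUE = re.compile(r'^(@|"[^"]*")="(.*)"$')          # string values only
DIRENT = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+)$')

def parse_find_log(text):
    """Return (registry, files): key path -> {value name: data}, and
    lower-cased file name -> size in bytes. <DIR> rows are skipped."""
    registry, files, key = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
            registry.setdefault(key, {})
        elif m := VALUE.match(line):
            if key:  # .reg exports double every backslash; undo that
                registry[key][m.group(1).strip('"')] = m.group(2).replace('\\\\', '\\')
        elif m := DIRENT.match(line):
            files[m.group(2).strip().lower()] = int(m.group(1).replace(',', ''))
    return registry, files

def triage(registry, files, min_cluster=3):
    """Correlate DLL load points in the registry with the directory listing."""
    load_points = []
    for key, values in registry.items():
        lk = key.lower()
        if '\\winlogon\\notify\\' in lk and values.get('DllName'):
            load_points.append(('winlogon-notify', values['DllName']))
        elif lk.endswith('\\inprocserver32') and values.get('@'):
            load_points.append(('clsid-inproc', values['@']))
    # Approved shell extensions that were registered with an empty description
    unnamed = sorted(guid for key, values in registry.items()
                     if key.lower().endswith('shell extensions\\approved')
                     for guid, desc in values.items() if desc == '')
    # Several differently named files with one byte-identical size
    counts = Counter(files.values())
    clusters = {size: sorted(n for n, s in files.items() if s == size)
                for size, c in counts.items() if c >= min_cluster}
    findings = []
    for kind, path in load_points:
        name = path.rsplit('\\', 1)[-1].lower()
        findings.append({'kind': kind, 'dll': name, 'size': files.get(name),
                         'in_cluster': files.get(name) in clusters})
    return findings, unnamed, clusters

if __name__ == '__main__':
    for part in triage(*parse_find_log(SAMPLE_LOG)):
        print(part)
```
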
