Hi there, I've gotten the virus/trojan VX2.Look2Me in my computer, and it seems almost impossible to remove. I think this has to be a pretty new version of the malware, because I've already downloaded LAvasoft's VX2 cleaner plug-in for Ad-Aware, and that doesn't work either! And I've followed the steps thoroughly. When I run the VX2 cleaner, all that is says is "possible new variant found. Please submit the file contained in C:\vx2logs.tct for analysis." And that is the following file, C:\WINDOWS\system32\m4ju0e19eh.dll, but it changes everytime I resart the computer, but is always very similar. I've also runned Spy Doctor, and that always finds the three following items, with variations of the dll file:

VX2.Look2Me C:\WINDOWS\system32\l86olij318o.dll

VX2.Look2Me HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings

VX2.Look2Me multiple

I've managed to delete almost everything in the registry, well, everything I know of anyways. But that god damn DLL file in system32 is impossible to remove. I've tried so much! I've even installed unlockIT, which is an application that lets you end the processes that runs a particular DLL file. But all it says is: "this file is not locked to any process".. or something.. But it is. So what can I do? Can you help me?!

THANK YOU SO MUCH!!!!

Download Pocket Killbox to remove that.

http://www.downloads.subratam.org/KillBox.zip

Once you have done that.

# Download Find It NT-2K-XP.zip.
http://computercops.biz/zx/Zupe/Find%20It%20NT-2K-XP.zip
# Unzip the contents of Find It NT-2K-XP.zip to a convenient location.
# Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
# A command prompt will open and it will search your computer for malicious files.
# Once it has finished a Notepad window will pop up with output.txt.

Another tool.

Download HiJackThis, install & run to get a log file. Don't fix anything yet.
You then post the log file at the site provided below & it will tell you what to fix.
http://www.merijn.org/downloads.html
http://tomcoyote.com/hjt/

HijackThis log file analysis & repair ( online )
http://hijackthis.de/index.php?langselect=english
Or,
http://startup.networktechs.com/page-68.html
http://hjt.iamnotageek.com/

Try this with look2me:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

After posting thge HT log please download L2Mfix from this link http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this topic. Be sure to copy all of it.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

I've tried the first, and killbox wasn't able to delete the dll file either. So it's obviously a stubborn hijacker.
I will try the other alternatives later, but one thing that came to mind: I'm using Spyware Doctor to track down the files, but can I be sure that this program isn't malware in itself! Can anybody confirm that Spyware Doctor is real/trustable?

Spyware Doctor is not on the rogue list so it must be ok. Killbox will not delete look2me in most cases.L2M on the other hand will kill it but you have to run the second part and it is not recommended to run it if L2M is not present on the computer therefore viewing the L2Mfix log and Hijack This which can detect L2M would be a good way to reveal it.

Ok, I've runned Hijack This, and this is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 15:36:36, on 06.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programfiler\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DeltTray.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\banmanpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programfiler\Windows NT\Tilbehør\wordpad.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134086056997
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\ir6ml5j11.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Programfiler\Spyware Doctor\sdhelp.exe

And this is the log from L2Mfix: (don't know if it's relevant, but I was connected to the internet while running l2mfix, but NOT when I was running Hijack This)

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir6ml5j11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6BE07332-EA39-5209-32A4-654B75C6B36D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Skallutvidelser for filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Hurtigmeny for kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Skallutvidelser for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kj›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verkt›y"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verkt›ylinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="B†ndproxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-s›k"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-b†nd"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="F† en passport-veiviser"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Property Sheet Shell Extension"
"{93AB0E0E-E65C-4606-9D51-0A65B7796390}"=""
"{7B9FAB40-2716-4976-B349-A8992E9B9990}"=""
"{8E860110-1C60-40ED-AD85-0C31231184F7}"=""
"{554D3BCB-12AC-41C0-B7CC-00A9FBDEA031}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{93AB0E0E-E65C-4606-9D51-0A65B7796390}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93AB0E0E-E65C-4606-9D51-0A65B7796390}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93AB0E0E-E65C-4606-9D51-0A65B7796390}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93AB0E0E-E65C-4606-9D51-0A65B7796390}\InprocServer32]
@="C:\\WINDOWS\\system32\\kcdtuf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7B9FAB40-2716-4976-B349-A8992E9B9990}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B9FAB40-2716-4976-B349-A8992E9B9990}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B9FAB40-2716-4976-B349-A8992E9B9990}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B9FAB40-2716-4976-B349-A8992E9B9990}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdcdlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E860110-1C60-40ED-AD85-0C31231184F7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E860110-1C60-40ED-AD85-0C31231184F7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E860110-1C60-40ED-AD85-0C31231184F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E860110-1C60-40ED-AD85-0C31231184F7}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctrtmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{554D3BCB-12AC-41C0-B7CC-00A9FBDEA031}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{554D3BCB-12AC-41C0-B7CC-00A9FBDEA031}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{554D3BCB-12AC-41C0-B7CC-00A9FBDEA031}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{554D3BCB-12AC-41C0-B7CC-00A9FBDEA031}\InprocServer32]
@="C:\\WINDOWS\\system32\\ipmon.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu 24 Nov 2005 1:39:22 A.... 1 022 464 998,50 K
cdfview.dll Fri 21 Oct 2005 4:41:50 A.... 151 552 148,00 K
ctrtmgr.dll Thu 5 Jan 2006 18:09:46 ..S.R 234 789 229,29 K
danim.dll Sat 5 Nov 2005 4:20:34 A.... 1 054 720 1,00 M
dxtrans.dll Fri 21 Oct 2005 4:41:50 A.... 205 312 200,50 K
en28l1~1.dll Fri 6 Jan 2006 3:49:10 ..S.R 236 409 230,87 K
esent.dll Thu 20 Oct 2005 23:31:12 A.... 1 082 368 1,03 M
extmgr.dll Fri 21 Oct 2005 4:41:50 ..... 55 808 54,50 K
gccoll~1.dll Tue 15 Nov 2005 12:12:08 A.... 126 680 123,71 K
gcunco~1.dll Tue 15 Nov 2005 12:12:06 A.... 95 448 93,21 K
gdi32.dll Thu 29 Dec 2005 3:56:08 A.... 280 064 273,50 K
gwfspi~1.dll Fri 4 Nov 2005 16:27:18 A.... 23 304 22,76 K
hashlib.dll Tue 15 Nov 2005 12:12:08 A.... 117 976 115,21 K
i2060c~1.dll Thu 5 Jan 2006 21:03:18 ..S.R 235 370 229,85 K
iepeers.dll Fri 21 Oct 2005 4:41:50 A.... 251 392 245,50 K
inseng.dll Fri 21 Oct 2005 4:41:50 A.... 96 768 94,50 K
ipmon.dll Thu 5 Jan 2006 22:02:00 ..S.R 234 768 229,27 K
ir6ml5~1.dll Fri 6 Jan 2006 3:05:38 ..S.R 235 682 230,16 K
izrdbg32.dll Thu 5 Jan 2006 16:46:54 ..S.R 234 075 228,59 K
kcdtuf.dll Fri 6 Jan 2006 14:59:16 ..S.R 235 682 230,16 K
kmdhe319.dll Thu 5 Jan 2006 19:08:38 ..S.R 234 111 228,62 K
legitc~1.dll Fri 4 Nov 2005 16:27:24 A.... 534 280 521,76 K
mshtml.dll Thu 24 Nov 2005 1:39:24 A.... 3 013 632 2,87 M
mshtmled.dll Fri 21 Oct 2005 4:41:52 A.... 448 512 438,00 K
msrating.dll Fri 21 Oct 2005 4:41:52 A.... 146 432 143,00 K
mstime.dll Fri 21 Oct 2005 4:41:54 A.... 530 944 518,50 K
mvrating.dll Thu 5 Jan 2006 15:36:58 ..S.R 237 088 231,53 K
pngfilt.dll Fri 21 Oct 2005 4:41:54 A.... 39 424 38,50 K
risppp.dll Thu 5 Jan 2006 22:24:38 ..S.R 235 682 230,16 K
scvsvc.dll Thu 5 Jan 2006 8:28:20 ..S.R 235 352 229,84 K
shdocvw.dll Thu 1 Dec 2005 4:33:22 A.... 1 492 480 1,42 M
shlwapi.dll Fri 21 Oct 2005 4:41:54 A.... 473 600 462,50 K
sirenacm.dll Thu 13 Oct 2005 0:11:06 A.... 118 784 116,00 K
spmsg.dll Thu 13 Oct 2005 0:20:56 ..... 14 560 14,22 K
urlmon.dll Sat 5 Nov 2005 4:20:40 A.... 604 160 590,00 K
wbcsvc.dll Thu 5 Jan 2006 15:21:26 ..S.R 235 970 230,44 K
wdcdlg.dll Thu 5 Jan 2006 15:53:02 ..S.R 233 917 228,43 K
wfpshell.dll Thu 5 Jan 2006 17:04:04 ..S.R 234 077 228,59 K
wininet.dll Fri 21 Oct 2005 4:41:54 A.... 657 920 642,50 K
wonfax.dll Thu 5 Jan 2006 21:14:06 ..S.R 234 768 229,27 K
wupcd.dll Thu 5 Jan 2006 18:33:32 ..S.R 236 700 231,15 K
zlbw.dll Thu 5 Jan 2006 6:47:58 A.... 46 592 45,50 K

42 items found: 42 files (16 H/S), 0 directories.
Total of file sizes: 16 449 616 bytes 15,69 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
ld378a.tmp Sat 10 Dec 2005 18:03:54 A.... 24 064 23,50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 24 064 bytes 23,50 K
**********************************************************************************
Directory Listing of system files:
Volumet i stasjon C er System
Volumserienummeret er E032-9B65

Innhold i C:\WINDOWS\System32

06.01.2006 14:59 235ÿ682 kcdtuf.dll
06.01.2006 03:49 236ÿ409 en28l1fu1.dll
06.01.2006 03:05 235ÿ682 ir6ml5j11.dll
05.01.2006 22:24 235ÿ682 rIsppp.dll
05.01.2006 22:01 234ÿ768 ipmon.dll
05.01.2006 21:14 234ÿ768 wonfax.dll
05.01.2006 21:03 235ÿ370 i2060cdsef060.dll
05.01.2006 19:08 234ÿ111 kmdhe319.dll
05.01.2006 18:33 236ÿ700 wupcd.dll
05.01.2006 18:09 234ÿ789 ctrtmgr.dll
05.01.2006 17:04 234ÿ077 wfpshell.dll
05.01.2006 16:46 234ÿ075 izrdbg32.dll
05.01.2006 15:53 233ÿ917 wdcdlg.dll
05.01.2006 15:36 237ÿ088 mvrating.dll
05.01.2006 15:21 235ÿ970 wbcsvc.dll
05.01.2006 08:28 235ÿ352 scvsvc.dll
10.12.2005 03:20 <DIR> dllcache
09.12.2005 01:27 <DIR> Microsoft
16 fil(er) 3ÿ764ÿ440 byte
2 mappe(r) 4ÿ415ÿ438ÿ848 byte ledig

Run ewido in safe mode Palmolive & post the hijackthis log again.

ewido security suite free for Windows 2000/XP
http://www.ewido.net/en/features/
http://www.ewido.net/en/download/
Please use the online update after the installation. Only then can the recent signature database be transferred and installed.

Ok, I downloaded Ewido and ran it in safe mode. And I was impressed; It found 63 obvious infections which ad-aware or MS antispyware didn't find. And alot of them were VX2.L2M. ewido also deleted the dreaded dll file, and I hoped everything now was ok.. But it wasn't.
When I again ran a memory scan with ewido, it found 1 infection:

[648] C:\WINDOWS\system32\iv41_qc.dll -> Spyware.Look2Me : Error during cleaning

Note, this is NOT the same dll as the one i've been struggling with before.

It seemed to delete it, but as you can see, is says error during cleaning. And when i ran a memory scan again, it was back.

So, I then opened Process Explorer, and found this particular dll under rundll.exe. I then ended rundll.exe, and scanned memory again. Nothing found.
I then searched for the file i Windows folder, and found the following in system32:

C:\WINDOWS\system32\__delete_on_reboot__mmgina.dll

Note: this is after a reboot, so the name of this file has changed from the one above...

I deleted this, and the went on to search for this dll in the registry. I found it there, and deleted it.
I also found something else associated whith it:

Something called PendingFileRename with the data: \??\C:\Windows\System32\wcsdmod.dll

(again i've rebooted, so another name to the dll file)

I then deleted this.

I also found something called AllowProtectedRename , in Registry.. But I don't know if this is associated with L2M, so I didn't delete it..

After deleting and doing all this s---, I rebooted.

And voila, VX2 was still there! And the OLD dll file was back to..

So, it have to be this darn NEW dll file that I find in memory with Ewido, which cannot be deleted...

After all this, i ran HiJack This again, and here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 20:28:12, on 06.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134086056997
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\d20mlcd11f0.dll
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Programfiler\Spyware Doctor\sdhelp.exe

I must add:

I said in the post above, that in the ewido log it said: error during cleaning.
This is only sometimes, other times it in fact says cleaned succesfully.. But the file always is found on another follow up scan..

Posting the log at > HijackThis log file analysis & repair ( online )
http://hijackthis.de/index.php?langselect=english

Shows the below as the culprit.
http://searchbar.findthewebsiteyouneed.com

Putting > searchbar.findthewebsiteyouneed into Google, gets the manual removal of it.
This is just the registry part, read the rest of the page for other bits.
http://www.google.com.au/search?hl=en&q=searchbar.findthewebsiteyouneed&btnG=Search&meta=

===================================

http://securityresponse.symantec.com/avcenter/venc/data/spyware.dotcomtoolbar.html
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value

"redirect" = "[path to adware file]"

4. Navigate to and delete the following keys:

HKEY_CLASSES_ROOT\CLSID\{29DD1EA6-1FDA-44A4-B083-C9900547BC48}
HKEY_CLASSES_ROOT\CLSID\{5F1ABCDB-A875-46c1-8345-B72A4567E486}
HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
HKEY_CLASSES_ROOT\Interface\{7C479D09-1280-41D2-945F-2377736B8CF7}
HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
HKEY_CLASSES_ROOT\GoRSDN.ContextItem
HKEY_CLASSES_ROOT\GoRSDN.ContextItem.1
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\ToolBand.hits
HKEY_CLASSES_ROOT\ToolBand.hits.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5F1ABCDB-A875-46C1-8345-B72A4567E483}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotComToolbar
HKEY_ALL_USERS\Software\DotComToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/toolbar_nieuw14.dll
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5F1ABCDB-A875-46C1-8345-B72A4567E486}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5F1ABCDB-A875-46c1-8345-B72A4567E486}
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

5. Navigate to the key:

HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Search

Delete the following value:

"SearchAssistant" = "Explorer"

6. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

7. In the right pane, delete the value:

"SharedDlls" = "C:\WINDOWS\Downloaded Program Files\toolbar_nieuw14.dll"

8. Exit the Registry Editor.

When finished the above, run hijackthis & if still there, fix these.
Do you know what banmanpro is?

R3 - Default URLSearchHook is missing

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Do Not run in safe mode

If after the reboot the log does not open double click on it in the l2mfix folder.

Run HT again,close all windows and browsers except HT,place a check to the left of the following items and press "fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [DeltTray] DeltTray.exe

O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Reboot into safe mode by following the directions here

While still in safe mode navigate to and delete the following files and folders if found:

C:\WINDOWS\banmanpro.exe

C:\WINDOWS\system32\DeltTray.exe

Run Ewido from safe mode then post the HT log.

Now I'm getting really annoyed...

None of the above works.

I tried what jonny said, deleting i manually. But I found only a couple of those... of course deleted them...

Then I ran lm2fix, and here's the log:

L2mfix 010406
Creating Account.
Kommandoen er fullf›rt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)

I seems that it didn't find anything, but that it found something missing...? ...

And then, I ran HT, and I checked everything jabuck wrote..

Banmanpro is very suspiscious, so i deleted everything i found of that, in registry to.
Deltray is ok, it's for my soundcard.

After fixing in HT, it was still there. I found that dll file operating in memory, with Ewido.

Here's the log from HT, after i cleaned and rebooted, and as you can see, 020 is back..

Logfile of HijackThis v1.99.1
Scan saved at 01:33:58, on 07.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programfiler\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134086056997
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WASHData - C:\WINDOWS\system32\p8p6li7s18.dll
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Programfiler\Spyware Doctor\sdhelp.exe

# Download Find It NT-2K-XP.zip.
http://computercops.biz/zx/Zupe/Find%20It%20NT-2K-XP.zip

Post the log please.

Have you turned off system restore?

How to turn off System Restore, read your Windows documentation, or one of the following articles:
How to turn off or turn on Windows XP System Restore.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Diable real time protection for any of these spyware tools that you have as directed at this link http://wiki.castlecops.com/Securing_Your_Computer:_Temporarily_Disable_Real_Time_Monitoring_Programs

Then run the #2 option of the L2Mfix again

Reboot to reset the protection.

I've downloaded and runned Dr. Web, Spysweeper, and something shortened mvaw, by kaspersky.. all very good.. I now have a total of four antispywares running in the background, MS antispyware, Ewido, Spyware Doctor, and Spysweeper.. I shut them down, But l2mfix shows excactly the same.. maybe interessting though: when I open task manager I see associated exe files still running.. Like sdhelp.exe (spyware doctor), WRSSSDK.exe (spysweeper), and Ewidoctrl.exe (Ewido). And I'm not able to shut these down. Not even in administrator mode.

I have also now shut down system restore, and ran all spywares again. no difference.

Here's the log from Find It NT-2K-XP.zip:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Steffen Gr›nbech.STEFFEN\Skrivebord\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volumet i stasjon C er System
Volumserienummeret er E032-9B65

Innhold i C:\WINDOWS\System32

07.01.2006 13:59 236ÿ106 guard.tmp
07.01.2006 13:47 234ÿ205 irjul5191.dll
07.01.2006 13:36 236ÿ106 hr6005jme.dll
07.01.2006 13:25 236ÿ537 ravpperf.dll
07.01.2006 13:21 236ÿ537 cslbact.dll
07.01.2006 13:21 237ÿ294 jtns0757e.dll
10.12.2005 03:20 <DIR> dllcache
09.12.2005 01:27 <DIR> Microsoft
6 fil(er) 1ÿ416ÿ785 byte
2 mappe(r) 5ÿ702ÿ283ÿ264 byte ledig

------- Hidden Files in System32 Directory -------

Volumet i stasjon C er System
Volumserienummeret er E032-9B65

Innhold i C:\WINDOWS\System32

10.12.2005 03:20 <DIR> dllcache
08.12.2005 01:02 488 logonui.exe.manifest
08.12.2005 01:02 488 WindowsLogon.manifest
08.12.2005 01:02 749 wuaucpl.cpl.manifest
08.12.2005 01:02 749 cdplayer.exe.manifest
08.12.2005 01:02 749 sapi.cpl.manifest
08.12.2005 01:02 749 nwc.cpl.manifest
08.12.2005 01:02 749 ncpa.cpl.manifest
7 fil(er) 4ÿ721 byte
1 mappe(r) 5ÿ702ÿ283ÿ264 byte ledig

------------ Files Named "Guard" ---------------

Volumet i stasjon C er System
Volumserienummeret er E032-9B65

Innhold i C:\WINDOWS\System32

07.01.2006 13:59 236ÿ106 guard.tmp
1 fil(er) 236ÿ106 byte
0 mappe(r) 5ÿ702ÿ283ÿ264 byte ledig

------ Temp Files in System32 Directory ------

Volumet i stasjon C er System
Volumserienummeret er E032-9B65

Innhold i C:\WINDOWS\System32

07.01.2006 13:59 236ÿ106 guard.tmp
09.10.2001 13:00 2ÿ573 CONFIG.TMP
2 fil(er) 238ÿ679 byte
0 mappe(r) 5ÿ702ÿ283ÿ264 byte ledig

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6BE07332-EA39-5209-32A4-654B75C6B36D}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6005jme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Thu 8 Dec 2005 1:02:46 A..HR 749 0,73 K
cslbact.dll Sat 7 Jan 2006 13:21:16 ..S.R 236 537 230,99 K
guard.tmp Sat 7 Jan 2006 13:59:38 ..S.R 236 106 230,57 K
hr6005~1.dll Sat 7 Jan 2006 13:36:12 ..S.R 236 106 230,57 K
irjul5~1.dll Sat 7 Jan 2006 13:47:38 ..S.R 234 205 228,71 K
jtns07~1.dll Sat 7 Jan 2006 13:21:16 ..S.R 237 294 231,73 K
logonu~1.man Thu 8 Dec 2005 1:02:52 A..HR 488 0,48 K
ncpacp~1.man Thu 8 Dec 2005 1:02:46 A..HR 749 0,73 K
nwccpl~1.man Thu 8 Dec 2005 1:02:46 A..HR 749 0,73 K
ravpperf.dll Sat 7 Jan 2006 13:25:40 ..S.R 236 537 230,99 K
sapicp~1.man Thu 8 Dec 2005 1:02:46 A..HR 749 0,73 K
window~1.man Thu 8 Dec 2005 1:02:52 A..HR 488 0,48 K
wuaucp~1.man Thu 8 Dec 2005 1:02:46 A..HR 749 0,73 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1 421 506 bytes 1,36 M

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"gcasServ"="\"C:\\Programfiler\\Microsoft AntiSpyware\\gcasServ.exe\""
"SunJavaUpdateSched"="C:\\Programfiler\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SpySweeper"="\"C:\\Programfiler\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"



I think "guard" is ewido guard..

Or not... just found out, after a new scan with dr. web, that guard is l2m.

Guard is L2M

well, have anyway deleted guard without getting rid of l2m.. so, anything else to do? get any sense out of that FIND IT NT-2k-XP log?

Go offline, run the L2M option #2 fix again after disabling the real time protection as requested in response #17. Then reboot and post a that log and a HT log.

Ok guys. I threw in the towel. I surrendered.
I installed windows xp over again, and now it's fine..

But thank you very much for your help anyway!

Thats OK Palmolive, to me it looked like we were nearly there, possibly removing these files with Pocket Killbox & a new HJ logfile would have have done it.
07.01.2006 13:59 236ÿ106 guard.tmp
07.01.2006 13:47 234ÿ205 irjul5191.dll
07.01.2006 13:36 236ÿ106 hr6005jme.dll
07.01.2006 13:25 236ÿ537 ravpperf.dll
07.01.2006 13:21 236ÿ537 cslbact.dll
07.01.2006 13:21 237ÿ294 jtns0757e.dll

Here are a few extra tools for your preventative armory.
To save me rereading your post again, excuse any duplication.

Extract from link below, I use Avast myself.
http://www.avast.com/i_idt_153.html
http://www.avast.com/iavs4pro/setupeng.exe
Reregister after 14 months free use ( Still stays free )
http://www.avast.com/i_kat_207.php?lang=ENG
Home edition is a full-featured antivirus package designed for home usage. Our company offers Home Edition free of charge.
"By combining the free AVG anti-virus scanner, the free version of Ewido anti-Trojan scanner and the free Microsoft Antispyware scanner, I managed to achieve a 95% detection rate against a particularly nasty set of 104 assorted malware products that I had downloaded from P2P networks."
By combining the free AVG anti-virus scanner, the free version of Ewido anti-Trojan scanner and the free Microsoft Antispyware scanner, I managed to achieve a 95% detection rate against a particularly nasty set of 104 assorted malware products that I had downloaded from P2P networks.
Ewido Security Suite Setup: Version 3.5
http://rstones12.geekstogo.com/ewidosetup.htm
http://www.techsupportalert.com/issues/issue122.htm
http://www.techsupportalert.com/issues/issue123.htm
http://www.techsupportalert.com/best_46_free_utilities.htm
http://www.techsupportalert.com/issues/back_issues.htm
Trojan and Spyware Tool -- Ewido Security Suite
http://georgeh123.blogspot.com/2005/09/trojan-and-spyware-tool-ewido-security.html
Microsoft Antispyware
http://www.majorgeeks.com/download4466.html

============================================

SpyBot
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/SpyBotSearch-Destroy.shtml
http://www.safer-networking.org/en/index.html
http://beam.to/spybotsd
Update from MajorGeeks if unable to get from Spybot > Spybot Search and Destroy Detection Update
http://majorgeeks.com/
Bad Checksum message
http://www.safer-networking.org/en/faq/20.html
Once you have the program installed, open SpyBot, Select > Mode > Advanced ( menu at the top, gives you more options ) then select the "Immunize" icon on the left & Click on Immunize ( the green icon up the top ) in the new page. Repeat this process every time you Update, unless you get a message that everything is blocked.
Tick > Enable permanent blocking of bad addresses in Internet Explorer & Select > Block all bad pages silently.
Select your download site.
Open Spybot Search and Destroy. After clicking the button that says "Search for Updates" & the check is finished, you will see 5 items near the top of the window, "Search for Updates", "Download Updates", UniDo(Europe), "Show Log" and "Help". Next to UniDo(Europe) you will see a "down" arrow. Click the "down" arrow and you will see download site choices (3 in Europe, 1 in USA and 1 in Australia). Right click on your selection to make it default.
A Beginner's Guide to Spybot
http://www.trincoll.edu/depts/cc/documentation/security/spyware/Spybot_guide.htm
http://tomcoyote.org/SPYBOT/index1.php
http://tomcoyote.org/SPYBOT/index2.php
What the Heck is Teatimer?
http://www.voiceofthepublic.com/SSD/SI/teatimer.swf.html
Tea Timer info
http://forums.net-integration.net/index.php?showtopic=13433
http://www.wilderssecurity.com/showthread.php?t=32276
http://www.wilderssecurity.com/showthread.php?t=32034
SpyBot lock host files greyed out.
If it doesn't have a hosts file you cant lock it, so that tweak will be grayed out.
Have SpyBot install its hosts file.
http://www.zerosrealm.com/immunizing.php

SpywareBlaster
http://www.wilderssecurity.net/spywareblaster.html
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.

========================================

NetDetox
http://www.netdetox.com/
95/98/NT/ME/2000/XP/2003
Never see another ad again Blocks unwanted pop-ups Prevent infection by spyware Surf Faster Fully Compatible with Windows 95 or later Automatic Free Updates. Prevents spyware infection and stops spyware from phoning home Blocks ads and unwanted pop-ups No configuration required - just install and then let it work its magic Automatically downloads updates silently in the background

=======================================

CCleaner
http://www.ccleaner.com/
CCleaner, one advantage of this cleaner is, when Issues is clicked & the boxes ticked, it will tell you before you fix ( doing one file at a time ) why the file is there.
Configure the Windows, Applications & Issues panels to suit.

=======================================

RegSeeker
http://www.hoverdesk.net/freeware.htm
RegSeeker is a perfect companion for your Windows regsitry!
RegSeeker includes a powerful registry cleaner and can display various informations like your startup entries, several histories (even index.dat files), installed applications and much more! With RegSeeker you can search for any item inside your registry, export/delete the results, open them in the registry. RegSeeker also includes a tweaks panel to optimize your OS! RegSeeker is FREE for personal use only!
Click on Clean the Registry & tick ( new version 1.45 has this already ticked > Scan Drives for old exe entries in the registry. Click OK.
My personal use, is to, delete only the Green entries.
Click on Select All and choose > Select all Green items.
Right click to delete.

=========================================

Binman
http://steveseymour.0catch.com/
http://anothermirror.tripod.com/free.htm
Seeks out the rubbish left behind by other programs. Use regularly it will save space. It can auto run at times set by you. Cleans automatically at boot up.

Or, ( dos'nt hurt to use both )

XP
Auto Delete Temporary Folder
http://www.tweakxp.com/display.aspx?id=2021

First go into gpedit.msc ( only available in the Pro version of XP )

Start > Run, type in > gpedit.msc & press Enter.

Next select -> Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Temporary Folder

Then right click "Do Not Delete Temp Folder Upon Exit"

Go to properties and hit disable.

Now next time Windows puts a temp file in that folder it will automatically delete it when its done!

====================================

Port Monster
http://www.portmonster.com/
Worried about Hackers? Viruses? Port Probes? Trojan Horses? Well, now you don't have to worry anymore. With Port Monster, you can not only be protected from Internet offenses and attacks, but also, you can know for sure if anyone is trying to connect to your computer. Get your copy today for free!

Hi,
I've gotten the virus/trojan VX2.Look2Me in my computer.
I've runned Hijack This, and this is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:03 AM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
D:\WINDOWS\services.exe
D:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\TEMP\YJB813.EXE
D:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
D:\Program Files\Sify Broadband\BBImpSec.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\WordWeb\wweb32.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
D:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
D:\Program Files\Sify Broadband\BBClient.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJK\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SifyBB] D:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://D:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://D:\Program Files\Offline Explorer\Add_UrlO.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FA57A80-575C-4645-9D4C-DC1A02C3D9F9}: NameServer = 202.144.10.50,202.144.66.6
O20 - Winlogon Notify: RunOnceEx - D:\WINDOWS\system32\j00s0ad7ed0.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - D:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - D:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Microsoft Windows HelpFile (Windows Helpfile) - Unknown owner - D:\WINDOWS\services.exe

And this is the log from L2Mfix:

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\j00s0ad7ed0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{178BEB9E-84C0-9179-70FA-F9D98B09982B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Sh