
[IN PROGRESS] Help in Cleaning the PC from Malware
esjay02

Trooper


Joined: Dec 23, 2005
Posts: 24
Location: Philippines

PostPosted: Sat Feb 18, 2006 3:11 am    Post subject: Help in Cleaning the PC from Malware

Recently, I have been experiencing unwanted pop-ups in both Firefox and IE. There are also some cases of freeprod and mc-110-12-0000206 popping up in the C drive and on the desktop. I've already tried CastleCops' Malware Removal and Prevention but the malware is still popping up.

Please help me with cleaning my PC from these.


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:56 AM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\snmpapi\install.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\snmpapi\msacm32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\crss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\WINDOWS\System32\winxpstats.exe
C:\windows\winsysban9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Documents and Settings\Family room\Desktop\walang gagalaw nito II\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBStore\DSS\dssagent.exe
O4 - HKLM\..\Run: [WindowsUpdatecrss] crss.exe
O4 - HKLM\..\Run: [newupdate32] SysWsc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [internet Monitoring service] winxpstats.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\RunServices: [internet Monitoring service] winxpstats.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\l0j8la1u1d.dll
O23 - Service: 32bit Printer Driver - Unknown owner - C:\WINDOWS\system32\snmpapi\install.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: commdlg (commdlg32) - Unknown owner - C:\WINDOWS\commdlg32.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - C:\WINDOWS\csr.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: msacm32 - Unknown owner - C:\WINDOWS\system32\snmpapi\install.exe
O23 - Service: MsLX32 - Unknown owner - C:\WINDOWS\MsLX32.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\system32\Wmsngr.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)


Hope you guys'll help me with this. Thank you!

Yellowhammer

Site Moderator
Microsoft MVP

Joined: Jan 30, 2004
Posts: 18022


PostPosted: Sat Feb 18, 2006 1:44 pm    Post subject:

The infections you have are due to one primary reason. You are not keeping your system updated. You must get Windows XP SP2 and all subsequent critical updates from the Windows Update site and do so routinely or you are doomed to keep having these infections. That is the single most important thing you can do to protect your system. Wait until we are done because some of these infections are designed to keep you from updating.

First do the following,

Download the latest version of Look2Me-Remover.exe to your desktop.


    * Close all windows before continuing.
    * Double-click Look2Me-Remover.exe to run it.
    * Put a check next to Run this program as a task.
    * You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
    * When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    * Once it's done scanning, click the Remove L2M button.
    * You will receive a Done Scanning message, click OK.
    * When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
    * Your computer will then shutdown.
    * Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Then,,

Download the following programs.

Killbox HERE and put it on your desktop

CCleaner HERE and install it.

Ewido security suite HERE

    1. After the download is complete, double click on the file to launch the install process.
    2. During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
    3. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
    4. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
    5. Close Ewido.

Then,,

    Reboot into Safe Mode:
    Turn on the computer.
    Immediately begin tapping the F8 key (or F5 on some computers)
    Use the arrow keys to highlight Safe Mode and press the Enter key.

When your computer is booted into Safe Mode, then continue.

    Now Click Start>> Run>> Type in Services.msc and Click OK!

    Scroll that list and locate each of the following services. When you find each one, right click on it and select "Properties">> Click "Stop">> Go up and Change the "Startup Type" to "Disabled"

    32bit Printer Driver
    commdlg
    Client Server Runtime Service
    fwnet64
    msinit
    msacm32
    MsLX32
    netconf32
    Performance True Type Fonts
    Remote Procedure Call (RPC) Monitoring
    Win32Sr

    Now Click Start>> Run>> Copy&Paste each command below into the Open box, one at a time and Click OK! If you get an error message ignore it and go to the next line.

    sc delete "32bit Printer Driver"
    sc delete commdlg32
    sc delete csrss32
    sc delete fwnet
    sc delete "Microsoft Scheduling Agent"
    sc delete msacm32
    sc delete MsLX32
    sc delete netconf32
    sc delete PerfFont
    sc delete Rpcmon
    sc delete Win32Sr

Then,,

    Close all windows and Scan with hijackthis. Place a check mark next to each of the following that are still listed and click the "Fix Checked" button.

      O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBStore\DSS\dssagent.exe
      O4 - HKLM\..\Run: [WindowsUpdatecrss] crss.exe
      O4 - HKLM\..\Run: [newupdate32] SysWsc.exe
      O4 - HKLM\..\Run: [internet Monitoring service] winxpstats.exe
      O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
      O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
      O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
      O4 - HKLM\..\RunServices: [Windows Security Protocol] win32sprot.exe
      O4 - HKLM\..\RunServices: [internet Monitoring service] winxpstats.exe
      O4 - HKCU\..\Run: [Windows Security Protocol] win32sprot.exe

      O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\l0j8la1u1d.dll

      O23 - Service: 32bit Printer Driver - Unknown owner - C:\WINDOWS\system32\snmpapi\install.exe
      O23 - Service: commdlg (commdlg32) - Unknown owner - C:\WINDOWS\commdlg32.exe (file missing)
      O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - C:\WINDOWS\csr.exe (file missing)
      O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
      O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
      O23 - Service: msacm32 - Unknown owner - C:\WINDOWS\system32\snmpapi\install.exe
      O23 - Service: MsLX32 - Unknown owner - C:\WINDOWS\MsLX32.exe (file missing)
      O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
      O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
      O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\system32\Wmsngr.exe (file missing)
      O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)


Then,,

    Open CCleaner.

    Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

    Then open it and select the items you wish to clean up.

    In the Windows Tab:

    I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
    Clean all the entries in the "Windows Explorer" section
    Clean all entries in the "System" section
    Clean all entries in the "Advanced" section.

    In the Applications Tab:

    Clean all except cookies in the Firefox/Mozilla section if you use it.
    Clean all in the Opera section if you use it.
    Clean Sun Java in the Internet Section.
    Clean any others that you choose.

    Then click the "Run Cleaner" button

Then,,

    Open Ewido

    1. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
    2. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
    3. On the main screen, please select 'Complete System Scan' and the scan should begin.
    4. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
    5. When the scan is complete, click "Save Report". Your scan results will be saved in a text file. Please submit that with your next post.

    If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions from step #3 again.

    Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

    If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

    Now close ewido security suite.

Then,,

    Open killbox.exe.

    First

    Click on Tools>Delete Temp Files

    A box will open with a list of all user profiles.

    Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

    Temporary Internet Files
    Temp Files
    XP Prefetch

    If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

    Then,,

    Click on the Button titled "Delete Selected Temp Files"

    Exit by clicking the Button titled "Exit(Save Settings)"

    Once back into the main killbox program.

    Check the following boxes:

    Delete on Reboot

    Highlight all the entries in the quote box below and then Copy them.
    Quote:

    C:\WINDOWS\system32\crss.exe
    C:\WINDOWS\system32\SysWsc.exe
    C:\WINDOWS\System32\winxpstats.exe
    C:\windows\winsysban9.exe
    C:\windows\winsysupd9.exe
    C:\Program Files\Network\ipnetwork.exe
    C:\WINDOWS\system32\win32sprot.exe
    C:\WINDOWS\system32\l0j8la1u1d.dll
    C:\WINDOWS\system32\snmpapi\install.exe
    C:\WINDOWS\commdlg32.exe
    C:\WINDOWS\csr.exe
    C:\WINDOWS\fwnet64.exe
    C:\WINDOWS\msinit.exe
    C:\WINDOWS\MsLX32.exe
    C:\WINDOWS\netconf32.exe
    C:\WINDOWS\System32\perfont.exe
    C:\WINDOWS\system32\Wmsngr.exe
    C:\WINDOWS\win32ssr.exe

    Then in killbox click File>>Paste from Clipboard

    At this point the "All Files" button should be enabled so you can click it.

    Click the "All Files" button.

    Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes

    A second message will ask to Reboot now? you will need to click Yes to allow the reboot.

    Note: Killbox will let you know if a file does not exist.

    If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No until the last one, at which time you click Yes to allow the reboot.

After the reboot,

Download the file HERE and unzip it to your desktop. When unzipped it will be named find_Stuff.bat. Double click to run it. It will generate a folder named "files". In that folder will be a file named look1.txt. Copy and paste the contents of that into your reply.

Post all the following into your reply.

A fresh hijackthis log
The report from ewido.
The contents of C:\Look2Me-Remover.txt from the first step
The look1.txt from the last step


_________________
Yellowhammer
MS-MVP Security 2005/2006

How to prevent Reinfection
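As an added triage example (it is not part of this thread and not HijackThis's own code), the Python below applies the cues a helper reads such a log by: an O4 entry whose command is a bare file name with no path, the Win9x-era RunServices key, an O23 service with "Unknown owner" or a missing binary, names that imitate core Windows processes (crss.exe and csrss32 beside the real csrss.exe), a Winlogon Notify DLL with a random-looking name, and DNS servers set in the registry (O17). The sample lines are copied from the two logs in this thread; the list of imitated process names, the 0.75 similarity cutoff and the letter/digit threshold are my own assumptions.

```python
"""Triage cues for HijackThis v1.99 log lines (added example; thresholds are my own)."""
import difflib
import re

# Core Windows process names that malware commonly imitates (e.g. crss.exe vs csrss.exe). Assumed list.
SYSTEM_NAMES = ["smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "rundll32"]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")

# Constructed sample: a handful of lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsUpdatecrss] crss.exe
O4 - HKLM\..\RunServices: [Windows Security Protocol] win32sprot.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000206.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\l0j8la1u1d.dll
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - C:\WINDOWS\csr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{032D5287-D5BB-4BBA-A985-076AF2EB7670}: NameServer = 58.69.254.43 203.84.191.216
"""


def base_name(path: str) -> str:
    """Lower-case file stem of a command or service path ('...csr.exe (file missing)' -> 'csr')."""
    path = path.replace("(file missing)", "").strip().strip('"')
    tail = path.rsplit("\\", 1)[-1].split(" ")[0]
    return tail.rsplit(".", 1)[0].lower()


def lookalike(name: str):
    """Return the system process name that `name` imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    close = difflib.get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.75)  # assumed cutoff
    return close[0] if close else None


def digit_letter_switches(stem: str) -> int:
    """Count letter<->digit transitions; generated names such as l0j8la1u1d score high."""
    return sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())


def triage(log_text: str) -> dict:
    """Map each flagged log line to the list of reasons it deserves a second look."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if m := O4_RE.match(line):
            cmd = m["cmd"].strip()
            if "\\" not in cmd:            # legitimate installers write full paths
                reasons.append("bare file name, no path")
            if m["key"] == "RunServices":  # Win9x-era key, odd on an XP box
                reasons.append("legacy RunServices key in use")
            candidates = [m["label"], base_name(cmd)]
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                reasons.append("service has no vendor/owner")
            if "(file missing)" in m["path"]:
                reasons.append("service binary missing on disk")
            short = re.search(r"\(([^()]+)\)$", m["name"])  # short name in parentheses, if any
            candidates = [short.group(1) if short else m["name"], base_name(m["path"])]
        elif m := O20_RE.match(line):
            candidates = []
            if digit_letter_switches(base_name(m["path"])) >= 4:  # assumed threshold
                reasons.append("Winlogon Notify DLL with random-looking name")
        elif m := O17_RE.match(line):
            candidates = []
            reasons.append(f"DNS servers set in registry ({m['servers'].strip()}); confirm they are your ISP's")
        else:
            continue
        for cand in candidates:
            hit = lookalike(cand)
            if hit and f"lookalike of {hit}.exe" not in reasons:
                reasons.append(f"lookalike of {hit}.exe")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for r in why:
            print("   ->", r)
```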
esjay02

Trooper


Joined: Dec 23, 2005
Posts: 24
Location: Philippines

PostPosted: Sun Feb 19, 2006 4:16 am    Post subject:

Thank you for taking the time to help me.

Here are the logs after I did the procedures you told me to do:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:48 PM, on 2/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Documents and Settings\Family room\Desktop\walang gagalaw nito II\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000206.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{032D5287-D5BB-4BBA-A985-076AF2EB7670}: NameServer = 58.69.254.43 203.84.191.216
O17 - HKLM\System\CS3\Services\Tcpip\..\{032D5287-D5BB-4BBA-A985-076AF2EB7670}: NameServer = 58.69.254.43 203.84.191.216
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:52:10 AM, 2/19/2006
+ Report-Checksum: 700F17C2

+ Scan result:

HKU\S-1-5-21-1547161642-2052111302-725345543-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Family room\Application Data\Mozilla\Firefox\Profiles\d2uom7tk.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Family room\Cookies\family room@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Family room\Desktop\walang gagalaw nito II\backups\backup-20060218-105221-721.dll -> Adware.Softomate : Cleaned with backup
C:\Documents and Settings\Family room\lup.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000206.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\mc-110-12-0000206.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Windows\__delete_on_reboot__services32.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Network\__delete_on_reboot__ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\int_ver34.ocx -> Dialer.VB.j : Cleaned with backup
C:\WINDOWS\system32\bot.exe -> Backdoor.Rbot.aht : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G1U30TU3\rp5[1].exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_28244.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_30433.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_35163.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_44403.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_56874.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_56887.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_57847.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_72281.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_74516.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_77110.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_77637.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_78660.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\irlul5391.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k8no0i53e8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ksdgr.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mswindtc.exe -> Trojan.Crypt.d : Cleaned with backup
C:\WINDOWS\system32\myiqtz32.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oqffilt.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\phr.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINDOWS\system32\q068laju1do8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\win32ssr.exe -> Backdoor.SdBot.ale : Cleaned with backup
C:\WINDOWS\system32\win33.exe -> Backdoor.Rbot : Cleaned with backup


::Report End


Look2Me-Remover:


Look2Me-Destroyer V1.0.5

Scanning for infected files.....
Scan started at 2/19/2006 10:38:04 AM

Infected! C:\WINDOWS\system32\k8no0i53e8.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032626.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032636.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032643.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032661.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032682.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032704.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032715.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032736.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032746.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032792.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032845.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032846.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0033801.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034804.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034809.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034836.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035649.dll
Infected! C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035656.dll
Infected! C:\WINDOWS\system32\dn2u01f9e.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k8no0i53e8.dll
C:\WINDOWS\system32\k8no0i53e8.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032626.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032626.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032636.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032636.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032643.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032643.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032661.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032661.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032682.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032682.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032704.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032704.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032715.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032715.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032736.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032736.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032746.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032746.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032792.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032792.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032845.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032845.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032846.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0032846.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0033801.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP53\A0033801.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034804.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034804.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034809.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034809.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034836.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP54\A0034836.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035649.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035649.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035656.dll
C:\System Volume Information\_restore{12B802B7-EBCA-4D5A-811D-7069E1DD3A85}\RP56\A0035656.dllcould not be deleted!

Attempting to delete: C:\WINDOWS\system32\dn2u01f9e.dll
C:\WINDOWS\system32\dn2u01f9e.dllcould not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B3DCBB5C-01B5-4176-ACDB-3BA4ADF5E543}"
HKCR\Clsid\{B3DCBB5C-01B5-4176-ACDB-3BA4ADF5E543}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


look1.txt:

doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:2b,fe,f8,74,4b,74,48,42,91,5a,d5,f5,5c,c8,f1,7d
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"ethernet"="msfpc.exe"
"MediaP"="BSDMPlyr32.exe"
"Service"="ccApp.exe"
"BnCtest2"="lfxss.exe"
"Sonytest"="jswTss.exe"
"internet service"="ssvhoost94.exe"
"ServicesLog2"="MScdDriverLK872.exe"
"internet Monitoring service"="winxpstats.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Messenger"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start."
"DependOnService"=hex(7):52,50,43,53,53,00,00
"DisplayName"="Remote Registry"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,4c,6f,63,61,6c,53,65,72,\
76,69,63,65,00
"ObjectName"="NT AUTHORITY\\LocalService"
"Group"=""
"Start"=dword:00000004
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,72,65,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,32,5c,\
74,6c,6e,74,73,76,72,2e,65,78,65,00
"DisplayName"="Telnet"
"DependOnService"=hex(7):52,50,43,53,53,00,54,43,50,49,50,00,4e,54,4c,4d,53,53,\
50,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"=hex(2):45,6e,61,62,6c,65,73,20,61,20,72,65,6d,6f,74,65,20,75,73,\
65,72,20,74,6f,20,6c,6f,67,20,6f,6e,20,74,6f,20,74,68,69,73,20,63,6f,6d,70,\
75,74,65,72,20,61,6e,64,20,72,75,6e,20,70,72,6f,67,72,61,6d,73,2c,20,61,6e,\
64,20,73,75,70,70,6f,72,74,73,20,76,61,72,69,6f,75,73,20,54,43,50,2f,49,50,\
20,54,65,6c,6e,65,74,20,63,6c,69,65,6e,74,73,2c,20,69,6e,63,6c,75,64,69,6e,\
67,20,55,4e,49,58,2d,62,61,73,65,64,20,61,6e,64,20,57,69,6e,64,6f,77,73,2d,\
62,61,73,65,64,20,63,6f,6d,70,75,74,65,72,73,2e,20,49,66,20,74,68,69,73,20,\
73,65,72,76,69,63,65,20,69,73,20,73,74,6f,70,70,65,64,2c,20,72,65,6d,6f,74,\
65,20,75,73,65,72,20,61,63,63,65,73,73,20,74,6f,20,70,72,6f,67,72,61,6d,73,\
20,6d,69,67,68,74,20,62,65,20,75,6e,61,76,61,69,6c,61,62,6c,65,2e,20,49,66,\
20,74,68,69,73,20,73,65,72,76,69,63,65,20,69,73,20,64,69,73,61,62,6c,65,64,\
2c,20,61,6e,79,20,73,65,72,76,69,63,65,73,20,74,68,61,74,20,65,78,70,6c,69,\
63,69,74,6c,79,20,64,65,70,65,6e,64,20,6f,6e,20,69,74,20,77,69,6c,6c,20,66,\
61,69,6c,20,74,6f,20,73,74,61,72,74,2e,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MSI_Place_holder"="\"9x Msi uninstaller fix\""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,6e,77,70,72,6f,76,61,75,\
00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000308
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:6b,a8,28,f0,67,b7,06,c6,1f,04,f0,d1,42,f6,2f,89,35,34,32,64,31,\
63,35,35,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,a4,97,ad,2a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:95,bd,9a,fe,c7,79,e5,16,df

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:2c,91,a8,df,6a,a7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:dc,05,86,4e,1c,b8,2e,e0,25,b4,c4,b1,67,1b,b5,6c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d8,5c,1f,05,02,fb,c5,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,cd,02,d0,ca,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,58,14,88,2b,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,35,8c,d9,ca,4e,c2,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000


There, that's it. Thanks again!

Yellowhammer

Site Moderator
Microsoft MVP

Joined: Jan 30, 2004
Posts: 18022

1st Responder Mentors MIRT Moderators MVP Premium Security Experts Team F@H

PostPosted: Sun Feb 19, 2006 12:43 pm    Post subject:

That looks much better. Fix the following with HijackThis.

O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)

O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000206.exe

O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

Then we need to reverse the changes made by the viruses and trojans you had.

Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it remove.reg.
Double click on the remove.reg file and grant it permission to add the registry entries.

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=-
"Start"=dword:00000002

[-HKEY_CURRENT_USER\Software\Microsoft\OLE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=-
"Start"=dword:00000002

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"=-
"EnableDCOM"="Y"
"MSI_Place_holder"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymoussam"=-
"restrictanonymoussam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

Then you need to clear your system restore points.

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

To turn off System Restore

    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.

System Restore will work again.

Then post a fresh HijackThis log and let me know how things are running.

Then you must get the High Priority updates from Windows Update. Get SP2 and all subsequent updates.


_________________
Yellowhammer
MS-MVP Security 2005/2006

How to prevent Reinfection
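A check for the settings the remove.reg fix above reverses, as an added example that is not from this thread or from any tool it mentions: a small Python script that parses a REGEDIT4 export such as the look1.txt output posted earlier and flags the values the fix restores (the firewall policy forced off, the Security Center and Remote Registry services set to disabled, the DoNotAllowXPSP2 policy, EnableDCOM=N, and executables listed under HKCU\Software\Microsoft\OLE). The sample export embedded in it is constructed from the keys shown in the thread, with the Messenger ServiceDll value included only to show hex(2) continuation-line decoding; the function names and finding strings are my own, and the parser handles only the REGEDIT4 (ANSI) format, not the Version 5.00 (UTF-16) format.

```python
"""Audit a REGEDIT4 export for the tampering undone by remove.reg (added example)."""
import re

# Constructed sample input modelled on the look1.txt export in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"ethernet"="msfpc.exe"
"Service"="ccApp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
'''

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')


def _decode_value(rhs):
    """Turn the right-hand side of a .reg value line into (kind, value)."""
    if rhs.startswith('dword:'):
        return ('dword', int(rhs[6:], 16))
    if rhs.startswith('"') and rhs.endswith('"'):
        # .reg strings escape backslash and double quote with a backslash.
        return ('string', re.sub(r'\\(.)', r'\1', rhs[1:-1]))
    m = _HEX_RE.match(rhs)
    if m:
        kind = 'hex' if m.group(1) is None else 'hex(%s)' % m.group(1)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) in ('2', '7'):
            # REGEDIT4 stores REG_EXPAND_SZ / REG_MULTI_SZ as NUL-terminated ANSI bytes.
            parts = [p for p in data.decode('latin-1').split('\x00') if p]
            return (kind, (parts[0] if parts else '') if m.group(1) == '2' else parts)
        return (kind, data)
    return ('raw', rhs)


def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}} from a REGEDIT4 export."""
    logical, pending = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):          # continuation line: join with the next one
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ''
    keys, current = {}, None
    for line in logical:
        if not line or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else '@'] = _decode_value(m.group(2))
    return keys


def audit(keys):
    """List the settings that match what remove.reg in the thread reverses."""
    findings = []
    get = lambda key, name: keys.get(key, {}).get(name)
    for profile in ('StandardProfile', 'DomainProfile'):
        v = get(r'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\%s' % profile, 'EnableFirewall')
        if v is not None and v[1] == 0:
            findings.append('firewall forced off by policy: %s' % profile)
    for svc in ('wscsvc', 'RemoteRegistry'):   # Start=4 is SERVICE_DISABLED; the fix sets 2
        v = get(r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s' % svc, 'Start')
        if v is not None and v[1] == 4:
            findings.append('service disabled: %s' % svc)
    if get(r'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate', 'DoNotAllowXPSP2') is not None:
        findings.append('WindowsUpdate policy DoNotAllowXPSP2 present')
    v = get(r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole', 'EnableDCOM')
    if v is not None and str(v[1]).upper() == 'N':
        findings.append('DCOM disabled (EnableDCOM=N)')
    # The fix deletes HKCU\Software\Microsoft\OLE outright; flag any .exe names it lists.
    for name, (kind, value) in keys.get(r'HKEY_CURRENT_USER\Software\Microsoft\OLE', {}).items():
        if kind == 'string' and value.lower().endswith('.exe'):
            findings.append('unexpected executable under HKCU OLE: %s=%s' % (name, value))
    return findings


def audit_text(text):
    """Parse an export and return its findings in one call."""
    return audit(parse_reg(text))


if __name__ == '__main__':
    for finding in audit_text(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real export by reading the file with the `cp1252` codec and passing the text to `audit_text`; an empty list means none of the settings the fix targets are present.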
esjay02

Trooper


Joined: Dec 23, 2005
Posts: 24
Location: Philippines

PostPosted: Sun Feb 19, 2006 3:24 pm    Post subject:

Thanks again!

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:02 PM, on 2/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family room\Desktop\walang gagalaw nito II\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Haven't downloaded and installed the Windows Updates yet. I want to make sure that this PC is really clean first.

Thanks again!

esjay02

Trooper


Joined: Dec 23, 2005
Posts: 24
Location: Philippines

PostPosted: Sun Feb 19, 2006 4:10 pm    Post subject:

Oh and by the way, the PC's doing fairly fine right now. There aren't any pop-ups anymore and the freeprod icons have stopped appearing. I hope it's really clean this time.

Yellowhammer

Site Moderator
Microsoft MVP

Joined: Jan 30, 2004
Posts: 18022

1st Responder Mentors MIRT Moderators MVP Premium Security Experts Team F@H

PostPosted: Sun Feb 19, 2006 4:14 pm    Post subject:

It does appear to be clean now.


_________________
Yellowhammer
MS-MVP Security 2005/2006

How to prevent Reinfection
esjay02

Trooper


Joined: Dec 23, 2005
Posts: 24
Location: Philippines

PostPosted: Tue Feb 21, 2006 6:29 am    Post subject:

I just tried to download and install the latest updates and the high priority updates from Microsoft, but the installation failed. What should I do? Does it have something to do with the malware in the system?

Yellowhammer

Site Moderator
Microsoft MVP

Joined: Jan 30, 2004
Posts: 18022