Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HELP - POPUP h*** - MELTDOWN PENDING


  • This topic is locked This topic is locked

#1
chadsmom

chadsmom

    New Member

  • Member
  • Pip
  • 5 posts
:tazz:

I use my computer for work and made the mistake of letting my 7-year-old play a game on the internet - needless to say - I did not watch him as closely as I should have and now I have popup h***.

I have tried running virus scan, AdAware, Spybot S & D to no avail.

Keep getting popups from loadingwebsite and nyc1 and a bunch more.

I also keep getting trojan warnings for a Downloader-VG from McAfee. It says that it has cleaned and deleted the file - but then just keeps popping up again and again and again to the point that it is now just a "permanent part of my desktop".

I thought that maybe the trojan file was in system restore - so I turned off sytem restore - rebooted in safe mode and ran virus scan, AdAware and Spybot S&D again, and then rebooted again, but still there. Little bugger!!!!!!

I have searched, between popups, and tried to find a similar solution, but nothing seems to quite match what I "have".

Here is my HJT log - I certainly hope that someone can help me - if not - looks like I will be spending the next wiping everything out and starting over from scratch. This log is just after a reboot before posting.

Thanks so much in advance. ................and yes - I have ordered a computer just for the children................

Best!

Logfile of HijackThis v1.99.1
Scan saved at 10:32:14, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BLUEXENON\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\Mbrpmw.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\system\qhcflqq.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system32\sflaacj.exe
C:\windows\system32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Gateway User\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [YPager.exe] C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Pqgmrf.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Mbrpmw.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - Trusted Zone: www.lancome.com
O15 - Trusted Zone: http://www.pokerroom.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Btax1099miscy4 - http://www.taxsoftwa...x1099miscy4.CAB
O16 - DPF: BtaxBase - http://www.taxsoftwa...om/BTAXBase.CAB
O16 - DPF: BtaxFIREy3 - http://www.taxsoftwa.../BtaxFIREy4.CAB
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.co...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.po...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.c...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.co...1-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} (QuickBooks Online Edition Import Utilities Class v3) - https://accounting.q...04/qboimax3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.q....271/qboax7.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...421/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: UPnP - C:\WINDOWS\system32\q4rqle951h.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi chadsmom

Welcome to or forum ;)

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Kc :tazz:
  • 0

#3
chadsmom

chadsmom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok - thanks so much for taking the time to help me out!!

Here is the log from Option #1

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmgr32]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l8n4li5q18.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0A9F7617-BBB8-4E84-8A55-541B4D03BB4F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"=""
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{80646FCE-E39F-11D2-B5C9-0050041B7FF6}"="XFShellExtention Class"
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{66904C5C-51EA-4734-AF17-B6AF9242D228}"=""
"{6ec2e0e3-1116-4d47-b0c2-5bdaf4e4c308}"="eFax Messenger Plus - Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
@="Compressed Folder Right Drag Handler"

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
@="Compressed Folder SendTo Target"
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,7a,00,69,00,70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,31,00,30,00,32,00,32,00,36,00,00,00
"NeverShowExt"=""
"NoOpen"="Drag Files onto this icon to compress them."
"EditFlags"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon]
@="C:\\WINDOWS\\SYSTEM32\\ZIPFLDR.DLL"

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx]

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx\DropHandler]
@="{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
nyshrui.dll Sun Jan 16 2005 6:49:46p ..S.R 225,872 220.58 K
capicom.dll Tue Dec 14 2004 12:24:42p A.... 466,944 456.00 K
imrnonce.dll Wed Feb 9 2005 1:25:26p ..S.R 223,983 218.73 K
h20qlc~1.dll Sat Feb 12 2005 1:14:40a ..S.R 225,485 220.20 K
bwprnmon.dll Fri Jan 21 2005 12:05:36p A.... 27,648 27.00 K
mbricons.dll Mon Feb 7 2005 7:21:44a ..S.R 222,805 217.58 K
srvsvc.dll Tue Dec 7 2004 2:34:38p A.... 79,872 78.00 K
user32.dll Tue Dec 28 2004 8:31:44p A.... 574,464 561.00 K
dnju01~1.dll Sun Feb 27 2005 2:08:58p ..S.R 222,603 217.38 K
rpcss.dll Fri Jan 14 2005 12:33:52a A.... 284,672 278.00 K
pdfmona.dll Wed Jan 19 2005 10:14:16p A.... 98,304 96.00 K
shell32.dll Tue Dec 21 2004 3:55:12p A.... 8,443,904 8.05 M
iepeers.dll Tue Dec 7 2004 11:51:58a A.... 236,032 230.50 K
cjrtmgr.dll Wed Jan 19 2005 10:05:32a ..S.R 225,872 220.58 K
xpsp2res.dll Wed Dec 1 2004 9:46:38a A.... 594,432 580.50 K
lqfax11n.dll Thu Jan 6 2005 10:06:32p A.... 223,232 218.00 K
m0ju0a~1.dll Thu Jan 13 2005 3:08:12a ..S.R 223,058 217.83 K
pdf995~1.dll Wed Jan 19 2005 10:14:16p A.... 50,364 49.18 K
p84uli~1.dll Tue Jan 11 2005 6:20:04a ..S.R 224,942 219.67 K
calsp.dll Fri Jan 7 2005 12:19:06a A.... 135,168 132.00 K
olecnv32.dll Fri Jan 14 2005 12:33:52a A.... 35,328 34.50 K
olecli32.dll Fri Jan 14 2005 12:33:52a A.... 68,608 67.00 K
ole32.dll Fri Jan 14 2005 12:33:52a A.... 1,258,496 1.20 M
hr0q05~1.dll Tue Jan 18 2005 8:30:48a ..S.R 225,872 220.58 K
browseui.dll Tue Dec 7 2004 5:41:16p A.... 1,017,856 994.00 K
cdfview.dll Tue Dec 7 2004 5:43:02p A.... 143,360 140.00 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
shdocvw.dll Tue Dec 7 2004 5:34:48p A.... 1,337,344 1.27 M
shlwapi.dll Tue Dec 7 2004 6:11:50p A.... 402,432 393.00 K
urlmon.dll Tue Dec 7 2004 4:37:46p A.... 495,104 483.50 K
wininet.dll Tue Dec 7 2004 4:37:02p A.... 590,336 576.50 K
nccc79~1.dll Thu Dec 2 2004 5:20:40p A.... 1,843,200 1.76 M
rsedj.dll Sun Feb 27 2005 8:58:58a A.... 98,816 96.50 K
mvrml9~1.dll Sat Feb 12 2005 4:05:56a ..S.R 223,983 218.73 K
mv2sl9~1.dll Mon Jan 31 2005 9:19:38p ..S.R 222,994 217.77 K
hrl405~1.dll Sat Jan 8 2005 8:26:50a ..S.R 223,312 218.08 K
nc69d2~1.dll Thu Dec 2 2004 5:11:34p A.... 315,392 308.00 K
en8ul1~1.dll Mon Jan 10 2005 12:47:00a ..S.R 224,975 219.70 K
ir26l5~1.dll Fri Jan 14 2005 10:00:18a ..S.R 225,675 220.38 K
j04o0a~1.dll Mon Jan 10 2005 12:36:48a ..S.R 225,245 219.96 K
en44l1~1.dll Tue Jan 25 2005 10:48:14p ..S.R 223,063 217.83 K
lvlm09~1.dll Tue Jan 25 2005 10:59:50p ..S.R 225,143 219.86 K
g8040i~1.dll Fri Jan 14 2005 11:14:08p ..S.R 226,280 220.98 K
p6r40g~1.dll Fri Jan 21 2005 12:35:00p ..S.R 225,872 220.58 K
fp6403~1.dll Tue Jan 18 2005 8:34:16a ..S.R 225,872 220.58 K
j64o0g~1.dll Fri Jan 21 2005 4:05:10p ..S.R 225,872 220.58 K
enn4l1~1.dll Wed Jan 26 2005 3:45:36p ..S.R 225,525 220.24 K
u2rulc~1.dll Mon Jan 24 2005 6:55:26a ..S.R 225,872 220.58 K
mdpistub.dll Mon Jan 24 2005 3:15:52p ..S.R 225,872 220.58 K
fp0003~1.dll Thu Feb 10 2005 8:47:14p ..S.R 223,983 218.73 K
j66mlg~1.dll Sat Feb 12 2005 2:26:42a ..S.R 225,149 219.87 K
m6640g~1.dll Wed Jan 26 2005 3:50:06p ..S.R 225,004 219.73 K
xyesl.dll Sun Feb 27 2005 9:19:46a A.... 99,840 97.50 K
f0l02a~1.dll Wed Feb 2 2005 11:42:08p ..S.R 225,004 219.73 K
l62slg~1.dll Tue Feb 8 2005 9:57:44p ..S.R 222,805 217.58 K
t8r8li~1.dll Sat Feb 5 2005 3:28:04p ..S.R 223,033 217.80 K
o0660a~1.dll Sat Feb 5 2005 11:18:28p ..S.R 225,010 219.73 K
l8n4li~1.dll Sun Feb 27 2005 12:18:18p ..S.R 222,603 217.38 K
mvjml9~1.dll Wed Feb 16 2005 4:07:12p ..S.R 225,617 220.33 K
k6pm0g~1.dll Mon Feb 21 2005 2:05:26a ..S.R 225,793 220.50 K
notaud~1.dll Mon Feb 21 2005 2:05:26a ..S.R 225,617 220.33 K
enr8l1~1.dll Mon Feb 21 2005 6:22:28a ..S.R 225,617 220.33 K
e4jm0e~1.dll Mon Feb 21 2005 6:26:44a ..S.R 225,617 220.33 K
n82uli~1.dll Wed Feb 23 2005 7:06:14a ..S.R 225,617 220.33 K
kt42l7~1.dll Fri Feb 25 2005 9:57:06a ..S.R 222,585 217.37 K
aunbho.dll Sun Feb 27 2005 8:34:04a A.... 43,496 42.48 K
aunps.dll Sun Feb 27 2005 8:34:04a A.... 25,600 25.00 K

67 items found: 67 files (39 H/S), 0 directories.
Total of file sizes: 30,561,617 bytes 29.14 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun Feb 27 2005 2:13:34p A.... 222,603 217.38 K

1 item found: 1 file, 0 directories.
Total of file sizes: 222,603 bytes 217.38 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3BA9-E26D

Directory of C:\WINDOWS\System32

02/27/2005 14:08 222,603 dnju0119e.dll
02/27/2005 12:18 222,603 l8n4li5q18.dll
02/25/2005 09:57 222,585 kt42l7ho1.dll
02/23/2005 07:06 225,617 n82ulif9182.dll
02/21/2005 06:26 225,617 e4jm0e11eh.dll
02/21/2005 06:22 225,617 enr8l19u1.dll
02/21/2005 02:05 225,617 NOTAudioEditor.dll
02/21/2005 02:05 225,793 k6pm0g71e6.dll
02/16/2005 16:07 225,617 mvjml9111.dll
02/12/2005 04:05 223,983 mvrml9911.dll
02/12/2005 02:26 225,149 j66mlgj116o.dll
02/12/2005 01:14 225,485 h20qlcd51f0.dll
02/10/2005 20:47 223,983 fp0003dme.dll
02/09/2005 13:25 223,983 imrnonce.dll
02/09/2005 08:29 40,960 Thumbs.db
02/08/2005 21:57 222,805 l62slgf7162.dll
02/07/2005 07:21 222,805 mbricons.dll
02/05/2005 23:18 225,010 o0660ajsedo60.dll
02/05/2005 15:28 223,033 t8r8li9u18.dll
02/02/2005 23:42 225,004 f0l02a3mgd.dll
01/31/2005 21:19 222,994 mv2sl9f71.dll
01/26/2005 15:50 225,004 m6640gjqe6oe0.dll
01/26/2005 15:45 225,525 enn4l15q1.dll
01/25/2005 22:59 225,143 lvlm0931e.dll
01/25/2005 22:48 223,063 en44l1hq1.dll
01/24/2005 15:15 225,872 mDpistub.dll
01/24/2005 06:55 225,872 u2rulc991f.dll
01/21/2005 16:05 225,872 j64o0gh3e64.dll
01/21/2005 12:35 225,872 p6r40g9qe6.dll
01/19/2005 10:05 225,872 cjrtmgr.dll
01/18/2005 08:34 225,872 fp6403jqe.dll
01/18/2005 08:30 225,872 hr0q05d5e.dll
01/16/2005 18:49 225,872 nyshrui.dll
01/14/2005 23:14 226,280 g8040idqe80e0.dll
01/14/2005 10:00 225,675 ir26l5fs1.dll
01/13/2005 03:08 223,058 m0ju0a19ed.dll
01/11/2005 06:20 224,942 p84ulih9184.dll
01/10/2005 00:47 224,975 en8ul1l91.dll
01/10/2005 00:36 225,245 j04o0ah3ed4.dll
01/08/2005 08:26 223,312 hrl4053qe.dll
04/02/2004 14:47 1,104 IpuFmd.017
03/10/2004 20:33 <DIR> Microsoft
03/10/2004 19:52 <DIR> dllcache
41 File(s) 8,807,165 bytes
2 Dir(s) 1,313,849,344 bytes free
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi chadsmom

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Credit: Shadowwar, OSC

Kc :tazz:
  • 0

#5
chadsmom

chadsmom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Okay - Log from Option #2 first:

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Gateway User\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Gateway User\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Gateway User\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1524 'explorer.exe'
Killing PID 1524 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\nyshrui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imrnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h20qlcd51f0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnju0119e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cjrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lqfax11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0ju0a19ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p84ulih9184.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr0q05d5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrml9911.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv2sl9f71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrl4053qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en8ul1l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir26l5fs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j04o0ah3ed4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en44l1hq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlm0931e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8040idqe80e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6r40g9qe6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp6403jqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j64o0gh3e64.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enn4l15q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\u2rulc991f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mDpistub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp0003dme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j66mlgj116o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m6640gjqe6oe0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0l02a3mgd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l62slgf7162.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t8r8li9u18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o0660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvjml9111.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6pm0g71e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NOTAudioEditor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enr8l19u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e4jm0e11eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n82ulif9182.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt42l7ho1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\nyshrui.dll
Successfully Deleted: C:\WINDOWS\system32\nyshrui.dll
deleting: C:\WINDOWS\system32\imrnonce.dll
Successfully Deleted: C:\WINDOWS\system32\imrnonce.dll
deleting: C:\WINDOWS\system32\h20qlcd51f0.dll
Successfully Deleted: C:\WINDOWS\system32\h20qlcd51f0.dll
deleting: C:\WINDOWS\system32\mbricons.dll
Successfully Deleted: C:\WINDOWS\system32\mbricons.dll
deleting: C:\WINDOWS\system32\dnju0119e.dll
Successfully Deleted: C:\WINDOWS\system32\dnju0119e.dll
deleting: C:\WINDOWS\system32\cjrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\cjrtmgr.dll
deleting: C:\WINDOWS\system32\lqfax11n.dll
Successfully Deleted: C:\WINDOWS\system32\lqfax11n.dll
deleting: C:\WINDOWS\system32\m0ju0a19ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0ju0a19ed.dll
deleting: C:\WINDOWS\system32\p84ulih9184.dll
Successfully Deleted: C:\WINDOWS\system32\p84ulih9184.dll
deleting: C:\WINDOWS\system32\hr0q05d5e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0q05d5e.dll
deleting: C:\WINDOWS\system32\mvrml9911.dll
Successfully Deleted: C:\WINDOWS\system32\mvrml9911.dll
deleting: C:\WINDOWS\system32\mv2sl9f71.dll
Successfully Deleted: C:\WINDOWS\system32\mv2sl9f71.dll
deleting: C:\WINDOWS\system32\hrl4053qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrl4053qe.dll
deleting: C:\WINDOWS\system32\en8ul1l91.dll
Successfully Deleted: C:\WINDOWS\system32\en8ul1l91.dll
deleting: C:\WINDOWS\system32\ir26l5fs1.dll
Successfully Deleted: C:\WINDOWS\system32\ir26l5fs1.dll
deleting: C:\WINDOWS\system32\j04o0ah3ed4.dll
Successfully Deleted: C:\WINDOWS\system32\j04o0ah3ed4.dll
deleting: C:\WINDOWS\system32\en44l1hq1.dll
Successfully Deleted: C:\WINDOWS\system32\en44l1hq1.dll
deleting: C:\WINDOWS\system32\lvlm0931e.dll
Successfully Deleted: C:\WINDOWS\system32\lvlm0931e.dll
deleting: C:\WINDOWS\system32\g8040idqe80e0.dll
Successfully Deleted: C:\WINDOWS\system32\g8040idqe80e0.dll
deleting: C:\WINDOWS\system32\p6r40g9qe6.dll
Successfully Deleted: C:\WINDOWS\system32\p6r40g9qe6.dll
deleting: C:\WINDOWS\system32\fp6403jqe.dll
Successfully Deleted: C:\WINDOWS\system32\fp6403jqe.dll
deleting: C:\WINDOWS\system32\j64o0gh3e64.dll
Successfully Deleted: C:\WINDOWS\system32\j64o0gh3e64.dll
deleting: C:\WINDOWS\system32\enn4l15q1.dll
Successfully Deleted: C:\WINDOWS\system32\enn4l15q1.dll
deleting: C:\WINDOWS\system32\u2rulc991f.dll
Successfully Deleted: C:\WINDOWS\system32\u2rulc991f.dll
deleting: C:\WINDOWS\system32\mDpistub.dll
Successfully Deleted: C:\WINDOWS\system32\mDpistub.dll
deleting: C:\WINDOWS\system32\fp0003dme.dll
Successfully Deleted: C:\WINDOWS\system32\fp0003dme.dll
deleting: C:\WINDOWS\system32\j66mlgj116o.dll
Successfully Deleted: C:\WINDOWS\system32\j66mlgj116o.dll
deleting: C:\WINDOWS\system32\m6640gjqe6oe0.dll
Successfully Deleted: C:\WINDOWS\system32\m6640gjqe6oe0.dll
deleting: C:\WINDOWS\system32\f0l02a3mgd.dll
Successfully Deleted: C:\WINDOWS\system32\f0l02a3mgd.dll
deleting: C:\WINDOWS\system32\l62slgf7162.dll
Successfully Deleted: C:\WINDOWS\system32\l62slgf7162.dll
deleting: C:\WINDOWS\system32\t8r8li9u18.dll
Successfully Deleted: C:\WINDOWS\system32\t8r8li9u18.dll
deleting: C:\WINDOWS\system32\o0660ajsedo60.dll
Successfully Deleted: C:\WINDOWS\system32\o0660ajsedo60.dll
deleting: C:\WINDOWS\system32\mvjml9111.dll
Successfully Deleted: C:\WINDOWS\system32\mvjml9111.dll
deleting: C:\WINDOWS\system32\k6pm0g71e6.dll
Successfully Deleted: C:\WINDOWS\system32\k6pm0g71e6.dll
deleting: C:\WINDOWS\system32\NOTAudioEditor.dll
Successfully Deleted: C:\WINDOWS\system32\NOTAudioEditor.dll
deleting: C:\WINDOWS\system32\enr8l19u1.dll
Successfully Deleted: C:\WINDOWS\system32\enr8l19u1.dll
deleting: C:\WINDOWS\system32\e4jm0e11eh.dll
Successfully Deleted: C:\WINDOWS\system32\e4jm0e11eh.dll
deleting: C:\WINDOWS\system32\n82ulif9182.dll
Successfully Deleted: C:\WINDOWS\system32\n82ulif9182.dll
deleting: C:\WINDOWS\system32\kt42l7ho1.dll
Successfully Deleted: C:\WINDOWS\system32\kt42l7ho1.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: nyshrui.dll (deflated 5%)
adding: imrnonce.dll (deflated 4%)
adding: h20qlcd51f0.dll (deflated 5%)
adding: mbricons.dll (deflated 3%)
adding: dnju0119e.dll (deflated 3%)
adding: cjrtmgr.dll (deflated 5%)
adding: lqfax11n.dll (deflated 3%)
adding: m0ju0a19ed.dll (deflated 3%)
adding: p84ulih9184.dll (deflated 4%)
adding: hr0q05d5e.dll (deflated 5%)
adding: mvrml9911.dll (deflated 4%)
adding: mv2sl9f71.dll (deflated 3%)
adding: hrl4053qe.dll (deflated 4%)
adding: en8ul1l91.dll (deflated 4%)
adding: ir26l5fs1.dll (deflated 5%)
adding: j04o0ah3ed4.dll (deflated 4%)
adding: en44l1hq1.dll (deflated 3%)
adding: lvlm0931e.dll (deflated 4%)
adding: g8040idqe80e0.dll (deflated 5%)
adding: p6r40g9qe6.dll (deflated 5%)
adding: fp6403jqe.dll (deflated 5%)
adding: j64o0gh3e64.dll (deflated 5%)
adding: enn4l15q1.dll (deflated 5%)
adding: u2rulc991f.dll (deflated 5%)
adding: mDpistub.dll (deflated 5%)
adding: fp0003dme.dll (deflated 4%)
adding: j66mlgj116o.dll (deflated 4%)
adding: m6640gjqe6oe0.dll (deflated 4%)
adding: f0l02a3mgd.dll (deflated 4%)
adding: l62slgf7162.dll (deflated 3%)
adding: t8r8li9u18.dll (deflated 3%)
adding: o0660ajsedo60.dll (deflated 4%)
adding: mvjml9111.dll (deflated 5%)
adding: k6pm0g71e6.dll (deflated 5%)
adding: NOTAudioEditor.dll (deflated 5%)
adding: enr8l19u1.dll (deflated 5%)
adding: e4jm0e11eh.dll (deflated 5%)
adding: n82ulif9182.dll (deflated 5%)
adding: kt42l7ho1.dll (deflated 3%)
adding: guard.tmp (deflated 3%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 46%)
adding: desktop.ini (deflated 13%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 67%)
adding: lo2.txt (deflated 84%)
adding: test2.txt (deflated 33%)
adding: test3.txt (deflated 25%)
adding: test5.txt (deflated 25%)
adding: test.txt (deflated 80%)
adding: xfind.txt (deflated 75%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/BD472F60-27FA-11cf-B8B4-444553540000.reg (deflated 64%)
adding: backregs/888DCA60-FC0A-11CF-8F0F-00C04FD7D062.reg (deflated 75%)
adding: backregs/66904C5C-51EA-4734-AF17-B6AF9242D228.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: nyshrui.dll
deleting local copy: imrnonce.dll
deleting local copy: h20qlcd51f0.dll
deleting local copy: mbricons.dll
deleting local copy: dnju0119e.dll
deleting local copy: cjrtmgr.dll
deleting local copy: lqfax11n.dll
deleting local copy: m0ju0a19ed.dll
deleting local copy: p84ulih9184.dll
deleting local copy: hr0q05d5e.dll
deleting local copy: mvrml9911.dll
deleting local copy: mv2sl9f71.dll
deleting local copy: hrl4053qe.dll
deleting local copy: en8ul1l91.dll
deleting local copy: ir26l5fs1.dll
deleting local copy: j04o0ah3ed4.dll
deleting local copy: en44l1hq1.dll
deleting local copy: lvlm0931e.dll
deleting local copy: g8040idqe80e0.dll
deleting local copy: p6r40g9qe6.dll
deleting local copy: fp6403jqe.dll
deleting local copy: j64o0gh3e64.dll
deleting local copy: enn4l15q1.dll
deleting local copy: u2rulc991f.dll
deleting local copy: mDpistub.dll
deleting local copy: fp0003dme.dll
deleting local copy: j66mlgj116o.dll
deleting local copy: m6640gjqe6oe0.dll
deleting local copy: f0l02a3mgd.dll
deleting local copy: l62slgf7162.dll
deleting local copy: t8r8li9u18.dll
deleting local copy: o0660ajsedo60.dll
deleting local copy: mvjml9111.dll
deleting local copy: k6pm0g71e6.dll
deleting local copy: NOTAudioEditor.dll
deleting local copy: enr8l19u1.dll
deleting local copy: e4jm0e11eh.dll
deleting local copy: n82ulif9182.dll
deleting local copy: kt42l7ho1.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\nyshrui.dll
C:\WINDOWS\system32\imrnonce.dll
C:\WINDOWS\system32\h20qlcd51f0.dll
C:\WINDOWS\system32\mbricons.dll
C:\WINDOWS\system32\dnju0119e.dll
C:\WINDOWS\system32\cjrtmgr.dll
C:\WINDOWS\system32\lqfax11n.dll
C:\WINDOWS\system32\m0ju0a19ed.dll
C:\WINDOWS\system32\p84ulih9184.dll
C:\WINDOWS\system32\hr0q05d5e.dll
C:\WINDOWS\system32\mvrml9911.dll
C:\WINDOWS\system32\mv2sl9f71.dll
C:\WINDOWS\system32\hrl4053qe.dll
C:\WINDOWS\system32\en8ul1l91.dll
C:\WINDOWS\system32\ir26l5fs1.dll
C:\WINDOWS\system32\j04o0ah3ed4.dll
C:\WINDOWS\system32\en44l1hq1.dll
C:\WINDOWS\system32\lvlm0931e.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\p6r40g9qe6.dll
C:\WINDOWS\system32\fp6403jqe.dll
C:\WINDOWS\system32\j64o0gh3e64.dll
C:\WINDOWS\system32\enn4l15q1.dll
C:\WINDOWS\system32\u2rulc991f.dll
C:\WINDOWS\system32\mDpistub.dll
C:\WINDOWS\system32\fp0003dme.dll
C:\WINDOWS\system32\j66mlgj116o.dll
C:\WINDOWS\system32\m6640gjqe6oe0.dll
C:\WINDOWS\system32\f0l02a3mgd.dll
C:\WINDOWS\system32\l62slgf7162.dll
C:\WINDOWS\system32\t8r8li9u18.dll
C:\WINDOWS\system32\o0660ajsedo60.dll
C:\WINDOWS\system32\mvjml9111.dll
C:\WINDOWS\system32\k6pm0g71e6.dll
C:\WINDOWS\system32\NOTAudioEditor.dll
C:\WINDOWS\system32\enr8l19u1.dll
C:\WINDOWS\system32\e4jm0e11eh.dll
C:\WINDOWS\system32\n82ulif9182.dll
C:\WINDOWS\system32\kt42l7ho1.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD472F60-27FA-11cf-B8B4-444553540000}"=-
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=-
"{66904C5C-51EA-4734-AF17-B6AF9242D228}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
[-HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
[-HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0A9F7617-BBB8-4E84-8A55-541B4D03BB4F}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{0A9F7617-BBB8-4E84-8A55-541B4D03BB4F}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************












Now HJT log after Option #2 was run.

Logfile of HijackThis v1.99.1
Scan saved at 15:08:13, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\dhnklxgg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system\qhcflqq.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BLUEXENON\Binn\sqlservr.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gateway User\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YPager.exe] C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [9QxjyF9fE] C:\WINDOWS\dhnklxgg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - Trusted Zone: www.lancome.com
O15 - Trusted Zone: http://www.pokerroom.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Btax1099miscy4 - http://www.taxsoftwa...x1099miscy4.CAB
O16 - DPF: BtaxBase - http://www.taxsoftwa...om/BTAXBase.CAB
O16 - DPF: BtaxFIREy3 - http://www.taxsoftwa.../BtaxFIREy4.CAB
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.co...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.po...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.c...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.co...1-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} (QuickBooks Online Edition Import Utilities Class v3) - https://accounting.q...04/qboimax3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.q....271/qboax7.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...421/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Thanks again for your help!
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hichadsmom

Please set your system to show all files; see here for how to do this if you're unsure.

Copy and paste document and save it to your desktop. Or if you have a printer you can print these instructions.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Pqgmrf.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Mbrpmw.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\dlmax.dll <--Delete this file
C:\WINDOWS\systb.dll <--Delete this file
C:\WINDOWS\System32\Pqgmrf.exe <--Delete this file
C:\WINDOWS\System32\Mbrpmw.exe <--Delete this file
C:\WINDOWS\System32\winupdt.exe <--Delete this file
C:\WINDOWS\farmmext.exe <--Delete this file
C:\WINDOWS\wupdt.exe <--Delete this file

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
  • 0

#7
chadsmom

chadsmom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
ok - here we go

Logfile of HijackThis v1.99.1
Scan saved at 16:12:56, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\dhnklxgg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system\qhcflqq.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BLUEXENON\Binn\sqlservr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gateway User\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YPager.exe] C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [9QxjyF9fE] C:\WINDOWS\dhnklxgg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - Trusted Zone: www.lancome.com
O15 - Trusted Zone: http://www.pokerroom.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Btax1099miscy4 - http://www.taxsoftwa...x1099miscy4.CAB
O16 - DPF: BtaxBase - http://www.taxsoftwa...om/BTAXBase.CAB
O16 - DPF: BtaxFIREy3 - http://www.taxsoftwa.../BtaxFIREy4.CAB
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.co...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.po...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.c...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.co...1-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} (QuickBooks Online Edition Import Utilities Class v3) - https://accounting.q...04/qboimax3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.q....271/qboax7.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...421/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Thanks!
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi chadsmom

Copy and paste this document and save it to your desktop. Or if you have a printer you can print these instructions.

Please set your system to show all files; see here for how to do this if you're unsure.

Using Add remove Program please unistall the following Programs:
C:\Program Files\ISTsvc\istsvc.exe


Click on the Processes tab and end the following processes:

C:\WINDOWS\dhnklxgg.exe
C:\WINDOWS\system\qhcflqq.exe

Exit the Task Manager when finished

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O4 - HKLM\..\Run: [YPager.exe] C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\dhnklxgg.exe <--Delete this file

C:\WINDOWS\system\qhcflqq.exe<--Delete this file

C:\Program Files\ISTsvc\istsvc.exe <--Delete this whole folder

C:\Program Files\Yahoo!\Messenger\YPager.exe<--Delete this whole folder

C:\WINDOWS\System32\winupdt.exe[/B]<--Delete this file

Exit Explorer, and reboot as normal afterwards.

[color=red]Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm


Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
  • 0

#9
chadsmom

chadsmom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Okay - did all of that - but will let you know that while running trendmicro online virus scan, I received about 70-80 popups.

Here is the lastest HJT log.

Why are these popups happening - shouldn't the software that I have paid a small fortune for be stopping/blocking these?

Logfile of HijackThis v1.99.1
Scan saved at 18:12:44, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\system\qhcflqq.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BLUEXENON\Binn\sqlservr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\sflaacj.exe
c:\windows\system32\calc.exe
C:\Documents and Settings\Gateway User\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [sflaacj] c:\windows\system32\sflaacj.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - Trusted Zone: www.lancome.com
O15 - Trusted Zone: http://www.pokerroom.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Btax1099miscy4 - http://www.taxsoftwa...x1099miscy4.CAB
O16 - DPF: BtaxBase - http://www.taxsoftwa...om/BTAXBase.CAB
O16 - DPF: BtaxFIREy3 - http://www.taxsoftwa.../BtaxFIREy4.CAB
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.co...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.po...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.c...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.co...1-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} (QuickBooks Online Edition Import Utilities Class v3) - https://accounting.q...04/qboimax3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.q....271/qboax7.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...421/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi chadsmom

Please set your system to show all files; see here for how to do this if you're unsure.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\system\qhcflqq.exe

c:\windows\system32\sflaacj.exe

c:\windows\system32\calc.exe

Exit the Task Manager when finished

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O4 - HKLM\..\Run: [sflaacj] c:\windows\system32\sflaacj.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system\qhcflqq.exe

c:\windows\system32\sflaacj.exe


Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 01:20 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP