ISRVS problem [resolved]



#1 Teesside Tim (Member, 20 posts)

Have been infected by isrvs and cannot delete infected files as they are protected. Help please.

Logfile of HijackThis v1.99.0
Scan saved at 19:53:38, on 03/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\WService.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasSWUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service - Unknown - C:\WINDOWS\System32\DRIVERS\WtSrv.exe



#2 starjax (Global Moderator, 6,678 posts)

Please set your system to show all files; please see here if you're unsure how to do this.

Using Task Manager, kill the following processes:
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

C:\WINDOWS\System32\DRIVERS\WtSrv.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O23 - Service: WinTab Service - Unknown - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:

c:\windows\isrvs
C:\WINDOWS\system32\n20050308.exe


Please rerun HJT and repost the log.

Thanks,
Starjax

#3 Teesside Tim (Topic Starter, Member, 20 posts)

Thanks for the advice. Did as you said and the following is the new log (PS: anything you can suggest for the pesky BHOs as 01, or should I ask separately when this is cleared?)

Logfile of HijackThis v1.99.0
Scan saved at 10:10:46, on 03/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\WService.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
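
Added example (not code from the thread, from HijackThis, or from any of its posters): a short Python script that parses HijackThis 1.99 log lines, flags the indicators visible in this thread (a hosts entry that sends a search domain to a remote IP, a binary running from a non-stock folder under WINDOWS, an O18 MIME filter, and the paths named in starjax's fix list), and diffs two logs to show what "Fix checked" actually removed. The stock-folder set and the indicator list are assumptions; the embedded log lines are a constructed subset of the logs in posts #1 and #3.

```python
"""Triage a HijackThis 1.99 log and diff two logs taken before and after a fix.

Added example for this thread; not part of HijackThis, L2MFix, or any post.
STOCK_DIRS and IOCS are assumptions (IOCS is drawn from starjax's fix list);
LOG_BEFORE / LOG_AFTER are constructed subsets of the logs in posts #1 and #3."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# Constructed samples: a subset of the log lines posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.0
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: WinTab Service - Unknown - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

WINDIR = "c:\\windows\\"
# Assumption: folders under WINDOWS where a stock XP SP1 binary may live; the
# printer spooler tree is handled as a prefix below. Extend for your own box.
STOCK_DIRS = {"", "system32", "system32\\drivers"}
# Assumption: indicators taken from the paths starjax told the poster to fix.
IOCS = ("\\isrvs\\", "\\wsxsvc\\", "n20050308.exe")


def parse_hjt(log):
    """Return Entry(section, text) for every 'Rn/On/Fn - ...' line; header skipped."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"([ROF]\d+) - (.*)", line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _binary_path(text):
    """First drive-letter path ending in .exe/.dll (quotes stripped), or None."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', text, re.IGNORECASE)
    return m.group(1) if m else None


def flag_entries(entries, iocs=IOCS):
    """Return [(entry, [reasons])] for entries that deserve a second look."""
    findings = []
    for e in entries:
        reasons = []
        path = _binary_path(e.text)
        lower = path.lower() if path else ""
        if e.section == "O1":
            ip = e.text.split()[1]
            if ip not in ("127.0.0.1", "::1"):
                reasons.append(f"hosts file sends a search domain to {ip}")
        if e.section == "O18" and e.text.lower().startswith("filter:"):
            reasons.append("MIME filter: the DLL sees every page of that content type")
        if lower.startswith(WINDIR):
            rel = lower[len(WINDIR):]
            sub = rel.rsplit("\\", 1)[0] if "\\" in rel else ""
            if sub not in STOCK_DIRS and not sub.startswith("system32\\spool\\"):
                reasons.append(f"binary in a non-stock folder under WINDOWS: {sub}")
        if any(i in lower for i in iocs):
            reasons.append("matches an indicator from the fix list")
        if reasons:
            findings.append((e, reasons))
    return findings


def diff_logs(before, after):
    """Return (removed, added, persisted) entry texts between two logs."""
    b = {e.text for e in parse_hjt(before)}
    a = {e.text for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b), sorted(a & b)


if __name__ == "__main__":
    flagged = {e.text: r for e, r in flag_entries(parse_hjt(LOG_AFTER))}
    for text, reasons in flagged.items():
        print(text + "\n    " + "; ".join(reasons))
    removed, added, persisted = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by the fix:", *removed, sep="\n  ")
    print("new since the fix:", *added, sep="\n  ")
    print("flagged entries that survived:", *[t for t in persisted if t in flagged], sep="\n  ")
```

Run against the two logs above, the diff shows [Dvx], [nsvcin] and the WinTab service gone, but both isrvs run entries still present and a new text/html filter DLL in the same isrvs folder. Entries that come back after a "Fix checked" mean a running component rewrote them, which is why removing the run keys alone did not clean this machine.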

#4 starjax (Global Moderator, 6,678 posts)

Edited by Geek U Mod

Teesside Tim

You are in very good hands with thatman!

starjax

Check my PM.

ScHwErV

Edited by ScHwErV, 27 March 2005 - 09:03 AM.


#5 Guest_thatman_* (Guest)

Hi Teesside Tim

You are badly infected. Please post back and let me help you clean your system; you are infected with VX2.

Kc

#6 Teesside Tim (Topic Starter, Member, 20 posts)

Thanks thatman, new post as requested

Logfile of HijackThis v1.99.0
Scan saved at 16:10:12, on 03/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\WService.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 Guest_thatman_* (Guest)

Hi Teesside Tim

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Kc

#8 Teesside Tim (Topic Starter, Member, 20 posts)

VX2 find log as requested...

thanks for your continuing help (both Starjax and Thatman)

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv64l9jq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{23B7AD86-1E1C-0BC9-1B31-1C943CAF6C74}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{F7CE8B6E-8F1A-405C-B373-EB858758253A}"=""
"{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}"=""
"{46D1CC85-84A2-4C17-936D-630E030767B0}"=""
"{1185E887-B917-4C9E-8C96-3B407276A50D}"=""
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}"=""
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}"=""
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}"=""
"{B149CD49-AFDC-41E0-978C-B1D3423B4780}"=""
"{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F7CE8B6E-8F1A-405C-B373-EB858758253A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7CE8B6E-8F1A-405C-B373-EB858758253A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7CE8B6E-8F1A-405C-B373-EB858758253A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7CE8B6E-8F1A-405C-B373-EB858758253A}\InprocServer32]
@="C:\\WINDOWS\\system32\\rer20.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{46D1CC85-84A2-4C17-936D-630E030767B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46D1CC85-84A2-4C17-936D-630E030767B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46D1CC85-84A2-4C17-936D-630E030767B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46D1CC85-84A2-4C17-936D-630E030767B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1185E887-B917-4C9E-8C96-3B407276A50D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1185E887-B917-4C9E-8C96-3B407276A50D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1185E887-B917-4C9E-8C96-3B407276A50D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1185E887-B917-4C9E-8C96-3B407276A50D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B149CD49-AFDC-41E0-978C-B1D3423B4780}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B149CD49-AFDC-41E0-978C-B1D3423B4780}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B149CD49-AFDC-41E0-978C-B1D3423B4780}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B149CD49-AFDC-41E0-978C-B1D3423B4780}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is BOOT
Volume Serial Number is 0032-C24C

Directory of C:\WINDOWS\System32

03/28/2005 19:21 234,282 rer20.dll
03/28/2005 17:51 232,813 i624lgfq162e.dll
03/28/2005 14:55 234,282 mv64l9jq1.dll
03/25/2005 11:16 235,361 wfbcheck(2).dll
03/25/2005 10:36 235,762 irq.dll
03/24/2005 21:04 235,418 mv66l9js1.dll
03/23/2005 22:12 235,630 ktp4l77q1.dll
03/22/2005 09:43 234,775 k2260cfsef260.dll
03/21/2005 17:36 234,262 p6r40g9qe6.dll
03/21/2005 16:58 234,262 lv0m09d1e.dll
03/21/2005 16:28 234,153 dnpm0171e.dll
03/21/2005 16:25 234,153 rLsman.dll
03/21/2005 16:23 233,248 s088lalu1dq8.dll
03/21/2005 15:39 233,248 kcdsw.dll
03/20/2005 23:23 <DIR> dllcache
03/20/2005 20:41 234,779 enlql1351.dll
03/17/2005 09:11 225,474 vxa64k.dll
03/15/2005 19:59 0 hrps0577e.dll
03/15/2005 08:43 223,821 anvapi32.dll
03/08/2005 19:50 222,784 i2nmlc511f.dll
03/05/2005 15:20 225,359 g2040cdqef0e0.dll
03/05/2005 13:25 225,359 ljfil11n.DLL
03/05/2005 13:23 224,067 p26slcj71fo.dll
03/01/2005 09:35 225,860 q4860elsehq60.dll
02/27/2005 10:56 225,860 qQsf.dll
02/24/2005 18:00 224,067 wfbvw.dll
02/22/2005 21:46 224,067 o2480chuef480.dll
02/22/2005 18:49 224,067 nxrsar.dll
02/22/2005 18:49 225,050 fp8u03l9e.dll
02/20/2005 21:00 224,581 g0jo0a13ed.dll
02/19/2005 15:51 223,098 ems.dll
02/18/2005 18:57 224,980 mkcsubs.dll
02/12/2005 22:48 224,828 j00s0ad7ed0.dll
02/12/2005 10:13 224,612 iexpromn.dll
02/04/2005 20:47 224,612 diocx.dll
02/03/2005 21:32 225,326 ccmctl32.dll
02/02/2005 19:17 224,612 rbbdyctl.dll
02/01/2005 21:36 223,042 ktlql7351.dll
02/01/2005 20:01 223,042 nltevent.dll
01/31/2005 23:27 225,137 kgdir.dll
01/30/2005 17:58 223,042 npdesk32.dll
01/29/2005 17:27 225,137 mljdbc10.dll
01/29/2005 17:27 222,801 l68mlgl116q.dll
01/29/2005 16:54 222,836 ktn2l75o1.dll
01/29/2005 16:07 224,201 dduiext.dll
01/29/2005 10:11 224,201 sefolder.dll
01/28/2005 21:56 225,137 MWIMUSIC.DLL
01/28/2005 18:03 224,201 dcdiagn.dll
01/25/2005 18:56 223,847 llfil11n.DLL
01/24/2005 22:40 224,660 mv80l9lm1.dll
01/24/2005 21:53 223,847 pbrfts.dll
01/24/2005 21:06 223,847 btowselc.dll
01/24/2005 21:06 224,190 fp4o03h3e.dll
01/21/2005 18:05 225,611 iysutil.dll
01/20/2005 22:18 223,894 uznpui.dll
01/19/2005 21:42 222,927 DPnetlib.dll
01/19/2005 21:28 224,060 iwpromon.dll
01/19/2005 21:09 224,795 LGCMP11n.DLL
01/19/2005 20:55 224,060 jfsh400.dll
01/19/2005 20:43 224,795 nvmkcert.dll
01/19/2005 08:33 224,060 qWsf.dll
01/18/2005 21:52 223,077 pmdgen.dll
01/18/2005 21:10 224,562 ir84l5lq1.dll
01/18/2005 21:01 223,438 dn6o01j3e.dll
01/18/2005 20:57 222,700 richost.dll
01/18/2005 20:46 223,077 cmmrepl.dll
01/18/2005 19:37 222,700 mxaatext.dll
01/17/2005 21:49 222,700 vahelper.dll
01/11/2005 23:34 224,609 ktj0l71m1.dll
01/11/2005 21:31 222,700 mmjetoledb40.dll
01/11/2005 15:34 223,076 KTDAL.DLL
01/09/2005 22:32 223,076 csmodem.dll
01/08/2005 14:05 226,251 kgdfr.dll
01/02/2005 21:32 222,569 oGkley.dll
01/02/2005 19:42 222,569 dHtime.dll
01/02/2005 15:34 225,669 ipq.dll
01/02/2005 15:34 222,569 l22s0cf7ef2.dll
01/01/2005 21:09 225,669 WYNGDE.DLL
12/28/2004 13:01 224,634 cknsole.dll
12/25/2004 12:00 224,321 hoetcfg.dll
12/24/2004 17:39 224,806 irn4l55q1.dll
12/24/2004 12:19 224,806 rJsman.dll
12/24/2004 12:13 224,321 vgsapi.dll
12/23/2004 19:01 225,664 nprsit.dll
12/18/2004 13:52 224,321 damap.dll
12/18/2004 09:27 223,791 mmisam11.dll
12/18/2004 09:22 224,321 qRsf.dll
12/16/2004 20:32 223,791 LRCMP11n.DLL
12/14/2004 18:25 222,889 wW5inf32.dll
12/12/2004 14:59 225,293 nytcfgx.dll
12/11/2004 18:23 225,576 fp8203loe.dll
12/11/2004 10:56 224,484 lv8609lse.dll
02/20/2004 00:19 <DIR> Microsoft
91 File(s) 20,330,311 bytes
2 Dir(s) 29,163,761,664 bytes free

#9
Guest_thatman_*
  • Guest
Hi Teesside Tim

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc :tazz:

#10
Teesside Tim
  • Topic Starter
  • Member
  • 20 posts
Done as requested; l2mfix and HijackThis logs attached.

L2Mfix 1.03

Running From:
C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1056 'explorer.exe'
Killing PID 1056 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1608 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\anvapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\btowselc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ccmctl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cknsole.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cmmrepl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\csmodem.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\damap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcdiagn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dduiext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dHtime.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\diocx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn6o01j3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnpm0171e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DPnetlib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ems.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enlql1351.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp4o03h3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8203loe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8u03l9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g0jo0a13ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g2040cdqef0e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gfi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpp4l37q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hoetcfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i2nmlc511f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iexpromn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir84l5lq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irn4l55q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwpromon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iysutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j00s0ad7ed0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jfsh400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt4o07h3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k2260cfsef260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6260gfse6260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcdsw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kgdfr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kgdir.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\khdsl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KTDAL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktj0l71m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktlql7351.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktn2l75o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktp4l77q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l22s0cf7ef2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l68mlgl116q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LGCMP11n.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ljfil11n.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\llfil11n.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LRCMP11n.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0m09d1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv4u09h9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv8609lse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkcsubs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mljdbc10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmisam11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmjetoledb40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv66l9js1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv80l9lm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MWIMUSIC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxaatext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nltevent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npdesk32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nprsit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nvmkcert.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nxrsar.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nytcfgx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2480chuef480.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\obbctrac.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oGkley.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p26slcj71fo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6r40g9qe6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pbrfts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pmdgen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q4860elsehq60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qQsf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qRsf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qWsf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbbdyctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\richost.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rJsman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rLsman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s088lalu1dq8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sefolder.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tbpmonui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uznpui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vahelper.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vgsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vxa64k.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfbcheck(2).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfbvw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wW5inf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WYNGDE.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\anvapi32.dll
Successfully Deleted: C:\WINDOWS\system32\anvapi32.dll
deleting: C:\WINDOWS\system32\btowselc.dll
Successfully Deleted: C:\WINDOWS\system32\btowselc.dll
deleting: C:\WINDOWS\system32\ccmctl32.dll
Successfully Deleted: C:\WINDOWS\system32\ccmctl32.dll
deleting: C:\WINDOWS\system32\cknsole.dll
Successfully Deleted: C:\WINDOWS\system32\cknsole.dll
deleting: C:\WINDOWS\system32\cmmrepl.dll
Successfully Deleted: C:\WINDOWS\system32\cmmrepl.dll
deleting: C:\WINDOWS\system32\csmodem.dll
Successfully Deleted: C:\WINDOWS\system32\csmodem.dll
deleting: C:\WINDOWS\system32\damap.dll
Successfully Deleted: C:\WINDOWS\system32\damap.dll
deleting: C:\WINDOWS\system32\dcdiagn.dll
Successfully Deleted: C:\WINDOWS\system32\dcdiagn.dll
deleting: C:\WINDOWS\system32\dduiext.dll
Successfully Deleted: C:\WINDOWS\system32\dduiext.dll
deleting: C:\WINDOWS\system32\dHtime.dll
Successfully Deleted: C:\WINDOWS\system32\dHtime.dll
deleting: C:\WINDOWS\system32\diocx.dll
Successfully Deleted: C:\WINDOWS\system32\diocx.dll
deleting: C:\WINDOWS\system32\dn6o01j3e.dll
Successfully Deleted: C:\WINDOWS\system32\dn6o01j3e.dll
deleting: C:\WINDOWS\system32\dnpm0171e.dll
Successfully Deleted: C:\WINDOWS\system32\dnpm0171e.dll
deleting: C:\WINDOWS\system32\DPnetlib.dll
Successfully Deleted: C:\WINDOWS\system32\DPnetlib.dll
deleting: C:\WINDOWS\system32\ems.dll
Successfully Deleted: C:\WINDOWS\system32\ems.dll
deleting: C:\WINDOWS\system32\enlql1351.dll
Successfully Deleted: C:\WINDOWS\system32\enlql1351.dll
deleting: C:\WINDOWS\system32\fp4o03h3e.dll
Successfully Deleted: C:\WINDOWS\system32\fp4o03h3e.dll
deleting: C:\WINDOWS\system32\fp8203loe.dll
Successfully Deleted: C:\WINDOWS\system32\fp8203loe.dll
deleting: C:\WINDOWS\system32\fp8u03l9e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8u03l9e.dll
deleting: C:\WINDOWS\system32\g0jo0a13ed.dll
Successfully Deleted: C:\WINDOWS\system32\g0jo0a13ed.dll
deleting: C:\WINDOWS\system32\g2040cdqef0e0.dll
Successfully Deleted: C:\WINDOWS\system32\g2040cdqef0e0.dll
deleting: C:\WINDOWS\system32\gfi32.dll
Successfully Deleted: C:\WINDOWS\system32\gfi32.dll
deleting: C:\WINDOWS\system32\gpp4l37q1.dll
Successfully Deleted: C:\WINDOWS\system32\gpp4l37q1.dll
deleting: C:\WINDOWS\system32\hoetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\hoetcfg.dll
deleting: C:\WINDOWS\system32\i2nmlc511f.dll
Successfully Deleted: C:\WINDOWS\system32\i2nmlc511f.dll
deleting: C:\WINDOWS\system32\iexpromn.dll
Successfully Deleted: C:\WINDOWS\system32\iexpromn.dll
deleting: C:\WINDOWS\system32\ipq.dll
Successfully Deleted: C:\WINDOWS\system32\ipq.dll
deleting: C:\WINDOWS\system32\ir84l5lq1.dll
Successfully Deleted: C:\WINDOWS\system32\ir84l5lq1.dll
deleting: C:\WINDOWS\system32\irn4l55q1.dll
Successfully Deleted: C:\WINDOWS\system32\irn4l55q1.dll
deleting: C:\WINDOWS\system32\irq.dll
Successfully Deleted: C:\WINDOWS\system32\irq.dll
deleting: C:\WINDOWS\system32\iwpromon.dll
Successfully Deleted: C:\WINDOWS\system32\iwpromon.dll
deleting: C:\WINDOWS\system32\iysutil.dll
Successfully Deleted: C:\WINDOWS\system32\iysutil.dll
deleting: C:\WINDOWS\system32\j00s0ad7ed0.dll
Successfully Deleted: C:\WINDOWS\system32\j00s0ad7ed0.dll
deleting: C:\WINDOWS\system32\jfsh400.dll
Successfully Deleted: C:\WINDOWS\system32\jfsh400.dll
deleting: C:\WINDOWS\system32\jt4o07h3e.dll
Successfully Deleted: C:\WINDOWS\system32\jt4o07h3e.dll
deleting: C:\WINDOWS\system32\k2260cfsef260.dll
Successfully Deleted: C:\WINDOWS\system32\k2260cfsef260.dll
deleting: C:\WINDOWS\system32\k6260gfse6260.dll
Successfully Deleted: C:\WINDOWS\system32\k6260gfse6260.dll
deleting: C:\WINDOWS\system32\kcdsw.dll
Successfully Deleted: C:\WINDOWS\system32\kcdsw.dll
deleting: C:\WINDOWS\system32\kgdfr.dll
Successfully Deleted: C:\WINDOWS\system32\kgdfr.dll
deleting: C:\WINDOWS\system32\kgdir.dll
Successfully Deleted: C:\WINDOWS\system32\kgdir.dll
deleting: C:\WINDOWS\system32\khdsl.dll
Successfully Deleted: C:\WINDOWS\system32\khdsl.dll
deleting: C:\WINDOWS\system32\KTDAL.DLL
Successfully Deleted: C:\WINDOWS\system32\KTDAL.DLL
deleting: C:\WINDOWS\system32\ktj0l71m1.dll
Successfully Deleted: C:\WINDOWS\system32\ktj0l71m1.dll
deleting: C:\WINDOWS\system32\ktlql7351.dll
Successfully Deleted: C:\WINDOWS\system32\ktlql7351.dll
deleting: C:\WINDOWS\system32\ktn2l75o1.dll
Successfully Deleted: C:\WINDOWS\system32\ktn2l75o1.dll
deleting: C:\WINDOWS\system32\ktp4l77q1.dll
Successfully Deleted: C:\WINDOWS\system32\ktp4l77q1.dll
deleting: C:\WINDOWS\system32\l22s0cf7ef2.dll
Successfully Deleted: C:\WINDOWS\system32\l22s0cf7ef2.dll
deleting: C:\WINDOWS\system32\l68mlgl116q.dll
Successfully Deleted: C:\WINDOWS\system32\l68mlgl116q.dll
deleting: C:\WINDOWS\system32\LGCMP11n.DLL
Successfully Deleted: C:\WINDOWS\system32\LGCMP11n.DLL
deleting: C:\WINDOWS\system32\ljfil11n.DLL
Successfully Deleted: C:\WINDOWS\system32\ljfil11n.DLL
deleting: C:\WINDOWS\system32\llfil11n.DLL
Successfully Deleted: C:\WINDOWS\system32\llfil11n.DLL
deleting: C:\WINDOWS\system32\LRCMP11n.DLL
Successfully Deleted: C:\WINDOWS\system32\LRCMP11n.DLL
deleting: C:\WINDOWS\system32\lv0m09d1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0m09d1e.dll
deleting: C:\WINDOWS\system32\lv4u09h9e.dll
Successfully Deleted: C:\WINDOWS\system32\lv4u09h9e.dll
deleting: C:\WINDOWS\system32\lv8609lse.dll
Successfully Deleted: C:\WINDOWS\system32\lv8609lse.dll
deleting: C:\WINDOWS\system32\mkcsubs.dll
Successfully Deleted: C:\WINDOWS\system32\mkcsubs.dll
deleting: C:\WINDOWS\system32\mljdbc10.dll
Successfully Deleted: C:\WINDOWS\system32\mljdbc10.dll
deleting: C:\WINDOWS\system32\mmisam11.dll
Successfully Deleted: C:\WINDOWS\system32\mmisam11.dll
deleting: C:\WINDOWS\system32\mmjetoledb40.dll
Successfully Deleted: C:\WINDOWS\system32\mmjetoledb40.dll
deleting: C:\WINDOWS\system32\mv66l9js1.dll
Successfully Deleted: C:\WINDOWS\system32\mv66l9js1.dll
deleting: C:\WINDOWS\system32\mv80l9lm1.dll
Successfully Deleted: C:\WINDOWS\system32\mv80l9lm1.dll
deleting: C:\WINDOWS\system32\MWIMUSIC.DLL
Successfully Deleted: C:\WINDOWS\system32\MWIMUSIC.DLL
deleting: C:\WINDOWS\system32\mxaatext.dll
Successfully Deleted: C:\WINDOWS\system32\mxaatext.dll
deleting: C:\WINDOWS\system32\nltevent.dll
Successfully Deleted: C:\WINDOWS\system32\nltevent.dll
deleting: C:\WINDOWS\system32\npdesk32.dll
Successfully Deleted: C:\WINDOWS\system32\npdesk32.dll
deleting: C:\WINDOWS\system32\nprsit.dll
Successfully Deleted: C:\WINDOWS\system32\nprsit.dll
deleting: C:\WINDOWS\system32\nvmkcert.dll
Successfully Deleted: C:\WINDOWS\system32\nvmkcert.dll
deleting: C:\WINDOWS\system32\nxrsar.dll
Successfully Deleted: C:\WINDOWS\system32\nxrsar.dll
deleting: C:\WINDOWS\system32\nytcfgx.dll
Successfully Deleted: C:\WINDOWS\system32\nytcfgx.dll
deleting: C:\WINDOWS\system32\o2480chuef480.dll
Successfully Deleted: C:\WINDOWS\system32\o2480chuef480.dll
deleting: C:\WINDOWS\system32\obbctrac.dll
Successfully Deleted: C:\WINDOWS\system32\obbctrac.dll
deleting: C:\WINDOWS\system32\oGkley.dll
Successfully Deleted: C:\WINDOWS\system32\oGkley.dll
deleting: C:\WINDOWS\system32\p26slcj71fo.dll
Successfully Deleted: C:\WINDOWS\system32\p26slcj71fo.dll
deleting: C:\WINDOWS\system32\p6r40g9qe6.dll
Successfully Deleted: C:\WINDOWS\system32\p6r40g9qe6.dll
deleting: C:\WINDOWS\system32\pbrfts.dll
Successfully Deleted: C:\WINDOWS\system32\pbrfts.dll
deleting: C:\WINDOWS\system32\pmdgen.dll
Successfully Deleted: C:\WINDOWS\system32\pmdgen.dll
deleting: C:\WINDOWS\system32\q4860elsehq60.dll
Successfully Deleted: C:\WINDOWS\system32\q4860elsehq60.dll
deleting: C:\WINDOWS\system32\qQsf.dll
Successfully Deleted: C:\WINDOWS\system32\qQsf.dll
deleting: C:\WINDOWS\system32\qRsf.dll
Successfully Deleted: C:\WINDOWS\system32\qRsf.dll
deleting: C:\WINDOWS\system32\qWsf.dll
Successfully Deleted: C:\WINDOWS\system32\qWsf.dll
deleting: C:\WINDOWS\system32\rbbdyctl.dll
Successfully Deleted: C:\WINDOWS\system32\rbbdyctl.dll
deleting: C:\WINDOWS\system32\richost.dll
Successfully Deleted: C:\WINDOWS\system32\richost.dll
deleting: C:\WINDOWS\system32\rJsman.dll
Successfully Deleted: C:\WINDOWS\system32\rJsman.dll
deleting: C:\WINDOWS\system32\rLsman.dll
Successfully Deleted: C:\WINDOWS\system32\rLsman.dll
deleting: C:\WINDOWS\system32\s088lalu1dq8.dll
Successfully Deleted: C:\WINDOWS\system32\s088lalu1dq8.dll
deleting: C:\WINDOWS\system32\sefolder.dll
Successfully Deleted: C:\WINDOWS\system32\sefolder.dll
deleting: C:\WINDOWS\system32\tbpmonui.dll
Successfully Deleted: C:\WINDOWS\system32\tbpmonui.dll
deleting: C:\WINDOWS\system32\uznpui.dll
Successfully Deleted: C:\WINDOWS\system32\uznpui.dll
deleting: C:\WINDOWS\system32\vahelper.dll
Successfully Deleted: C:\WINDOWS\system32\vahelper.dll
deleting: C:\WINDOWS\system32\vgsapi.dll
Successfully Deleted: C:\WINDOWS\system32\vgsapi.dll
deleting: C:\WINDOWS\system32\vxa64k.dll
Successfully Deleted: C:\WINDOWS\system32\vxa64k.dll
deleting: C:\WINDOWS\system32\wfbcheck(2).dll
Successfully Deleted: C:\WINDOWS\system32\wfbcheck(2).dll
deleting: C:\WINDOWS\system32\wfbvw.dll
Successfully Deleted: C:\WINDOWS\system32\wfbvw.dll
deleting: C:\WINDOWS\system32\wW5inf32.dll
Successfully Deleted: C:\WINDOWS\system32\wW5inf32.dll
deleting: C:\WINDOWS\system32\WYNGDE.DLL
Successfully Deleted: C:\WINDOWS\system32\WYNGDE.DLL

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: anvapi32.dll (164 bytes security) (deflated 4%)
adding: btowselc.dll (164 bytes security) (deflated 4%)
adding: ccmctl32.dll (164 bytes security) (deflated 5%)
adding: cknsole.dll (164 bytes security) (deflated 4%)
adding: cmmrepl.dll (164 bytes security) (deflated 4%)
adding: csmodem.dll (164 bytes security) (deflated 4%)
adding: damap.dll (164 bytes security) (deflated 4%)
adding: dcdiagn.dll (164 bytes security) (deflated 4%)
adding: dduiext.dll (164 bytes security) (deflated 4%)
adding: dHtime.dll (164 bytes security) (deflated 3%)
adding: diocx.dll (164 bytes security) (deflated 4%)
adding: dn6o01j3e.dll (164 bytes security) (deflated 4%)
adding: dnpm0171e.dll (164 bytes security) (deflated 5%)
adding: DPnetlib.dll (164 bytes security) (deflated 4%)
adding: ems.dll (164 bytes security) (deflated 4%)
adding: enlql1351.dll (164 bytes security) (deflated 5%)
adding: fp4o03h3e.dll (164 bytes security) (deflated 4%)
adding: fp8203loe.dll (164 bytes security) (deflated 4%)
adding: fp8u03l9e.dll (164 bytes security) (deflated 4%)
adding: g0jo0a13ed.dll (164 bytes security) (deflated 4%)
adding: g2040cdqef0e0.dll (164 bytes security) (deflated 5%)
adding: gfi32.dll (164 bytes security) (deflated 5%)
adding: gpp4l37q1.dll (164 bytes security) (deflated 4%)
adding: hoetcfg.dll (164 bytes security) (deflated 4%)
adding: i2nmlc511f.dll (164 bytes security) (deflated 3%)
adding: iexpromn.dll (164 bytes security) (deflated 4%)
adding: ipq.dll (164 bytes security) (deflated 5%)
adding: ir84l5lq1.dll (164 bytes security) (deflated 4%)
adding: irn4l55q1.dll (164 bytes security) (deflated 4%)
adding: irq.dll (164 bytes security) (deflated 5%)
adding: iwpromon.dll (164 bytes security) (deflated 4%)
adding: iysutil.dll (164 bytes security) (deflated 5%)
adding: j00s0ad7ed0.dll (164 bytes security) (deflated 4%)
adding: jfsh400.dll (164 bytes security) (deflated 4%)
adding: jt4o07h3e.dll (164 bytes security) (deflated 5%)
adding: k2260cfsef260.dll (164 bytes security) (deflated 5%)
adding: k6260gfse6260.dll (164 bytes security) (deflated 5%)
adding: kcdsw.dll (164 bytes security) (deflated 4%)
adding: kgdfr.dll (164 bytes security) (deflated 5%)
adding: kgdir.dll (164 bytes security) (deflated 4%)
adding: khdsl.dll (164 bytes security) (deflated 4%)
adding: KTDAL.DLL (164 bytes security) (deflated 4%)
adding: ktj0l71m1.dll (164 bytes security) (deflated 4%)
adding: ktlql7351.dll (164 bytes security) (deflated 4%)
adding: ktn2l75o1.dll (164 bytes security) (deflated 3%)
adding: ktp4l77q1.dll (164 bytes security) (deflated 5%)
adding: l22s0cf7ef2.dll (164 bytes security) (deflated 3%)
adding: l68mlgl116q.dll (164 bytes security) (deflated 3%)
adding: LGCMP11n.DLL (164 bytes security) (deflated 4%)
adding: ljfil11n.DLL (164 bytes security) (deflated 5%)
adding: llfil11n.DLL (164 bytes security) (deflated 4%)
adding: LRCMP11n.DLL (164 bytes security) (deflated 4%)
adding: lv0m09d1e.dll (164 bytes security) (deflated 5%)
adding: lv4u09h9e.dll (164 bytes security) (deflated 4%)
adding: lv8609lse.dll (164 bytes security) (deflated 4%)
adding: mkcsubs.dll (164 bytes security) (deflated 4%)
adding: mljdbc10.dll (164 bytes security) (deflated 4%)
adding: mmisam11.dll (164 bytes security) (deflated 4%)
adding: mmjetoledb40.dll (164 bytes security) (deflated 3%)
adding: mv66l9js1.dll (164 bytes security) (deflated 5%)
adding: mv80l9lm1.dll (164 bytes security) (deflated 4%)
adding: MWIMUSIC.DLL (164 bytes security) (deflated 4%)
adding: mxaatext.dll (164 bytes security) (deflated 3%)
adding: nltevent.dll (164 bytes security) (deflated 4%)
adding: npdesk32.dll (164 bytes security) (deflated 4%)
adding: nprsit.dll (164 bytes security) (deflated 5%)
adding: nvmkcert.dll (164 bytes security) (deflated 4%)
adding: nxrsar.dll (164 bytes security) (deflated 4%)
adding: nytcfgx.dll (164 bytes security) (deflated 4%)
adding: o2480chuef480.dll (164 bytes security) (deflated 4%)
adding: obbctrac.dll (164 bytes security) (deflated 4%)
adding: oGkley.dll (164 bytes security) (deflated 3%)
adding: p26slcj71fo.dll (164 bytes security) (deflated 4%)
adding: p6r40g9qe6.dll (164 bytes security) (deflated 5%)
adding: pbrfts.dll (164 bytes security) (deflated 4%)
adding: pmdgen.dll (164 bytes security) (deflated 4%)
adding: q4860elsehq60.dll (164 bytes security) (deflated 5%)
adding: qQsf.dll (164 bytes security) (deflated 5%)
adding: qRsf.dll (164 bytes security) (deflated 4%)
adding: qWsf.dll (164 bytes security) (deflated 4%)
adding: rbbdyctl.dll (164 bytes security) (deflated 4%)
adding: richost.dll (164 bytes security) (deflated 3%)
adding: rJsman.dll (164 bytes security) (deflated 4%)
adding: rLsman.dll (164 bytes security) (deflated 5%)
adding: s088lalu1dq8.dll (164 bytes security) (deflated 4%)
adding: sefolder.dll (164 bytes security) (deflated 4%)
adding: tbpmonui.dll (164 bytes security) (deflated 4%)
adding: uznpui.dll (164 bytes security) (deflated 4%)
adding: vahelper.dll (164 bytes security) (deflated 3%)
adding: vgsapi.dll (164 bytes security) (deflated 4%)
adding: vxa64k.dll (164 bytes security) (deflated 5%)
adding: wfbcheck(2).dll (164 bytes security) (deflated 5%)
adding: wfbvw.dll (164 bytes security) (deflated 4%)
adding: wW5inf32.dll (164 bytes security) (deflated 3%)
adding: WYNGDE.DLL (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 88%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (deflated 44%)
adding: test3.txt (164 bytes security) (deflated 44%)
adding: test5.txt (164 bytes security) (deflated 44%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/1185E887-B917-4C9E-8C96-3B407276A50D.reg (164 bytes security) (deflated 70%)
adding: backregs/12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF.reg (164 bytes security) (deflated 70%)
adding: backregs/1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD.reg (164 bytes security) (deflated 70%)
adding: backregs/24BC6C42-D76E-420C-BA68-B2AF83BB15AC.reg (164 bytes security) (deflated 70%)
adding: backregs/3385ABC6-7FBC-4EE7-8911-16DB5EE270DD.reg (164 bytes security) (deflated 70%)
adding: backregs/46D1CC85-84A2-4C17-936D-630E030767B0.reg (164 bytes security) (deflated 70%)
adding: backregs/B149CD49-AFDC-41E0-978C-B1D3423B4780.reg (164 bytes security) (deflated 70%)
adding: backregs/EBABE51C-2665-4DA7-AF49-C3ED803C3ABA.reg (164 bytes security) (deflated 70%)
adding: backregs/F7CE8B6E-8F1A-405C-B373-EB858758253A.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: anvapi32.dll
deleting local copy: btowselc.dll
deleting local copy: ccmctl32.dll
deleting local copy: cknsole.dll
deleting local copy: cmmrepl.dll
deleting local copy: csmodem.dll
deleting local copy: damap.dll
deleting local copy: dcdiagn.dll
deleting local copy: dduiext.dll
deleting local copy: dHtime.dll
deleting local copy: diocx.dll
deleting local copy: dn6o01j3e.dll
deleting local copy: dnpm0171e.dll
deleting local copy: DPnetlib.dll
deleting local copy: ems.dll
deleting local copy: enlql1351.dll
deleting local copy: fp4o03h3e.dll
deleting local copy: fp8203loe.dll
deleting local copy: fp8u03l9e.dll
deleting local copy: g0jo0a13ed.dll
deleting local copy: g2040cdqef0e0.dll
deleting local copy: gfi32.dll
deleting local copy: gpp4l37q1.dll
deleting local copy: hoetcfg.dll
deleting local copy: i2nmlc511f.dll
deleting local copy: iexpromn.dll
deleting local copy: ipq.dll
deleting local copy: ir84l5lq1.dll
deleting local copy: irn4l55q1.dll
deleting local copy: irq.dll
deleting local copy: iwpromon.dll
deleting local copy: iysutil.dll
deleting local copy: j00s0ad7ed0.dll
deleting local copy: jfsh400.dll
deleting local copy: jt4o07h3e.dll
deleting local copy: k2260cfsef260.dll
deleting local copy: k6260gfse6260.dll
deleting local copy: kcdsw.dll
deleting local copy: kgdfr.dll
deleting local copy: kgdir.dll
deleting local copy: khdsl.dll
deleting local copy: KTDAL.DLL
deleting local copy: ktj0l71m1.dll
deleting local copy: ktlql7351.dll
deleting local copy: ktn2l75o1.dll
deleting local copy: ktp4l77q1.dll
deleting local copy: l22s0cf7ef2.dll
deleting local copy: l68mlgl116q.dll
deleting local copy: LGCMP11n.DLL
deleting local copy: ljfil11n.DLL
deleting local copy: llfil11n.DLL
deleting local copy: LRCMP11n.DLL
deleting local copy: lv0m09d1e.dll
deleting local copy: lv4u09h9e.dll
deleting local copy: lv8609lse.dll
deleting local copy: mkcsubs.dll
deleting local copy: mljdbc10.dll
deleting local copy: mmisam11.dll
deleting local copy: mmjetoledb40.dll
deleting local copy: mv66l9js1.dll
deleting local copy: mv80l9lm1.dll
deleting local copy: MWIMUSIC.DLL
deleting local copy: mxaatext.dll
deleting local copy: nltevent.dll
deleting local copy: npdesk32.dll
deleting local copy: nprsit.dll
deleting local copy: nvmkcert.dll
deleting local copy: nxrsar.dll
deleting local copy: nytcfgx.dll
deleting local copy: o2480chuef480.dll
deleting local copy: obbctrac.dll
deleting local copy: oGkley.dll
deleting local copy: p26slcj71fo.dll
deleting local copy: p6r40g9qe6.dll
deleting local copy: pbrfts.dll
deleting local copy: pmdgen.dll
deleting local copy: q4860elsehq60.dll
deleting local copy: qQsf.dll
deleting local copy: qRsf.dll
deleting local copy: qWsf.dll
deleting local copy: rbbdyctl.dll
deleting local copy: richost.dll
deleting local copy: rJsman.dll
deleting local copy: rLsman.dll
deleting local copy: s088lalu1dq8.dll
deleting local copy: sefolder.dll
deleting local copy: tbpmonui.dll
deleting local copy: uznpui.dll
deleting local copy: vahelper.dll
deleting local copy: vgsapi.dll
deleting local copy: vxa64k.dll
deleting local copy: wfbcheck(2).dll
deleting local copy: wfbvw.dll
deleting local copy: wW5inf32.dll
deleting local copy: WYNGDE.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\anvapi32.dll
C:\WINDOWS\system32\btowselc.dll
C:\WINDOWS\system32\ccmctl32.dll
C:\WINDOWS\system32\cknsole.dll
C:\WINDOWS\system32\cmmrepl.dll
C:\WINDOWS\system32\csmodem.dll
C:\WINDOWS\system32\damap.dll
C:\WINDOWS\system32\dcdiagn.dll
C:\WINDOWS\system32\dduiext.dll
C:\WINDOWS\system32\dHtime.dll
C:\WINDOWS\system32\diocx.dll
C:\WINDOWS\system32\dn6o01j3e.dll
C:\WINDOWS\system32\dnpm0171e.dll
C:\WINDOWS\system32\DPnetlib.dll
C:\WINDOWS\system32\ems.dll
C:\WINDOWS\system32\enlql1351.dll
C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\fp8203loe.dll
C:\WINDOWS\system32\fp8u03l9e.dll
C:\WINDOWS\system32\g0jo0a13ed.dll
C:\WINDOWS\system32\g2040cdqef0e0.dll
C:\WINDOWS\system32\gfi32.dll
C:\WINDOWS\system32\gpp4l37q1.dll
C:\WINDOWS\system32\hoetcfg.dll
C:\WINDOWS\system32\i2nmlc511f.dll
C:\WINDOWS\system32\iexpromn.dll
C:\WINDOWS\system32\ipq.dll
C:\WINDOWS\system32\ir84l5lq1.dll
C:\WINDOWS\system32\irn4l55q1.dll
C:\WINDOWS\system32\irq.dll
C:\WINDOWS\system32\iwpromon.dll
C:\WINDOWS\system32\iysutil.dll
C:\WINDOWS\system32\j00s0ad7ed0.dll
C:\WINDOWS\system32\jfsh400.dll
C:\WINDOWS\system32\jt4o07h3e.dll
C:\WINDOWS\system32\k2260cfsef260.dll
C:\WINDOWS\system32\k6260gfse6260.dll
C:\WINDOWS\system32\kcdsw.dll
C:\WINDOWS\system32\kgdfr.dll
C:\WINDOWS\system32\kgdir.dll
C:\WINDOWS\system32\khdsl.dll
C:\WINDOWS\system32\KTDAL.DLL
C:\WINDOWS\system32\ktj0l71m1.dll
C:\WINDOWS\system32\ktlql7351.dll
C:\WINDOWS\system32\ktn2l75o1.dll
C:\WINDOWS\system32\ktp4l77q1.dll
C:\WINDOWS\system32\l22s0cf7ef2.dll
C:\WINDOWS\system32\l68mlgl116q.dll
C:\WINDOWS\system32\LGCMP11n.DLL
C:\WINDOWS\system32\ljfil11n.DLL
C:\WINDOWS\system32\llfil11n.DLL
C:\WINDOWS\system32\LRCMP11n.DLL
C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\lv4u09h9e.dll
C:\WINDOWS\system32\lv8609lse.dll
C:\WINDOWS\system32\mkcsubs.dll
C:\WINDOWS\system32\mljdbc10.dll
C:\WINDOWS\system32\mmisam11.dll
C:\WINDOWS\system32\mmjetoledb40.dll
C:\WINDOWS\system32\mv66l9js1.dll
C:\WINDOWS\system32\mv80l9lm1.dll
C:\WINDOWS\system32\MWIMUSIC.DLL
C:\WINDOWS\system32\mxaatext.dll
C:\WINDOWS\system32\nltevent.dll
C:\WINDOWS\system32\npdesk32.dll
C:\WINDOWS\system32\nprsit.dll
C:\WINDOWS\system32\nvmkcert.dll
C:\WINDOWS\system32\nxrsar.dll
C:\WINDOWS\system32\nytcfgx.dll
C:\WINDOWS\system32\o2480chuef480.dll
C:\WINDOWS\system32\obbctrac.dll
C:\WINDOWS\system32\oGkley.dll
C:\WINDOWS\system32\p26slcj71fo.dll
C:\WINDOWS\system32\p6r40g9qe6.dll
C:\WINDOWS\system32\pbrfts.dll
C:\WINDOWS\system32\pmdgen.dll
C:\WINDOWS\system32\q4860elsehq60.dll
C:\WINDOWS\system32\qQsf.dll
C:\WINDOWS\system32\qRsf.dll
C:\WINDOWS\system32\qWsf.dll
C:\WINDOWS\system32\rbbdyctl.dll
C:\WINDOWS\system32\richost.dll
C:\WINDOWS\system32\rJsman.dll
C:\WINDOWS\system32\rLsman.dll
C:\WINDOWS\system32\s088lalu1dq8.dll
C:\WINDOWS\system32\sefolder.dll
C:\WINDOWS\system32\tbpmonui.dll
C:\WINDOWS\system32\uznpui.dll
C:\WINDOWS\system32\vahelper.dll
C:\WINDOWS\system32\vgsapi.dll
C:\WINDOWS\system32\vxa64k.dll
C:\WINDOWS\system32\wfbcheck(2).dll
C:\WINDOWS\system32\wfbvw.dll
C:\WINDOWS\system32\wW5inf32.dll
C:\WINDOWS\system32\WYNGDE.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F7CE8B6E-8F1A-405C-B373-EB858758253A}"=-
"{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}"=-
"{46D1CC85-84A2-4C17-936D-630E030767B0}"=-
"{1185E887-B917-4C9E-8C96-3B407276A50D}"=-
"{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}"=-
"{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}"=-
"{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}"=-
"{B149CD49-AFDC-41E0-978C-B1D3423B4780}"=-
"{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F7CE8B6E-8F1A-405C-B373-EB858758253A}]
[-HKEY_CLASSES_ROOT\CLSID\{3385ABC6-7FBC-4EE7-8911-16DB5EE270DD}]
[-HKEY_CLASSES_ROOT\CLSID\{46D1CC85-84A2-4C17-936D-630E030767B0}]
[-HKEY_CLASSES_ROOT\CLSID\{1185E887-B917-4C9E-8C96-3B407276A50D}]
[-HKEY_CLASSES_ROOT\CLSID\{12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF}]
[-HKEY_CLASSES_ROOT\CLSID\{24BC6C42-D76E-420C-BA68-B2AF83BB15AC}]
[-HKEY_CLASSES_ROOT\CLSID\{EBABE51C-2665-4DA7-AF49-C3ED803C3ABA}]
[-HKEY_CLASSES_ROOT\CLSID\{B149CD49-AFDC-41E0-978C-B1D3423B4780}]
[-HKEY_CLASSES_ROOT\CLSID\{1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{FCAFBC93-B830-45CD-A47E-7DFBA99237E8}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************


Logfile of HijackThis v1.99.0
Scan saved at 18:20:55, on 03/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\WService.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

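The Winlogon\Notify export printed by L2Mfix above is the key artifact in this thread: every subkey under that key names a DLL that winlogon.exe loads into its own (SYSTEM) process at logon, which is why the ISRVS/Look2Me files could not simply be deleted from an admin session. The following is an added example, not part of L2Mfix or of anything posted in this thread. It parses a regedit 5.00 export of that key (plain REG_SZ values, dword values, and the hex(2) REG_EXPAND_SZ values with backslash line continuations that appear in the log) and flags any subkey whose DllName is not one of the nine packages present in the cleaned export. The known-good table is taken from that cleaned export on Windows XP SP1 and is an assumption for other builds, which register additional legitimate packages; the `example_rogue` subkey and `examplebad.dll` in the sample are invented for the demonstration.

```python
"""Audit a regedit export of HKLM\\...\\Winlogon\\Notify for unexpected notification DLLs.

Added example; not L2Mfix code. Input is the "Windows Registry Editor Version 5.00"
format shown in the thread log. Regedit writes that file as UTF-16, so read it with
open(path, encoding="utf-16") before passing the text in.
"""
import re

# Known-good Winlogon notification packages, copied from the cleaned export in the
# thread (Windows XP SP1). Assumption: other Windows builds register more; extend first.
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

# Matches the [HKEY_LOCAL_MACHINE\...\Winlogon\Notify\<subkey>] header, not the parent key.
SUBKEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]", re.I)


def decode_hex_string(hex_body):
    """Decode a regedit hex(2)/hex(1) body such as '63,00,72,00,...' (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(tok, 16) for tok in re.findall(r"[0-9a-fA-F]{2}", hex_body))
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_notify_export(text):
    """Return {subkey: {value_name: value}} for every Notify\\<subkey> in a regedit 5.00 export."""
    entries = {}
    current = None
    pending = None  # (value name, hex body so far) while a hex value continues on the next line
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if pending is not None:
            name, body = pending
            body += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, body)
            else:
                entries[current][name] = decode_hex_string(body)
                pending = None
            continue
        m = SUBKEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue  # parent key, blank line, file header, or a default (@=) value
        name, _, value = line[1:].partition('"=')
        if value.startswith('"'):
            # REG_SZ: quoted, with backslashes and quotes escaped regedit-style
            entries[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.startswith("dword:"):
            entries[current][name] = int(value[len("dword:"):], 16)
        elif value.startswith("hex("):
            body = value[value.index(":") + 1:]
            if body.endswith("\\"):
                pending = (name, body.rstrip("\\"))
            else:
                entries[current][name] = decode_hex_string(body)
    return entries


def audit_notify(entries):
    """Return (subkey, dllname, reason) for each subkey that does not match the known-good table."""
    findings = []
    for subkey, values in entries.items():
        # Registry value names are case-insensitive; the export mixes DllName and DLLName.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        expected = KNOWN_GOOD.get(subkey.lower())
        if dll is None:
            findings.append((subkey, None, "no DllName value"))
        elif expected is None:
            findings.append((subkey, dll, "subkey not in the known-good table"))
        elif dll.lower().rsplit("\\", 1)[-1] != expected:
            findings.append((subkey, dll, f"expected {expected}"))
    return findings


# Constructed sample: two entries copied from the cleaned export in the thread plus one
# hypothetical rogue entry (subkey name and DLL invented for this example).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_rogue]
"DllName"="C:\\WINDOWS\\system32\\examplebad.dll"
"Logon"="WinlogonLogonEvent"
"""

if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey}: DllName={dll!r} ({reason})")
```

Two caveats when using this against a real export. A name match is not a file match: a rogue package could reuse a legitimate subkey name and DLL name, so compare the on-disk file against a known-good hash as well. And the RegDACL step in the log is a separate control from this check: L2Mfix temporarily adds a Deny ACE for create-subkey (shown as C by RegDACL) for BUILTIN\Administrators on the Notify key so the malware, running in the admin's session, cannot re-register itself while its DLLs are removed; the "Inherited ACE can not be revoked here!" lines during the restore are expected, because the inherited (ID) entries belong to the parent key and only the non-inherited Deny entry is removed.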
#11 Guest_thatman_* (Guest)
Hi Teesside Tim

Rerun l2mfix: option 1 first, then run option 2.

Post the option 2 log and a new HJT log.

Kc :tazz:
#12 Teesside Tim (Topic Starter, Member, 20 posts)
New logs as requested:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Paul Campbell\Desktop\vx2\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1044 'explorer.exe'
Killing PID 1044 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 2%)
updating: echo.reg (164 bytes security) (deflated 10%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 73%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
adding: l2mfix log.txt (164 bytes security) (deflated 86%)
adding: log.txt (164 bytes security) (deflated 86%)
adding: report.txt (164 bytes security) (deflated 63%)
updating: backregs/1185E887-B917-4C9E-8C96-3B407276A50D.reg (164 bytes security) (deflated 70%)
updating: backregs/12E8DE8C-6A32-4ADE-B857-DD6D661ECBEF.reg (164 bytes security) (deflated 70%)
updating: backregs/1B71BC6C-D6D2-42FA-B85F-E5A4B6458AAD.reg (164 bytes security) (deflated 70%)
updating: backregs/24BC6C42-D76E-420C-BA68-B2AF83BB15AC.reg (164 bytes security) (deflated 70%)
updating: backregs/3385ABC6-7FBC-4EE7-8911-16DB5EE270DD.reg (164 bytes security) (deflated 70%)
updating: backregs/46D1CC85-84A2-4C17-936D-630E030767B0.reg (164 bytes security) (deflated 70%)
updating: backregs/B149CD49-AFDC-41E0-978C-B1D3423B4780.reg (164 bytes security) (deflated 70%)
updating: backregs/EBABE51C-2665-4DA7-AF49-C3ED803C3ABA.reg (164 bytes security) (deflated 70%)
updating: backregs/F7CE8B6E-8F1A-405C-B373-EB858758253A.reg (164 bytes security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****
************************************************************************

Logfile of HijackThis v1.99.0
Scan saved at 13:14:56, on 03/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WService.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#13
Guest_thatman_*
  • Guest
Hi Teesside Tim

Welcome to geekstogo

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Please download and install AD-Aware.
Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
cwsserviceremove

cwsserviceremove.zip


Download CW-Shredder at the link below:
CWShredder

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - Click here to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

2. Reboot into Safe Mode: Click here if you don't know how to do this.


3. Press Ctrl+Alt+Delete once -> Click Task Manager -> Click the Processes tab -> Double-click the Image Name column header to alphabetically sort the processes -> Scroll through the list and look for:


If you find the files, click on them, and then click End Process -> Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.u.../ActiveXATS.CAB


Then click on "Fix Checked"

5. Using Windows Explorer delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\web\related.htm<--Delete this file

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Download the ccleaner
I use this program and it is set up like this: all boxes are checked. Click on auto-startup.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
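The hosts-file redirect that the O1 lines and the "Restore Original Hosts" step above deal with can be checked mechanically. The following Python is an added example written for this page; it is not code from the thread, from HijackThis or from Hoster. It parses either a hosts file or the "O1 - Hosts:" lines of a HijackThis log, flags any hostname pinned to a non-loopback address (a stock Windows hosts file carries only the localhost entry), groups the flagged names by target address, and offers an `is_clean` check for use after the hosts file has been restored. The sample hosts file and log excerpt are constructed from the entries shown in the thread, and all function names are this example's own.

```python
"""Hosts-file hijack check for the 'O1 - Hosts:' entries HijackThis reports.

Added example for this thread, not code from HijackThis or Hoster. Function
names (parse_hosts, parse_hjt_o1, find_hijacks, group_by_address, is_clean)
are this example's own.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample hosts file, modelled on the O1 entries in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

# Constructed HijackThis excerpt (non-O1 lines included to show they are skipped).
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


class HostEntry(NamedTuple):
    address: str
    hostname: str
    source: str  # "hosts" or "hijackthis"


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file text; one entry per hostname, comments ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        address, *names = line.split()       # tabs and spaces both separate fields
        for name in names:
            entries.append(HostEntry(address, name.lower(), "hosts"))
    return entries


def parse_hjt_o1(text: str) -> List[HostEntry]:
    """Pull the address/hostname pairs out of HijackThis 'O1 - Hosts:' lines."""
    entries = []
    for raw in text.splitlines():
        m = O1_RE.match(raw.strip())
        if m:
            entries.append(HostEntry(m.group(1), m.group(2).lower(), "hijackthis"))
    return entries


def _is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:          # not an IP literal at all: treat as suspicious
        return False


def find_hijacks(entries: List[HostEntry]) -> List[HostEntry]:
    """Entries that pin a name to anything other than a loopback address.

    A stock Windows hosts file maps only localhost, so every other mapping
    deserves review; redirecting search/update hostnames to one outside
    address is the browser-hijacker pattern seen in the thread."""
    return [e for e in entries if not _is_loopback(e.address)]


def group_by_address(entries: List[HostEntry]) -> Dict[str, List[str]]:
    """Group flagged hostnames by target address: many names on one address
    is the strongest sign that the mappings were planted, not configured."""
    grouped: Dict[str, set] = {}
    for e in entries:
        grouped.setdefault(e.address, set()).add(e.hostname)
    return {addr: sorted(names) for addr, names in grouped.items()}


def is_clean(hosts_text: str) -> bool:
    """True when the hosts file holds nothing but loopback mappings, which is
    what to verify after restoring the original hosts file."""
    return not find_hijacks(parse_hosts(hosts_text))


if __name__ == "__main__":
    for label, entries in (("hosts file", parse_hosts(SAMPLE_HOSTS)),
                           ("HijackThis log", parse_hjt_o1(SAMPLE_HJT))):
        flagged = find_hijacks(entries)
        print(f"{label}: {len(flagged)} suspicious mapping(s)")
        for addr, names in group_by_address(flagged).items():
            print(f"  {addr} <- {', '.join(names)}")
    print("clean after restore:", is_clean("127.0.0.1\tlocalhost\n"))
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` by reading that file into `parse_hosts`; a non-empty result from `find_hijacks` before the fix and `is_clean` returning True afterwards is the before/after check for step 12. Note that the check deliberately does not whitelist "known bad" addresses: any non-loopback mapping is reported, so a hijacker that picks a different address than the one in this thread is still caught.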

#14
Teesside Tim
  • Topic Starter
  • Member
  • 20 posts
Done as asked - could not get access to Pandasoftware site, Trend Micro came up clear
Logfile of HijackThis v1.99.0
Scan saved at 17:55:56, on 03/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WService.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095882103250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A31ECC5-93B3-4291-80BE-98A087EF03D3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\System32\wowctl2.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

:tazz:
  • 0

#15
Guest_thatman_*
  • Guest
Hi Teesside Tim

Congratulations! Your system is CLEAN :tazz:

Download the Microsoft Antispyware

Download the CCleaner and unzip the file to install.
Open CCleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Run the CCleaner.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn off system restore
Disabling or enabling Windows XP System Restore

Turn system restore back on and create a new restore point. Defrag your hard drive.

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

After doing all these, your system will be thoroughly protected from future threats. ;)

Kc ;)
  • 0
