Totally Stuck-Spyware,virus-HELP!

#1
mihirkr
Member, 15 posts
Logfile of HijackThis v1.99.0
Scan saved at 10:37:36 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Mihir\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xa\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Check for QCharts Updates.lnk = C:\Program Files\Quote.com\QCharts 5.1\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://thatstelugu.i...er/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...gent/wtinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#2
rstones12
Malware Expert, Retired Staff, 3,731 posts
mihirkr,

Welcome.
You are currently running an outdated version of HJT.
Please download the newest version 1.99.1 HERE.

You are also running HJT out of a temporary directory:

Create a folder on your C:\ drive and rename it C:\HJT then place HJT in that folder and run it from that location from now on.

Once you have done this post back a new HJT log and I will take a look at it.

Thanks,
rstones12

#3
mihirkr
Topic Starter, Member, 15 posts
Thanks a lot. I have downloaded the latest version of HijackThis and saved it on the C: drive. I have also scanned my PC with MS AntiSpyware, Ad-Aware, Spybot, Ewido, Norton and a host of other tools. I was ready to reformat the hard drive before your message. I look forward to your help. Many thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:36:59 AM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xa\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://thatstelugu.i...er/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...gent/wtinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\k626lgfs1626.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#4
rstones12
Malware Expert, Retired Staff, 3,731 posts
mihirkr,

This is going to take a series of steps; please read through the directions in each post before proceeding, this is very important.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thanks,
rstones12
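
As an added example (not code from this thread, from HijackThis or from L2MFix), the Python script below parses HijackThis-format log lines and applies the kind of checks a log reviewer makes when reading the two logs above: O1 hosts-file lines that pin a search domain to a routable address, O4 autoruns and O18 MIME filters loading from a directory that is not system32 or Program Files, and O20 Winlogon Notify DLLs whose file names look generated. The sample lines are copied from the second HijackThis log in this thread; the directory whitelist and the name pattern are heuristics chosen for this example, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines (added example).

Written for this thread as an illustration; it is not part of HijackThis
or L2MFix. It parses the 'Oxx - ...' lines HijackThis prints and flags the
entry types a reviewer keys on: O1 hosts redirects, O4/O18 modules loading
from an unfamiliar directory, O20 Winlogon Notify DLLs with generated-looking
names. All rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a few lines copied from the second log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\k626lgfs1626.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24, each 'Xn - detail'.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<detail>.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Directories a Run entry, MIME filter or Notify DLL is normally installed to
# (heuristic whitelist for this example; includes the 8.3 form HJT prints).
KNOWN_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split 'O4 - detail' into ('O4', 'detail'); None for headers and process paths."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("detail")) if m else None


def in_known_dir(path):
    return path.lower().startswith(KNOWN_DIRS)


def check_o1(detail):
    # O1 lines read 'Hosts: <address> <hostname>'. A search domain pinned to a
    # routable address is a redirect; a loopback sinkhole entry is benign.
    parts = detail.split()
    if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
        return f"hosts file sends {parts[2]} to {parts[1]}"
    return None


def check_o4(detail):
    # O4 lines read '<key>: [<name>] <command>'; pull the executable out of the
    # command, tolerating surrounding quotes and trailing arguments.
    m = re.search(r'\]\s*"?(?P<exe>[^"]+?\.(?:exe|dll|bat|cmd))', detail, re.I)
    if m and not in_known_dir(m.group("exe")):
        return f"autorun from unfamiliar directory: {m.group('exe')}"
    return None


def check_module(detail):
    # O18 and O20 lines end with ' - <module path>'.
    path = detail.rsplit(" - ", 1)[-1].strip().strip('"')
    if not in_known_dir(path):
        return f"module outside expected directories: {path}"
    return None


def check_o20(detail):
    # Notify DLLs run inside winlogon.exe at every logon; a file name made of
    # letters followed by runs of digits (k626lgfs1626.dll above) looks generated.
    reason = check_module(detail)
    if reason:
        return reason
    name = detail.rsplit("\\", 1)[-1]
    if re.search(r"[a-z]+\d{3,}", name, re.I):
        return f"Winlogon Notify DLL with generated-looking name: {name}"
    return None


CHECKS = {"O1": check_o1, "O4": check_o4, "O18": check_module, "O20": check_o20}


def triage(log_text):
    """Return a Finding for every line a check objects to, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, detail = parsed
        check = CHECKS.get(section)
        reason = check(detail) if check else None
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}")
```

Run against the sample, the script reports the two hosts redirects, the two `isrvs` autoruns, the `isrvs` MIME filter and the Notify DLL, and stays silent on the Symantec entries; the whitelist is deliberately small, so anything it flags is a prompt for a manual look at the file, not a verdict.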

#5
mihirkr
Topic Starter, Member, 15 posts
MANY thanks!
Log below
Cheers-M

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k626lgfs1626.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D1097613-168C-D120-52AC-E6E52B8C1CE5}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}"="Nokia Phone Browser"
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}"="Contact View"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}"=""
"{BBA474FB-C941-4218-91B7-7F634B60DFCE}"=""
"{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}"=""
"{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}\InprocServer32]
@="C:\\WINDOWS\\system32\\mwdex.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}\InprocServer32]
@="C:\\WINDOWS\\system32\\fsccodec32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}\InprocServer32]
@="C:\\WINDOWS\\system32\\donwsock.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}\InprocServer32]
@="C:\\WINDOWS\\system32\\dsrgui.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2629-16F0

Directory of C:\WINDOWS\System32

03/30/2005 09:29 AM 233,335 guard.tmp
03/30/2005 09:05 AM 233,335 en4ml1h11.dll
03/30/2005 08:45 AM 233,335 k626lgfs1626.dll
03/30/2005 07:10 AM 233,335 m282lclo1fqc.dll
03/29/2005 06:27 AM 235,747 l4n4le5q1h.dll
03/28/2005 09:33 PM 233,963 mvjsl9171.dll
03/19/2005 06:21 AM 233,119 m0rm0a91ed.dll
03/16/2005 06:12 AM 233,248 shnike.dll
03/16/2005 06:09 AM 233,558 jtnu0759e.dll
03/16/2005 06:09 AM 232,601 oiethk32.dll
03/15/2005 10:58 AM 232,601 fpl0033me.dll
03/15/2005 09:56 AM 232,570 c2000cdmef0a0.dll
03/15/2005 01:16 AM 235,242 ir48l5hu1.dll
03/10/2005 09:45 AM 234,658 n22ulcf91f2.dll
03/10/2005 09:18 AM 232,954 f8j20i1oe8.dll
03/10/2005 08:56 AM 234,440 j40sled71h0.dll
03/10/2005 08:39 AM 225,195 mvp0l97m1.dll
03/10/2005 08:39 AM 224,116 okdbse32.dll
03/09/2005 11:12 AM 232,736 wkpcore.dll
03/09/2005 11:12 AM 232,736 wkpasf.dll
03/09/2005 09:11 AM 232,736 XseedCry.dll
03/09/2005 09:11 AM 232,736 stmedia.dll
03/09/2005 08:11 AM 232,736 pDutoenr.dll
03/09/2005 08:11 AM 232,736 rVsppp.dll
03/09/2005 07:11 AM 232,736 sgsvcs.dll
03/09/2005 07:11 AM 232,736 sysvcs.dll
03/09/2005 06:11 AM 232,736 dqskadp.dll
03/09/2005 06:11 AM 232,736 dYdrm.dll
03/08/2005 08:13 AM 224,116 gplql3351.dll
03/07/2005 06:14 AM 224,116 irnul5591.dll
03/07/2005 06:10 AM 224,116 j44o0eh3eh4.dll
03/06/2005 09:48 AM 226,071 dnju0119e.dll
02/27/2005 06:18 AM 224,886 o2rolc931f.dll
02/10/2005 02:36 PM 223,600 vpscript.dll
01/20/2005 09:10 AM 223,600 r28s0cl7efq.dll
01/18/2005 10:47 PM 223,600 fpn4035qe.dll
01/18/2005 10:40 PM 223,600 jt8m07l1e.dll
01/18/2005 10:38 PM 223,600 dn6001jme.dll
01/06/2005 08:44 PM 223,600 irjql5151.dll
01/06/2005 08:43 PM 223,600 d80m0id1e80.dll
01/03/2005 12:46 PM 223,600 n6n6lg5s16.dll
01/01/2005 12:32 PM 225,384 o684lglq16qe.dll
12/29/2004 10:22 AM 223,803 kt62l7jo1.dll
12/29/2004 10:09 AM 224,508 s2pulc791f.dll
12/29/2004 09:49 AM 223,380 o4480ehueh480.dll
12/29/2004 09:42 AM 224,506 s0pula791d.dll
12/29/2004 09:29 AM 222,536 jtl4073qe.dll
12/29/2004 09:27 AM 226,228 o8luli3918.dll
12/26/2004 06:10 PM 224,336 i8nmli5118.dll
12/26/2004 06:02 PM 223,696 i8jq0i15e8.dll
12/23/2004 02:12 PM 225,320 h0n0la5m1d.dll
12/22/2004 11:33 AM 223,122 mv28l9fu1.dll
12/22/2004 10:26 AM 222,332 i8420ihoe84c0.dll
12/22/2004 10:18 AM 223,036 ktn6l75s1.dll
12/21/2004 11:35 PM 223,106 o8pqli7518.dll
12/15/2004 10:30 AM 223,207 gp02l3do1.dll
12/15/2004 10:09 AM 223,893 kt0ul7d91.dll
12/14/2004 07:34 AM 223,207 KZDAL.DLL
12/14/2004 07:27 AM 224,283 j6p0lg7m16.dll
01/15/2004 12:14 AM 32 {40F818C0-8244-4058-ACA9-6D290502C5AE}.dat
12/28/2003 11:54 AM <DIR> Microsoft
12/28/2003 11:25 AM <DIR> dllcache
60 File(s) 13,456,732 bytes
2 Dir(s) 64,850,919,424 bytes free

#6
rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
mihirkr,

OK, nice job.

Make sure to read these directions before proceeding.

Now we need to do the next part of the fix.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Thanks,
rstones12

#7
mihirkr

    Member

  • Topic Starter
  • Member
  • 15 posts
I am posting the l2m fix log. I will post the hijackthis log in another thread to avoid any confusion. Thanks-M

L2Mfix 1.03

Running From:
C:\Documents and Settings\Mihir\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Mihir\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mihir\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1272 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\oiethk32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okdbse32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dqskadp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vpscript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irjql5151.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KZDAL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnju0119e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irnul5591.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\shnike.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp02l3do1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt0ul7d91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktn6l75s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv28l9fu1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sysvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sgsvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stmedia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkpasf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkpcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn6001jme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtl4073qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dYdrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt62l7jo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt8m07l1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpn4035qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n6n6lg5s16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\d80m0id1e80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r28s0cl7efq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j6p0lg7m16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8pqli7518.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8luli3918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8420ihoe84c0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h0n0la5m1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8jq0i15e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rVsppp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8nmli5118.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0pula791d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o4480ehueh480.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s2pulc791f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pDutoenr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o684lglq16qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j44o0eh3eh4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2rolc931f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\XseedCry.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvp0l97m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gplql3351.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j40sled71h0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f8j20i1oe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir48l5hu1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtnu0759e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpl0033me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n22ulcf91f2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\c2000cdmef0a0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt8407lqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvn6095se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irjol5131.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvjsl9171.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en4ml1h11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0rm0a91ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l4n4le5q1h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m282lclo1fqc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\oiethk32.dll
Successfully Deleted: C:\WINDOWS\system32\oiethk32.dll
deleting: C:\WINDOWS\system32\okdbse32.dll
Successfully Deleted: C:\WINDOWS\system32\okdbse32.dll
deleting: C:\WINDOWS\system32\dqskadp.dll
Successfully Deleted: C:\WINDOWS\system32\dqskadp.dll
deleting: C:\WINDOWS\system32\vpscript.dll
Successfully Deleted: C:\WINDOWS\system32\vpscript.dll
deleting: C:\WINDOWS\system32\irjql5151.dll
Successfully Deleted: C:\WINDOWS\system32\irjql5151.dll
deleting: C:\WINDOWS\system32\KZDAL.DLL
Successfully Deleted: C:\WINDOWS\system32\KZDAL.DLL
deleting: C:\WINDOWS\system32\dnju0119e.dll
Successfully Deleted: C:\WINDOWS\system32\dnju0119e.dll
deleting: C:\WINDOWS\system32\irnul5591.dll
Successfully Deleted: C:\WINDOWS\system32\irnul5591.dll
deleting: C:\WINDOWS\system32\shnike.dll
Successfully Deleted: C:\WINDOWS\system32\shnike.dll
deleting: C:\WINDOWS\system32\gp02l3do1.dll
Successfully Deleted: C:\WINDOWS\system32\gp02l3do1.dll
deleting: C:\WINDOWS\system32\kt0ul7d91.dll
Successfully Deleted: C:\WINDOWS\system32\kt0ul7d91.dll
deleting: C:\WINDOWS\system32\ktn6l75s1.dll
Successfully Deleted: C:\WINDOWS\system32\ktn6l75s1.dll
deleting: C:\WINDOWS\system32\mv28l9fu1.dll
Successfully Deleted: C:\WINDOWS\system32\mv28l9fu1.dll
deleting: C:\WINDOWS\system32\sysvcs.dll
Successfully Deleted: C:\WINDOWS\system32\sysvcs.dll
deleting: C:\WINDOWS\system32\sgsvcs.dll
Successfully Deleted: C:\WINDOWS\system32\sgsvcs.dll
deleting: C:\WINDOWS\system32\stmedia.dll
Successfully Deleted: C:\WINDOWS\system32\stmedia.dll
deleting: C:\WINDOWS\system32\wkpasf.dll
Successfully Deleted: C:\WINDOWS\system32\wkpasf.dll
deleting: C:\WINDOWS\system32\wkpcore.dll
Successfully Deleted: C:\WINDOWS\system32\wkpcore.dll
deleting: C:\WINDOWS\system32\dn6001jme.dll
Successfully Deleted: C:\WINDOWS\system32\dn6001jme.dll
deleting: C:\WINDOWS\system32\jtl4073qe.dll
Successfully Deleted: C:\WINDOWS\system32\jtl4073qe.dll
deleting: C:\WINDOWS\system32\dYdrm.dll
Successfully Deleted: C:\WINDOWS\system32\dYdrm.dll
deleting: C:\WINDOWS\system32\kt62l7jo1.dll
Successfully Deleted: C:\WINDOWS\system32\kt62l7jo1.dll
deleting: C:\WINDOWS\system32\jt8m07l1e.dll
Successfully Deleted: C:\WINDOWS\system32\jt8m07l1e.dll
deleting: C:\WINDOWS\system32\fpn4035qe.dll
Successfully Deleted: C:\WINDOWS\system32\fpn4035qe.dll
deleting: C:\WINDOWS\system32\n6n6lg5s16.dll
Successfully Deleted: C:\WINDOWS\system32\n6n6lg5s16.dll
deleting: C:\WINDOWS\system32\d80m0id1e80.dll
Successfully Deleted: C:\WINDOWS\system32\d80m0id1e80.dll
deleting: C:\WINDOWS\system32\r28s0cl7efq.dll
Successfully Deleted: C:\WINDOWS\system32\r28s0cl7efq.dll
deleting: C:\WINDOWS\system32\j6p0lg7m16.dll
Successfully Deleted: C:\WINDOWS\system32\j6p0lg7m16.dll
deleting: C:\WINDOWS\system32\o8pqli7518.dll
Successfully Deleted: C:\WINDOWS\system32\o8pqli7518.dll
deleting: C:\WINDOWS\system32\o8luli3918.dll
Successfully Deleted: C:\WINDOWS\system32\o8luli3918.dll
deleting: C:\WINDOWS\system32\i8420ihoe84c0.dll
Successfully Deleted: C:\WINDOWS\system32\i8420ihoe84c0.dll
deleting: C:\WINDOWS\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0n0la5m1d.dll
deleting: C:\WINDOWS\system32\i8jq0i15e8.dll
Successfully Deleted: C:\WINDOWS\system32\i8jq0i15e8.dll
deleting: C:\WINDOWS\system32\rVsppp.dll
Successfully Deleted: C:\WINDOWS\system32\rVsppp.dll
deleting: C:\WINDOWS\system32\i8nmli5118.dll
Successfully Deleted: C:\WINDOWS\system32\i8nmli5118.dll
deleting: C:\WINDOWS\system32\s0pula791d.dll
Successfully Deleted: C:\WINDOWS\system32\s0pula791d.dll
deleting: C:\WINDOWS\system32\o4480ehueh480.dll
Successfully Deleted: C:\WINDOWS\system32\o4480ehueh480.dll
deleting: C:\WINDOWS\system32\s2pulc791f.dll
Successfully Deleted: C:\WINDOWS\system32\s2pulc791f.dll
deleting: C:\WINDOWS\system32\pDutoenr.dll
Successfully Deleted: C:\WINDOWS\system32\pDutoenr.dll
deleting: C:\WINDOWS\system32\o684lglq16qe.dll
Successfully Deleted: C:\WINDOWS\system32\o684lglq16qe.dll
deleting: C:\WINDOWS\system32\j44o0eh3eh4.dll
Successfully Deleted: C:\WINDOWS\system32\j44o0eh3eh4.dll
deleting: C:\WINDOWS\system32\o2rolc931f.dll
Successfully Deleted: C:\WINDOWS\system32\o2rolc931f.dll
deleting: C:\WINDOWS\system32\XseedCry.dll
Successfully Deleted: C:\WINDOWS\system32\XseedCry.dll
deleting: C:\WINDOWS\system32\mvp0l97m1.dll
Successfully Deleted: C:\WINDOWS\system32\mvp0l97m1.dll
deleting: C:\WINDOWS\system32\gplql3351.dll
Successfully Deleted: C:\WINDOWS\system32\gplql3351.dll
deleting: C:\WINDOWS\system32\j40sled71h0.dll
Successfully Deleted: C:\WINDOWS\system32\j40sled71h0.dll
deleting: C:\WINDOWS\system32\f8j20i1oe8.dll
Successfully Deleted: C:\WINDOWS\system32\f8j20i1oe8.dll
deleting: C:\WINDOWS\system32\ir48l5hu1.dll
Successfully Deleted: C:\WINDOWS\system32\ir48l5hu1.dll
deleting: C:\WINDOWS\system32\jtnu0759e.dll
Successfully Deleted: C:\WINDOWS\system32\jtnu0759e.dll
deleting: C:\WINDOWS\system32\fpl0033me.dll
Successfully Deleted: C:\WINDOWS\system32\fpl0033me.dll
deleting: C:\WINDOWS\system32\n22ulcf91f2.dll
Successfully Deleted: C:\WINDOWS\system32\n22ulcf91f2.dll
deleting: C:\WINDOWS\system32\c2000cdmef0a0.dll
Successfully Deleted: C:\WINDOWS\system32\c2000cdmef0a0.dll
deleting: C:\WINDOWS\system32\jt8407lqe.dll
Successfully Deleted: C:\WINDOWS\system32\jt8407lqe.dll
deleting: C:\WINDOWS\system32\lvn6095se.dll
Successfully Deleted: C:\WINDOWS\system32\lvn6095se.dll
deleting: C:\WINDOWS\system32\irjol5131.dll
Successfully Deleted: C:\WINDOWS\system32\irjol5131.dll
deleting: C:\WINDOWS\system32\mvjsl9171.dll
Successfully Deleted: C:\WINDOWS\system32\mvjsl9171.dll
deleting: C:\WINDOWS\system32\en4ml1h11.dll
Successfully Deleted: C:\WINDOWS\system32\en4ml1h11.dll
deleting: C:\WINDOWS\system32\m0rm0a91ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0rm0a91ed.dll
deleting: C:\WINDOWS\system32\l4n4le5q1h.dll
Successfully Deleted: C:\WINDOWS\system32\l4n4le5q1h.dll
deleting: C:\WINDOWS\system32\m282lclo1fqc.dll
Successfully Deleted: C:\WINDOWS\system32\m282lclo1fqc.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: oiethk32.dll (deflated 4%)
adding: okdbse32.dll (deflated 4%)
adding: dqskadp.dll (deflated 4%)
adding: vpscript.dll (deflated 4%)
adding: irjql5151.dll (deflated 4%)
adding: KZDAL.DLL (deflated 3%)
adding: dnju0119e.dll (deflated 5%)
adding: irnul5591.dll (deflated 4%)
adding: shnike.dll (deflated 4%)
adding: gp02l3do1.dll (deflated 3%)
adding: kt0ul7d91.dll (deflated 4%)
adding: ktn6l75s1.dll (deflated 3%)
adding: mv28l9fu1.dll (deflated 3%)
adding: sysvcs.dll (deflated 4%)
adding: sgsvcs.dll (deflated 4%)
adding: stmedia.dll (deflated 4%)
adding: wkpasf.dll (deflated 4%)
adding: wkpcore.dll (deflated 4%)
adding: dn6001jme.dll (deflated 4%)
adding: jtl4073qe.dll (deflated 3%)
adding: dYdrm.dll (deflated 4%)
adding: kt62l7jo1.dll (deflated 4%)
adding: jt8m07l1e.dll (deflated 4%)
adding: fpn4035qe.dll (deflated 4%)
adding: n6n6lg5s16.dll (deflated 4%)
adding: d80m0id1e80.dll (deflated 4%)
adding: r28s0cl7efq.dll (deflated 4%)
adding: j6p0lg7m16.dll (deflated 4%)
adding: o8pqli7518.dll (deflated 3%)
adding: o8luli3918.dll (deflated 5%)
adding: i8420ihoe84c0.dll (deflated 3%)
adding: h0n0la5m1d.dll (deflated 4%)
adding: i8jq0i15e8.dll (deflated 4%)
adding: rVsppp.dll (deflated 4%)
adding: i8nmli5118.dll (deflated 4%)
adding: s0pula791d.dll (deflated 4%)
adding: o4480ehueh480.dll (deflated 4%)
adding: s2pulc791f.dll (deflated 4%)
adding: pDutoenr.dll (deflated 4%)
adding: o684lglq16qe.dll (deflated 5%)
adding: j44o0eh3eh4.dll (deflated 4%)
adding: o2rolc931f.dll (deflated 4%)
adding: XseedCry.dll (deflated 4%)
adding: mvp0l97m1.dll (deflated 4%)
adding: gplql3351.dll (deflated 4%)
adding: j40sled71h0.dll (deflated 5%)
adding: f8j20i1oe8.dll (deflated 4%)
adding: ir48l5hu1.dll (deflated 5%)
adding: jtnu0759e.dll (deflated 5%)
adding: fpl0033me.dll (deflated 4%)
adding: n22ulcf91f2.dll (deflated 5%)
adding: c2000cdmef0a0.dll (deflated 4%)
adding: jt8407lqe.dll (deflated 4%)
adding: lvn6095se.dll (deflated 5%)
adding: irjol5131.dll (deflated 5%)
adding: mvjsl9171.dll (deflated 5%)
adding: en4ml1h11.dll (deflated 5%)
adding: m0rm0a91ed.dll (deflated 4%)
adding: l4n4le5q1h.dll (deflated 6%)
adding: m282lclo1fqc.dll (deflated 5%)
adding: guard.tmp (deflated 5%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 52%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: lo2.txt (deflated 85%)
adding: test2.txt (deflated 33%)
adding: test3.txt (deflated 33%)
adding: test5.txt (deflated 33%)
adding: test.txt (deflated 82%)
adding: xfind.txt (deflated 77%)
adding: backregs/shell.reg (deflated 73%)
adding: backregs/D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687.reg (deflated 70%)
adding: backregs/BBA474FB-C941-4218-91B7-7F634B60DFCE.reg (deflated 70%)
adding: backregs/CF6E1B16-3CC0-4477-AE36-35FC5FDC5363.reg (deflated 70%)
adding: backregs/6FFD5CA1-389D-45C1-8D32-79C71BAE6507.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: oiethk32.dll
deleting local copy: okdbse32.dll
deleting local copy: dqskadp.dll
deleting local copy: vpscript.dll
deleting local copy: irjql5151.dll
deleting local copy: KZDAL.DLL
deleting local copy: dnju0119e.dll
deleting local copy: irnul5591.dll
deleting local copy: shnike.dll
deleting local copy: gp02l3do1.dll
deleting local copy: kt0ul7d91.dll
deleting local copy: ktn6l75s1.dll
deleting local copy: mv28l9fu1.dll
deleting local copy: sysvcs.dll
deleting local copy: sgsvcs.dll
deleting local copy: stmedia.dll
deleting local copy: wkpasf.dll
deleting local copy: wkpcore.dll
deleting local copy: dn6001jme.dll
deleting local copy: jtl4073qe.dll
deleting local copy: dYdrm.dll
deleting local copy: kt62l7jo1.dll
deleting local copy: jt8m07l1e.dll
deleting local copy: fpn4035qe.dll
deleting local copy: n6n6lg5s16.dll
deleting local copy: d80m0id1e80.dll
deleting local copy: r28s0cl7efq.dll
deleting local copy: j6p0lg7m16.dll
deleting local copy: o8pqli7518.dll
deleting local copy: o8luli3918.dll
deleting local copy: i8420ihoe84c0.dll
deleting local copy: h0n0la5m1d.dll
deleting local copy: i8jq0i15e8.dll
deleting local copy: rVsppp.dll
deleting local copy: i8nmli5118.dll
deleting local copy: s0pula791d.dll
deleting local copy: o4480ehueh480.dll
deleting local copy: s2pulc791f.dll
deleting local copy: pDutoenr.dll
deleting local copy: o684lglq16qe.dll
deleting local copy: j44o0eh3eh4.dll
deleting local copy: o2rolc931f.dll
deleting local copy: XseedCry.dll
deleting local copy: mvp0l97m1.dll
deleting local copy: gplql3351.dll
deleting local copy: j40sled71h0.dll
deleting local copy: f8j20i1oe8.dll
deleting local copy: ir48l5hu1.dll
deleting local copy: jtnu0759e.dll
deleting local copy: fpl0033me.dll
deleting local copy: n22ulcf91f2.dll
deleting local copy: c2000cdmef0a0.dll
deleting local copy: jt8407lqe.dll
deleting local copy: lvn6095se.dll
deleting local copy: irjol5131.dll
deleting local copy: mvjsl9171.dll
deleting local copy: en4ml1h11.dll
deleting local copy: m0rm0a91ed.dll
deleting local copy: l4n4le5q1h.dll
deleting local copy: m282lclo1fqc.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\oiethk32.dll
C:\WINDOWS\system32\okdbse32.dll
C:\WINDOWS\system32\dqskadp.dll
C:\WINDOWS\system32\vpscript.dll
C:\WINDOWS\system32\irjql5151.dll
C:\WINDOWS\system32\KZDAL.DLL
C:\WINDOWS\system32\dnju0119e.dll
C:\WINDOWS\system32\irnul5591.dll
C:\WINDOWS\system32\shnike.dll
C:\WINDOWS\system32\gp02l3do1.dll
C:\WINDOWS\system32\kt0ul7d91.dll
C:\WINDOWS\system32\ktn6l75s1.dll
C:\WINDOWS\system32\mv28l9fu1.dll
C:\WINDOWS\system32\sysvcs.dll
C:\WINDOWS\system32\sgsvcs.dll
C:\WINDOWS\system32\stmedia.dll
C:\WINDOWS\system32\wkpasf.dll
C:\WINDOWS\system32\wkpcore.dll
C:\WINDOWS\system32\dn6001jme.dll
C:\WINDOWS\system32\jtl4073qe.dll
C:\WINDOWS\system32\dYdrm.dll
C:\WINDOWS\system32\kt62l7jo1.dll
C:\WINDOWS\system32\jt8m07l1e.dll
C:\WINDOWS\system32\fpn4035qe.dll
C:\WINDOWS\system32\n6n6lg5s16.dll
C:\WINDOWS\system32\d80m0id1e80.dll
C:\WINDOWS\system32\r28s0cl7efq.dll
C:\WINDOWS\system32\j6p0lg7m16.dll
C:\WINDOWS\system32\o8pqli7518.dll
C:\WINDOWS\system32\o8luli3918.dll
C:\WINDOWS\system32\i8420ihoe84c0.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\i8jq0i15e8.dll
C:\WINDOWS\system32\rVsppp.dll
C:\WINDOWS\system32\i8nmli5118.dll
C:\WINDOWS\system32\s0pula791d.dll
C:\WINDOWS\system32\o4480ehueh480.dll
C:\WINDOWS\system32\s2pulc791f.dll
C:\WINDOWS\system32\pDutoenr.dll
C:\WINDOWS\system32\o684lglq16qe.dll
C:\WINDOWS\system32\j44o0eh3eh4.dll
C:\WINDOWS\system32\o2rolc931f.dll
C:\WINDOWS\system32\XseedCry.dll
C:\WINDOWS\system32\mvp0l97m1.dll
C:\WINDOWS\system32\gplql3351.dll
C:\WINDOWS\system32\j40sled71h0.dll
C:\WINDOWS\system32\f8j20i1oe8.dll
C:\WINDOWS\system32\ir48l5hu1.dll
C:\WINDOWS\system32\jtnu0759e.dll
C:\WINDOWS\system32\fpl0033me.dll
C:\WINDOWS\system32\n22ulcf91f2.dll
C:\WINDOWS\system32\c2000cdmef0a0.dll
C:\WINDOWS\system32\jt8407lqe.dll
C:\WINDOWS\system32\lvn6095se.dll
C:\WINDOWS\system32\irjol5131.dll
C:\WINDOWS\system32\mvjsl9171.dll
C:\WINDOWS\system32\en4ml1h11.dll
C:\WINDOWS\system32\m0rm0a91ed.dll
C:\WINDOWS\system32\l4n4le5q1h.dll
C:\WINDOWS\system32\m282lclo1fqc.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}"=-
"{BBA474FB-C941-4218-91B7-7F634B60DFCE}"=-
"{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}"=-
"{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}]
[-HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}]
[-HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}]
[-HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
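The REGEDIT4 block above is written in the syntax regedit applies when a .reg file is merged: `[-KEY]` deletes a key and everything under it, `"name"=-` deletes a value in the key selected by the preceding `[KEY]` line, and `"name"=""` sets an empty string value. The Python script below is an added example for this thread; it is not the cleanup tool's own code and was not part of the original post. It parses such a listing into the concrete registry actions it implies and then cross-checks that every CLSID removed from the shell-extension Approved list also had its HKEY_CLASSES_ROOT\CLSID key deleted, which is what actually stops the DLL from being loaded as a shell extension. SAMPLE_LISTING is the listing from this post copied verbatim; the regular expressions for key and value lines are this example's own assumptions about the format.

```python
"""Parse a REGEDIT4 deletion listing into the actions it implies.

Added example for this thread: it is not the cleanup tool's own code and
was not part of the original post. SAMPLE_LISTING is the fragment printed
in the post, copied verbatim; the regular expressions are this example's
own assumptions about the .reg syntax.
"""
import re

# [KEY] selects a key; [-KEY] deletes it.
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=-  deletes a value; "name"="..." sets a string value.
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                r"\Shell Extensions\Approved")
CLSID_PREFIX = "HKEY_CLASSES_ROOT\\CLSID\\"

SAMPLE_LISTING = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}"=-
"{BBA474FB-C941-4218-91B7-7F634B60DFCE}"=-
"{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}"=-
"{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D498C9B4-1CF5-49F7-A0C8-BB01C0AB6687}]
[-HKEY_CLASSES_ROOT\CLSID\{BBA474FB-C941-4218-91B7-7F634B60DFCE}]
[-HKEY_CLASSES_ROOT\CLSID\{CF6E1B16-3CC0-4477-AE36-35FC5FDC5363}]
[-HKEY_CLASSES_ROOT\CLSID\{6FFD5CA1-389D-45C1-8D32-79C71BAE6507}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
'''


def parse_reg_actions(text):
    """Return (op, key, name, data) tuples in file order.

    op is "delete_key", "delete_value" or "set_value"; name and data are
    None where the operation does not use them. Lines that are neither key
    nor value syntax (the REGEDIT4 header, blank lines, the tool's
    separator rows) are ignored, which is also how regedit treats them.
    """
    actions = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(("delete_key", key, None, None))
                current_key = None  # nothing can be written into a deleted key
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.groups()
            if data == "-":
                actions.append(("delete_value", current_key, name, None))
            else:
                actions.append(("set_value", current_key, name, data.strip('"')))
    return actions


def fully_unregistered_clsids(actions):
    """CLSIDs both dropped from the Approved list and deleted under HKCR\\CLSID.

    The Approved list is Windows' allow-list of shell extensions Explorer may
    load; the CLSID key maps the GUID to its DLL. Removing only one of the two
    leaves a half-registered object behind, so this reports the GUIDs for
    which the listing removed both.
    """
    unapproved = {name.upper() for op, key, name, _ in actions
                  if op == "delete_value" and key.upper() == APPROVED_KEY.upper()}
    deleted = {key[len(CLSID_PREFIX):].upper() for op, key, _, _ in actions
               if op == "delete_key" and key.upper().startswith(CLSID_PREFIX.upper())}
    return sorted(unapproved & deleted)


if __name__ == "__main__":
    acts = parse_reg_actions(SAMPLE_LISTING)
    for act in acts:
        print(act)
    print("fully unregistered:", fully_unregistered_clsids(acts))
```

Run on the listing above it yields ten actions (four value deletions under Approved, five key deletions, one `SV1=""` write) and reports all four CLSIDs as fully unregistered. The `Post Platform` key is deleted and immediately recreated with an empty `SV1` value, which resets the extra User-Agent tokens Internet Explorer sends.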

#8 mihirkr (Topic Starter, Member, 15 posts)

Logfile of HijackThis v1.99.1
Scan saved at 3:10:58 AM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xa\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://thatstelugu.i...er/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...gent/wtinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
#9 rstones12 (Malware Expert, Retired Staff, 3,731 posts)

mihirkr,

OK, that looks much better.
We need to remove a few more items.
You will need to print this out or save it to Notepad, since you will not be connected to the Internet and we will be in Safe Mode.

Disconnect from the Internet; that means physically remove the cable from your modem or router.

Reboot into Safe Mode. You can do this by tapping the F8 key while your system restarts. It will take a little while longer, so be patient.


Go to Start | Control Panel | Add-Remove Programs
Remove the following if found:

Desktop Search
ISRVS
FFIS


Next:

Scan with HJT and place a checkmark next to the following items:

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...gent/wtinst.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


Now do a search on your system and remove the following folders/files if found.

Start | Search

C:\WINDOWS\isrvs\ <-- Folder

Delete your temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty Your Recycle Bin

Reboot normally and post a new HJT log by using Add Reply.


Thanks,
rstones12

Edited by rstones12, 30 March 2005 - 05:43 PM.

#10 mihirkr (Topic Starter, Member, 15 posts)

Hi. Did everything as per your instructions. I had a problem deleting a file in the temp folder (after typing %temp% in the Run box): there was a file called D5B8D2.temp refusing to close, saying that the application was still running. The rest has gone OK, and the HJT log below is after doing everything else.

Thanks once again.

Cheers-M

Logfile of HijackThis v1.99.1
Scan saved at 12:40:31 PM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xa\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://thatstelugu.i...er/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
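The items rstones12 asked to be removed in #9 are exactly the entries that disappear between the #8 log and the #10 log, and a quick way to confirm a cleanup of this kind is to diff the two logs mechanically rather than by eye. The Python script below is an added example for this thread, not part of HijackThis and not posted by anyone in the thread. It parses the tagged entries of two HJT logs, reports which entries were removed or added, and flags any entry that still references the C:\WINDOWS\isrvs\ folder. BEFORE_LOG and AFTER_LOG are constructed excerpts of the logs posted in #8 and #10 (paths and CLSIDs copied from them); the entry regular expression and the flagged path prefix are this example's own assumptions.

```python
"""Parse and diff two HijackThis (HJT) logs.

Added example for this thread: it is not part of HijackThis and was not
posted by anyone in the thread. BEFORE_LOG and AFTER_LOG are constructed
excerpts of the logs in #8 and #10 (paths and CLSIDs copied from them);
the entry regular expression and the flagged path prefix are assumptions.
"""
import re

# Every HJT finding is "<tag> - <body>", where the tag is R0..R3, F0..F3,
# N1..N4 or O1..O23. Header lines and the process list carry no tag.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# The folder the helper told the poster to delete in #9; anything still
# pointing into it after cleanup deserves a second look. (Assumed prefix.)
BAD_PATH_PREFIXES = ("c:\\windows\\isrvs\\",)

BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:10:58 AM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...gent/wtinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:40:31 PM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


def parse_hjt(text):
    """Return the set of (tag, body) pairs for every tagged entry in a log.

    The "Logfile of ..." header and the "Running processes:" list are
    skipped; only the tagged findings are compared between logs.
    """
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) as sorted lists of (tag, body) pairs."""
    before = parse_hjt(before_text)
    after = parse_hjt(after_text)
    return sorted(before - after), sorted(after - before)


def flag_entries(text, bad_prefixes=BAD_PATH_PREFIXES):
    """Entries whose body references a path under one of bad_prefixes.

    Matching is case-insensitive because Windows paths are, and HJT prints
    them in whichever case the registry holds.
    """
    flagged = []
    for tag, body in sorted(parse_hjt(text)):
        lowered = body.lower()
        if any(prefix in lowered for prefix in bad_prefixes):
            flagged.append((tag, body))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:")
    for tag, body in removed:
        print("  ", tag, "-", body)
    print("added:")
    for tag, body in added:
        print("  ", tag, "-", body)
    print("still referencing a flagged path:", flag_entries(AFTER_LOG))
```

On the excerpts above the diff lists the two isrvs O4 entries, the WildTangent O16 and the isrvs O18 filter as removed, the Acer R1 default page as added (it reappears once "Reset Web Settings" restores the OEM default), and nothing in the after-log still points into the isrvs folder. The same script works on the full logs if you paste them in place of the excerpts.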
#11 rstones12 (Malware Expert, Retired Staff, 3,731 posts)

mihirkr,
Good job, your log looks good. :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera is OK as well.
Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
http://v4.windowsupd.../en/default.asp

Internet Explorer security and critical updates.
http://www.microsoft.../ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Thanks,
rstones12
#12 mihirkr (Topic Starter, Member, 15 posts)

My computer is working so smooth today it is unbelievable! ;)
Thank you for a job well done!!

:tazz:

Cheers
M
#13 rstones12 (Malware Expert, Retired Staff, 3,731 posts)

You are welcome.

rstones12 :tazz: