Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't remove adware


  • This topic is locked This topic is locked

#1
nsbnab

nsbnab

    New Member

  • Member
  • Pip
  • 5 posts
Hello,

Hope someone can help me with this. I have run all the suggested procedures prior to posting on this forum. I can not seem to get rid of this adware, it keeps popping up browsers instances with ads. Following is the HiJackThis log.

Any help would be greatly appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:16 PM, on 4/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
F:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - Global Startup: CookieCop.lnk = F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aad: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\NPSchedule.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarni...om/Jambalib.cab
O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\en06l1ds1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi pgb and welcome to the Geeks to Go Forums.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

My name is Trevuren and I will be helping you with your log.

Your system has a Look2Me infection in addition to other malware. We will go after the bigie first.:
------------------------------------
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Regards,

Trevuren

  • 0

#3
nsbnab

nsbnab

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello Trevuren,

Thanks for the help. Here is my log from l2mfix.

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dnn0015me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F83F8025-4C56-A5B2-54FE-32C6BE9AE0F7}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}"="Name Space Control Band"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"
"{49707377-6974-6368-2E4A-756E6F644A01}"="WS_FTP Pro Explorer"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{aec64940-59e9-11cf-b3ef-00805f1408f3}"="Asset Storage CopyHook Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{4f22bf60-da86-11cf-a530-08003601e232}"="GLZDPP CPL Extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}"=""
"{5E6977B6-37DE-4BA8-875F-A4D4F0B4B8CD}"=""
"{A1ED1719-C395-493A-9988-CF5E49A4950C}"=""
"{B7A24E9E-F6C0-44E2-BB3D-6BD3A5A96EDF}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{02B13230-010E-418E-A027-BD8C28CAB5B7}"=""
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}\InprocServer32]
@="C:\\WINNT\\system32\\rxcrt4.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1ED1719-C395-493A-9988-CF5E49A4950C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1ED1719-C395-493A-9988-CF5E49A4950C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1ED1719-C395-493A-9988-CF5E49A4950C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1ED1719-C395-493A-9988-CF5E49A4950C}\InprocServer32]
@="C:\\WINNT\\system32\\vgajet32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{02B13230-010E-418E-A027-BD8C28CAB5B7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02B13230-010E-418E-A027-BD8C28CAB5B7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02B13230-010E-418E-A027-BD8C28CAB5B7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02B13230-010E-418E-A027-BD8C28CAB5B7}\InprocServer32]
@="C:\\WINNT\\system32\\iuakeng.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
adycfilt.dll Thu Mar 24 2005 10:53:10p ..S.R 228,771 223.41 K
agctres.dll Sun Feb 27 2005 10:54:10p ..S.R 230,156 224.76 K
astiveds.dll Sun Mar 20 2005 2:10:58a ..S.R 231,262 225.84 K
aztiveds.dll Sun Mar 20 2005 9:04:38a ..S.R 229,068 223.70 K
bs.dll Sun Feb 27 2005 2:17:40p A.... 90,112 88.00 K
bss.dll Sun Feb 27 2005 2:17:40p A.... 3,584 3.50 K
c200lc~1.dll Sun Mar 27 2005 10:35:54p ..S.R 233,520 228.05 K
cenfmsp.dll Sun Mar 27 2005 12:57:54p ..S.R 229,147 223.77 K
cfyptui.dll Fri Mar 18 2005 4:59:34p ..S.R 228,952 223.59 K
chmsvcs.dll Thu Mar 3 2005 12:09:06a ..S.R 229,171 223.80 K
clbview.dll Sun Mar 20 2005 9:46:02p ..S.R 230,038 224.64 K
cssstgu.dll Thu Mar 3 2005 1:14:10p ..S.R 229,157 223.79 K
davoice.dll Mon Mar 7 2005 5:22:44p ..S.R 231,318 225.89 K
dmnput8.dll Sat Apr 2 2005 2:51:58p ..S.R 233,574 228.10 K
dn6u01~1.dll Sat Apr 2 2005 6:21:52p ..S.R 234,535 229.04 K
dn7vb.dll Wed Mar 2 2005 7:33:36p ..S.R 229,738 224.35 K
dnn001~1.dll Sat Apr 2 2005 8:54:26p ..S.R 235,175 229.66 K
dnp201~1.dll Fri Mar 25 2005 12:38:04a ..S.R 230,242 224.84 K
dnspex.dll Thu Mar 3 2005 1:40:28p ..S.R 229,157 223.79 K
docore.dll Sun Feb 27 2005 8:43:20p A.... 151,552 148.00 K
dosync.dll Sun Feb 27 2005 8:43:14p A.... 114,688 112.00 K
drnet.dll Sun Feb 27 2005 5:07:54p ..S.R 230,142 224.75 K
en6ml1~1.dll Sat Mar 19 2005 10:59:40p ..S.R 231,592 226.16 K
frsrch.dll Thu Mar 3 2005 1:21:42p ..S.R 230,614 225.21 K
fzxt30.dll Sat Apr 2 2005 1:22:46a ..S.R 233,014 227.55 K
gpjsl3~1.dll Sat Apr 2 2005 8:59:18p ..S.R 233,247 227.78 K
hr6205~1.dll Sat Apr 2 2005 2:13:00p ..S.R 233,014 227.55 K
hrls05~1.dll Tue Mar 1 2005 10:27:06p ..S.R 230,473 225.07 K
i0420a~1.dll Sun Mar 27 2005 12:28:52p ..S.R 229,147 223.77 K
ieetres.dll Wed Mar 2 2005 9:22:22p ..S.R 229,738 224.35 K
ihetwh32.dll Tue Mar 1 2005 9:54:10p ..S.R 230,751 225.34 K
ijetwh32.dll Wed Mar 2 2005 9:47:56p ..S.R 229,738 224.35 K
ispromon.dll Sun Mar 20 2005 9:59:14a ..S.R 231,904 226.47 K
iuakeng.dll Sat Apr 2 2005 9:53:32p ..... 235,175 229.66 K
izrt3225.dll Wed Mar 2 2005 9:54:36p ..S.R 230,105 224.71 K
jhaw400.dll Tue Mar 1 2005 10:45:22p ..S.R 230,347 224.95 K
k8440i~1.dll Fri Mar 18 2005 4:59:32p ..S.R 229,400 224.02 K
kudes.dll Wed Mar 2 2005 11:06:50p ..S.R 229,171 223.80 K
mdjdbc10.dll Tue Mar 1 2005 7:21:36p ..S.R 229,738 224.35 K
mdjter35.dll Sun Feb 27 2005 5:48:34p ..S.R 230,142 224.75 K
meihnd.dll Thu Mar 3 2005 12:51:02p ..S.R 229,157 223.79 K
mjmg14n.dll Wed Mar 2 2005 11:46:32p ..S.R 229,014 223.64 K
mmihnd.dll Thu Mar 3 2005 1:03:26p ..S.R 229,865 224.48 K
mmimsg.dll Sun Feb 27 2005 6:39:18p ..S.R 231,420 225.99 K
mnpi32.dll Sun Feb 27 2005 7:00:16p ..S.R 232,143 226.70 K
mqimrt.dll Wed Mar 2 2005 10:08:44p ..S.R 229,014 223.64 K
mscsubs.dll Sun Mar 20 2005 9:55:02p ..S.R 231,306 225.88 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
mspi.dll Thu Mar 3 2005 12:44:00p ..S.R 230,622 225.21 K
mv48l9~1.dll Sun Mar 27 2005 11:00:50p ..S.R 234,863 229.36 K
mvp6l9~1.dll Sun Mar 27 2005 12:57:46p ..S.R 230,826 225.41 K
mwxml.dll Wed Mar 2 2005 10:02:44p ..S.R 230,763 225.35 K
mximsg.dll Tue Mar 1 2005 10:27:08p ..S.R 229,738 224.35 K
myprivs.dll Fri Mar 25 2005 5:08:40p ..S.R 228,771 223.41 K
ndhtml.dll Sat Mar 19 2005 11:30:32p ..S.R 232,255 226.81 K
nith.dll Sat Mar 19 2005 11:23:52p ..S.R 231,262 225.84 K
nutui2.dll Sat Mar 19 2005 8:55:36p ..S.R 230,431 225.03 K
oge2nls.dll Fri Mar 25 2005 12:26:00a ..S.R 230,242 224.84 K
ojedlg.dll Sat Mar 19 2005 11:17:46p ..S.R 230,431 225.03 K
ole32.dll Thu Jan 13 2005 5:27:10p A.... 957,200 934.77 K
olecli32.dll Thu Jan 13 2005 5:27:10p A.... 69,392 67.77 K
olecnv32.dll Thu Jan 13 2005 5:27:10p A.... 36,624 35.77 K
ovtlwab.dll Sun Feb 27 2005 10:33:12p ..S.R 230,036 224.64 K
pmrfos.dll Sat Apr 2 2005 2:08:58p ..S.R 233,014 227.55 K
q8rqli~1.dll Sun Mar 27 2005 5:23:00p ..S.R 233,023 227.56 K
qksname.dll Tue Mar 1 2005 9:12:36p ..S.R 231,557 226.13 K
resapi32.dll Sun Feb 27 2005 11:05:08p ..S.R 228,845 223.48 K
rpcss.dll Thu Jan 13 2005 5:27:10p A.... 212,240 207.27 K
rvsauth.dll Sun Mar 6 2005 9:48:56a ..S.R 231,026 225.61 K
rxcrt4.dll Sun Feb 27 2005 7:40:42p A.... 228,845 223.48 K
scmpapi.dll Sun Mar 20 2005 9:05:06p ..S.R 229,085 223.71 K
shnscfg.dll Fri Mar 25 2005 4:08:58p ..S.R 228,771 223.41 K
slnscfg.dll Sat Mar 19 2005 11:44:56p ..S.R 231,262 225.84 K
socurity.dll Sun Mar 27 2005 11:00:52p ..S.R 233,014 227.55 K
sp3res.dll Wed Jan 5 2005 8:29:18p ..... 6,278,656 5.98 M
sx3res.dll Tue Mar 1 2005 9:19:38p ..S.R 229,738 224.35 K
sxcsspi.dll Sat Apr 2 2005 11:22:26a ..S.R 233,574 228.10 K
uder32.dll Sun Feb 27 2005 10:47:08p ..S.R 228,845 223.48 K
vgajet32.dll Wed Mar 2 2005 7:44:24p A.... 231,482 226.05 K
vqpodbc.dll Sat Mar 19 2005 10:59:40p ..S.R 230,431 225.03 K
vut3216.dll Sat Mar 19 2005 9:41:54p ..S.R 232,248 226.80 K
wbaudsdk.dll Fri Mar 18 2005 7:07:20p ..S.R 228,952 223.59 K
wbock32.dll Fri Mar 25 2005 12:41:22a ..S.R 228,771 223.41 K
wfg0411.dll Fri Mar 25 2005 3:56:30p ..S.R 228,771 223.41 K
wqbvw.dll Wed Mar 2 2005 9:33:00p ..S.R 230,030 224.64 K
wsdap32.dll Tue Mar 1 2005 10:36:32p ..S.R 229,738 224.35 K

86 items found: 86 files (73 H/S), 0 directories.
Total of file sizes: 28,253,934 bytes 26.94 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Sat Apr 2 2005 9:54:34p ..S.R 235,175 229.66 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 235,175 bytes 229.66 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Local Disk
Volume Serial Number is 0CA3-6B81

Directory of C:\WINNT\System32

04/02/2005 09:54p 235,175 guard.tmp
04/02/2005 08:59p 233,247 gpjsl3171.dll
04/02/2005 08:54p 235,175 dnn0015me.dll
04/02/2005 06:21p 234,535 dn6u01j9e.dll
04/02/2005 02:51p 233,574 dmnput8.dll
04/02/2005 02:12p 233,014 hr6205joe.dll
04/02/2005 02:08p 233,014 pmrfos.dll
04/02/2005 11:22a 233,574 sxcsspi.dll
04/02/2005 01:22a 233,014 fZxt30.dll
03/27/2005 11:00p 233,014 socurity.dll
03/27/2005 11:00p 234,863 mv48l9hu1.dll
03/27/2005 10:41p <DIR> dllcache
03/27/2005 10:35p 233,520 c200lcdm1f0a.dll
03/27/2005 05:22p 233,023 q8rqli9518.dll
03/27/2005 12:57p 229,147 cenfmsp.dll
03/27/2005 12:57p 230,826 mvp6l97s1.dll
03/27/2005 12:28p 229,147 i0420ahoed4c0.dll
03/25/2005 05:08p 228,771 MYPRIVS.DLL
03/25/2005 04:08p 228,771 shnscfg.dll
03/25/2005 03:56p 228,771 wfg0411.dll
03/25/2005 12:41a 228,771 wbock32.dll
03/25/2005 12:38a 230,242 dnp2017oe.dll
03/25/2005 12:25a 230,242 oge2nls.dll
03/24/2005 10:53p 228,771 ADYCFILT.DLL
03/20/2005 09:55p 231,306 mscsubs.dll
03/20/2005 09:46p 230,038 cLbview.dll
03/20/2005 09:05p 229,085 SCMPAPI.DLL
03/20/2005 09:59a 231,904 ispromon.dll
03/20/2005 09:04a 229,068 aztiveds.dll
03/20/2005 02:10a 231,262 astiveds.dll
03/19/2005 11:44p 231,262 slnscfg.dll
03/19/2005 11:30p 232,255 ndhtml.dll
03/19/2005 11:23p 231,262 nith.dll
03/19/2005 11:17p 230,431 ojedlg.dll
03/19/2005 10:59p 230,431 vqpodbc.dll
03/19/2005 10:59p 231,592 en6ml1j11.dll
03/19/2005 09:41p 232,248 vut3216.dll
03/19/2005 08:55p 230,431 nutui2.dll
03/18/2005 07:07p 228,952 wbaudsdk.dll
03/18/2005 04:59p 228,952 CFYPTUI.DLL
03/18/2005 04:59p 229,400 k8440ihqe84e0.dll
03/07/2005 05:22p 231,318 davoice.dll
03/06/2005 09:48a 231,026 rVsauth.dll
03/03/2005 01:40p 229,157 dnspex.dll
03/03/2005 01:21p 230,614 frsrch.dll
03/03/2005 01:14p 229,157 CSSSTGU.DLL
03/03/2005 01:03p 229,865 mmihnd.dll
03/03/2005 12:51p 229,157 meihnd.dll
03/03/2005 12:43p 230,622 MSPI.DLL
03/03/2005 12:09a 229,171 chmsvcs.dll
03/02/2005 11:46p 229,014 MJMG14N.DLL
03/02/2005 11:06p 229,171 kudes.dll
03/02/2005 10:08p 229,014 MQIMRT.DLL
03/02/2005 10:02p 230,763 mwxml.dll
03/02/2005 09:54p 230,105 IZRT3225.dll
03/02/2005 09:47p 229,738 IJETWH32.dll
03/02/2005 09:32p 230,030 wqbvw.dll
03/02/2005 09:22p 229,738 ieetres.dll
03/02/2005 07:33p 229,738 dn7vb.dll
03/01/2005 10:45p 230,347 jhaw400.dll
03/01/2005 10:36p 229,738 WSDAP32.DLL
03/01/2005 10:27p 229,738 mximsg.dll
03/01/2005 10:27p 230,473 hrls0537e.dll
03/01/2005 09:54p 230,751 IHETWH32.dll
03/01/2005 09:19p 229,738 sx3res.dll
03/01/2005 09:12p 231,557 qksname.dll
03/01/2005 07:21p 229,738 mdjdbc10.dll
02/27/2005 11:05p 228,845 RESAPI32.DLL
02/27/2005 10:54p 230,156 agctres.dll
02/27/2005 10:47p 228,845 UDER32.DLL
02/27/2005 10:33p 230,036 OVTLWAB.DLL
02/27/2005 07:00p 232,143 MNPI32.DLL
02/27/2005 06:39p 231,420 mmimsg.dll
02/27/2005 05:48p 230,142 MDJTER35.DLL
02/27/2005 05:07p 230,142 drnet.dll
09/30/1999 07:21p 166,672 mstext35.dll
09/28/1999 09:42p 1,050,896 msjet35.dll
09/09/1999 10:06p 252,688 msexcl35.dll
09/09/1999 10:06p 168,720 msltus35.dll
08/25/1999 02:57p 415,504 msrepl35.dll
06/07/1999 06:59p 250,128 mspdox35.dll
80 File(s) 19,377,895 bytes
1 Dir(s) 139,262,976 bytes free
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi nsbnab,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren

  • 0

#5
nsbnab

nsbnab

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello Trevuren,

I ran option 2 from l2mfix and here is the log and the latest HJT log.

C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 928 'explorer.exe'
Killing PID 928 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\ADYCFILT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\agctres.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\astiveds.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aztiveds.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\c200lcdm1f0a.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\cenfmsp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\CFYPTUI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\chmsvcs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\cLbview.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\CSSSTGU.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\davoice.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dmnput8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dn6u01j9e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dn7vb.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dnp2017oe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dnspex.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\drnet.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\en6ml1j11.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\frsrch.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fZxt30.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hr6205joe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hrls0537e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i0420ahoed4c0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ieetres.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\IHETWH32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\IJETWH32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ispromon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\IZRT3225.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\j0p0la7m1d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jhaw400.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\k8440ihqe84e0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kudes.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mdjdbc10.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MDJTER35.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\meihnd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MJMG14N.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mmihnd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mmimsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MNPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MQIMRT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mscsubs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MSPI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mv48l9hu1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvp6l97s1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mwxml.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mximsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MYPRIVS.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\ndhtml.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\nith.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\nutui2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\oge2nls.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ojedlg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\OVTLWAB.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\pmrfos.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\q8rqli9518.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\qksname.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\RESAPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\rVsauth.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rxcrt4.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\SCMPAPI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\shnscfg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\slnscfg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\socurity.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sx3res.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sxcsspi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\UDER32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\vgajet32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\vqpodbc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\vut3216.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wbaudsdk.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wbock32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wfg0411.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wqbvw.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\WSDAP32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\ADYCFILT.DLL
Successfully Deleted: C:\WINNT\system32\ADYCFILT.DLL
deleting: C:\WINNT\system32\agctres.dll
Successfully Deleted: C:\WINNT\system32\agctres.dll
deleting: C:\WINNT\system32\astiveds.dll
Successfully Deleted: C:\WINNT\system32\astiveds.dll
deleting: C:\WINNT\system32\aztiveds.dll
Successfully Deleted: C:\WINNT\system32\aztiveds.dll
deleting: C:\WINNT\system32\c200lcdm1f0a.dll
Successfully Deleted: C:\WINNT\system32\c200lcdm1f0a.dll
deleting: C:\WINNT\system32\cenfmsp.dll
Successfully Deleted: C:\WINNT\system32\cenfmsp.dll
deleting: C:\WINNT\system32\CFYPTUI.DLL
Successfully Deleted: C:\WINNT\system32\CFYPTUI.DLL
deleting: C:\WINNT\system32\chmsvcs.dll
Successfully Deleted: C:\WINNT\system32\chmsvcs.dll
deleting: C:\WINNT\system32\cLbview.dll
Successfully Deleted: C:\WINNT\system32\cLbview.dll
deleting: C:\WINNT\system32\CSSSTGU.DLL
Successfully Deleted: C:\WINNT\system32\CSSSTGU.DLL
deleting: C:\WINNT\system32\davoice.dll
Successfully Deleted: C:\WINNT\system32\davoice.dll
deleting: C:\WINNT\system32\dmnput8.dll
Successfully Deleted: C:\WINNT\system32\dmnput8.dll
deleting: C:\WINNT\system32\dn6u01j9e.dll
Successfully Deleted: C:\WINNT\system32\dn6u01j9e.dll
deleting: C:\WINNT\system32\dn7vb.dll
Successfully Deleted: C:\WINNT\system32\dn7vb.dll
deleting: C:\WINNT\system32\dnp2017oe.dll
Successfully Deleted: C:\WINNT\system32\dnp2017oe.dll
deleting: C:\WINNT\system32\dnspex.dll
Successfully Deleted: C:\WINNT\system32\dnspex.dll
deleting: C:\WINNT\system32\drnet.dll
Successfully Deleted: C:\WINNT\system32\drnet.dll
deleting: C:\WINNT\system32\en6ml1j11.dll
Successfully Deleted: C:\WINNT\system32\en6ml1j11.dll
deleting: C:\WINNT\system32\frsrch.dll
Successfully Deleted: C:\WINNT\system32\frsrch.dll
deleting: C:\WINNT\system32\fZxt30.dll
Successfully Deleted: C:\WINNT\system32\fZxt30.dll
deleting: C:\WINNT\system32\hr6205joe.dll
Successfully Deleted: C:\WINNT\system32\hr6205joe.dll
deleting: C:\WINNT\system32\hrls0537e.dll
Successfully Deleted: C:\WINNT\system32\hrls0537e.dll
deleting: C:\WINNT\system32\i0420ahoed4c0.dll
Successfully Deleted: C:\WINNT\system32\i0420ahoed4c0.dll
deleting: C:\WINNT\system32\ieetres.dll
Successfully Deleted: C:\WINNT\system32\ieetres.dll
deleting: C:\WINNT\system32\IHETWH32.dll
Successfully Deleted: C:\WINNT\system32\IHETWH32.dll
deleting: C:\WINNT\system32\IJETWH32.dll
Successfully Deleted: C:\WINNT\system32\IJETWH32.dll
deleting: C:\WINNT\system32\ispromon.dll
Successfully Deleted: C:\WINNT\system32\ispromon.dll
deleting: C:\WINNT\system32\IZRT3225.dll
Successfully Deleted: C:\WINNT\system32\IZRT3225.dll
deleting: C:\WINNT\system32\j0p0la7m1d.dll
Successfully Deleted: C:\WINNT\system32\j0p0la7m1d.dll
deleting: C:\WINNT\system32\jhaw400.dll
Successfully Deleted: C:\WINNT\system32\jhaw400.dll
deleting: C:\WINNT\system32\k8440ihqe84e0.dll
Successfully Deleted: C:\WINNT\system32\k8440ihqe84e0.dll
deleting: C:\WINNT\system32\kudes.dll
Successfully Deleted: C:\WINNT\system32\kudes.dll
deleting: C:\WINNT\system32\mdjdbc10.dll
Successfully Deleted: C:\WINNT\system32\mdjdbc10.dll
deleting: C:\WINNT\system32\MDJTER35.DLL
Successfully Deleted: C:\WINNT\system32\MDJTER35.DLL
deleting: C:\WINNT\system32\meihnd.dll
Successfully Deleted: C:\WINNT\system32\meihnd.dll
deleting: C:\WINNT\system32\MJMG14N.DLL
Successfully Deleted: C:\WINNT\system32\MJMG14N.DLL
deleting: C:\WINNT\system32\mmihnd.dll
Successfully Deleted: C:\WINNT\system32\mmihnd.dll
deleting: C:\WINNT\system32\mmimsg.dll
Successfully Deleted: C:\WINNT\system32\mmimsg.dll
deleting: C:\WINNT\system32\MNPI32.DLL
Successfully Deleted: C:\WINNT\system32\MNPI32.DLL
deleting: C:\WINNT\system32\MQIMRT.DLL
Successfully Deleted: C:\WINNT\system32\MQIMRT.DLL
deleting: C:\WINNT\system32\mscsubs.dll
Successfully Deleted: C:\WINNT\system32\mscsubs.dll
deleting: C:\WINNT\system32\MSPI.DLL
Successfully Deleted: C:\WINNT\system32\MSPI.DLL
deleting: C:\WINNT\system32\mv48l9hu1.dll
Successfully Deleted: C:\WINNT\system32\mv48l9hu1.dll
deleting: C:\WINNT\system32\mvp6l97s1.dll
Successfully Deleted: C:\WINNT\system32\mvp6l97s1.dll
deleting: C:\WINNT\system32\mwxml.dll
Successfully Deleted: C:\WINNT\system32\mwxml.dll
deleting: C:\WINNT\system32\mximsg.dll
Successfully Deleted: C:\WINNT\system32\mximsg.dll
deleting: C:\WINNT\system32\MYPRIVS.DLL
Successfully Deleted: C:\WINNT\system32\MYPRIVS.DLL
deleting: C:\WINNT\system32\ndhtml.dll
Successfully Deleted: C:\WINNT\system32\ndhtml.dll
deleting: C:\WINNT\system32\nith.dll
Successfully Deleted: C:\WINNT\system32\nith.dll
deleting: C:\WINNT\system32\nutui2.dll
Successfully Deleted: C:\WINNT\system32\nutui2.dll
deleting: C:\WINNT\system32\oge2nls.dll
Successfully Deleted: C:\WINNT\system32\oge2nls.dll
deleting: C:\WINNT\system32\ojedlg.dll
Successfully Deleted: C:\WINNT\system32\ojedlg.dll
deleting: C:\WINNT\system32\OVTLWAB.DLL
Successfully Deleted: C:\WINNT\system32\OVTLWAB.DLL
deleting: C:\WINNT\system32\pmrfos.dll
Successfully Deleted: C:\WINNT\system32\pmrfos.dll
deleting: C:\WINNT\system32\q8rqli9518.dll
Successfully Deleted: C:\WINNT\system32\q8rqli9518.dll
deleting: C:\WINNT\system32\qksname.dll
Successfully Deleted: C:\WINNT\system32\qksname.dll
deleting: C:\WINNT\system32\RESAPI32.DLL
Successfully Deleted: C:\WINNT\system32\RESAPI32.DLL
deleting: C:\WINNT\system32\rVsauth.dll
Successfully Deleted: C:\WINNT\system32\rVsauth.dll
deleting: C:\WINNT\system32\rxcrt4.dll
Successfully Deleted: C:\WINNT\system32\rxcrt4.dll
deleting: C:\WINNT\system32\SCMPAPI.DLL
Successfully Deleted: C:\WINNT\system32\SCMPAPI.DLL
deleting: C:\WINNT\system32\shnscfg.dll
Successfully Deleted: C:\WINNT\system32\shnscfg.dll
deleting: C:\WINNT\system32\slnscfg.dll
Successfully Deleted: C:\WINNT\system32\slnscfg.dll
deleting: C:\WINNT\system32\socurity.dll
Successfully Deleted: C:\WINNT\system32\socurity.dll
deleting: C:\WINNT\system32\sx3res.dll
Successfully Deleted: C:\WINNT\system32\sx3res.dll
deleting: C:\WINNT\system32\sxcsspi.dll
Successfully Deleted: C:\WINNT\system32\sxcsspi.dll
deleting: C:\WINNT\system32\UDER32.DLL
Successfully Deleted: C:\WINNT\system32\UDER32.DLL
deleting: C:\WINNT\system32\vgajet32.dll
Successfully Deleted: C:\WINNT\system32\vgajet32.dll
deleting: C:\WINNT\system32\vqpodbc.dll
Successfully Deleted: C:\WINNT\system32\vqpodbc.dll
deleting: C:\WINNT\system32\vut3216.dll
Successfully Deleted: C:\WINNT\system32\vut3216.dll
deleting: C:\WINNT\system32\wbaudsdk.dll
Successfully Deleted: C:\WINNT\system32\wbaudsdk.dll
deleting: C:\WINNT\system32\wbock32.dll
Successfully Deleted: C:\WINNT\system32\wbock32.dll
deleting: C:\WINNT\system32\wfg0411.dll
Successfully Deleted: C:\WINNT\system32\wfg0411.dll
deleting: C:\WINNT\system32\wqbvw.dll
Successfully Deleted: C:\WINNT\system32\wqbvw.dll
deleting: C:\WINNT\system32\WSDAP32.DLL
Successfully Deleted: C:\WINNT\system32\WSDAP32.DLL
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: ADYCFILT.DLL (92 bytes security) (deflated 4%)
adding: agctres.dll (92 bytes security) (deflated 5%)
adding: astiveds.dll (92 bytes security) (deflated 5%)
adding: aztiveds.dll (92 bytes security) (deflated 5%)
adding: c200lcdm1f0a.dll (92 bytes security) (deflated 4%)
adding: cenfmsp.dll (92 bytes security) (deflated 5%)
adding: CFYPTUI.DLL (92 bytes security) (deflated 4%)
adding: chmsvcs.dll (92 bytes security) (deflated 5%)
adding: cLbview.dll (92 bytes security) (deflated 5%)
adding: CSSSTGU.DLL (92 bytes security) (deflated 5%)
adding: davoice.dll (92 bytes security) (deflated 5%)
adding: dmnput8.dll (92 bytes security) (deflated 5%)
adding: dn6u01j9e.dll (92 bytes security) (deflated 5%)
adding: dn7vb.dll (92 bytes security) (deflated 5%)
adding: dnp2017oe.dll (92 bytes security) (deflated 5%)
adding: dnspex.dll (92 bytes security) (deflated 5%)
adding: drnet.dll (92 bytes security) (deflated 5%)
adding: en6ml1j11.dll (92 bytes security) (deflated 6%)
adding: frsrch.dll (92 bytes security) (deflated 5%)
adding: fZxt30.dll (92 bytes security) (deflated 4%)
adding: hr6205joe.dll (92 bytes security) (deflated 4%)
adding: hrls0537e.dll (92 bytes security) (deflated 5%)
adding: i0420ahoed4c0.dll (92 bytes security) (deflated 5%)
adding: ieetres.dll (92 bytes security) (deflated 5%)
adding: IHETWH32.dll (92 bytes security) (deflated 5%)
adding: IJETWH32.dll (92 bytes security) (deflated 5%)
adding: ispromon.dll (92 bytes security) (deflated 6%)
adding: IZRT3225.dll (92 bytes security) (deflated 5%)
adding: j0p0la7m1d.dll (92 bytes security) (deflated 5%)
adding: jhaw400.dll (92 bytes security) (deflated 5%)
adding: k8440ihqe84e0.dll (92 bytes security) (deflated 5%)
adding: kudes.dll (92 bytes security) (deflated 5%)
adding: mdjdbc10.dll (92 bytes security) (deflated 5%)
adding: MDJTER35.DLL (92 bytes security) (deflated 5%)
adding: meihnd.dll (92 bytes security) (deflated 5%)
adding: MJMG14N.DLL (92 bytes security) (deflated 4%)
adding: mmihnd.dll (92 bytes security) (deflated 5%)
adding: mmimsg.dll (92 bytes security) (deflated 5%)
adding: MNPI32.DLL (92 bytes security) (deflated 6%)
adding: MQIMRT.DLL (92 bytes security) (deflated 4%)
adding: mscsubs.dll (92 bytes security) (deflated 5%)
adding: MSPI.DLL (92 bytes security) (deflated 5%)
adding: mv48l9hu1.dll (92 bytes security) (deflated 5%)
adding: mvp6l97s1.dll (92 bytes security) (deflated 5%)
adding: mwxml.dll (92 bytes security) (deflated 5%)
adding: mximsg.dll (92 bytes security) (deflated 5%)
adding: MYPRIVS.DLL (92 bytes security) (deflated 4%)
adding: ndhtml.dll (92 bytes security) (deflated 6%)
adding: nith.dll (92 bytes security) (deflated 5%)
adding: nutui2.dll (92 bytes security) (deflated 5%)
adding: oge2nls.dll (92 bytes security) (deflated 5%)
adding: ojedlg.dll (92 bytes security) (deflated 5%)
adding: OVTLWAB.DLL (92 bytes security) (deflated 5%)
adding: pmrfos.dll (92 bytes security) (deflated 4%)
adding: q8rqli9518.dll (92 bytes security) (deflated 4%)
adding: qksname.dll (92 bytes security) (deflated 6%)
adding: RESAPI32.DLL (92 bytes security) (deflated 4%)
adding: rVsauth.dll (92 bytes security) (deflated 5%)
adding: rxcrt4.dll (92 bytes security) (deflated 4%)
adding: SCMPAPI.DLL (92 bytes security) (deflated 5%)
adding: shnscfg.dll (92 bytes security) (deflated 4%)
adding: slnscfg.dll (92 bytes security) (deflated 5%)
adding: socurity.dll (92 bytes security) (deflated 4%)
adding: sx3res.dll (92 bytes security) (deflated 5%)
adding: sxcsspi.dll (92 bytes security) (deflated 5%)
adding: UDER32.DLL (92 bytes security) (deflated 4%)
adding: vgajet32.dll (92 bytes security) (deflated 6%)
adding: vqpodbc.dll (92 bytes security) (deflated 5%)
adding: vut3216.dll (92 bytes security) (deflated 6%)
adding: wbaudsdk.dll (92 bytes security) (deflated 4%)
adding: wbock32.dll (92 bytes security) (deflated 4%)
adding: wfg0411.dll (92 bytes security) (deflated 4%)
adding: wqbvw.dll (92 bytes security) (deflated 5%)
adding: WSDAP32.DLL (92 bytes security) (deflated 5%)
adding: guard.tmp (92 bytes security) (deflated 4%)
adding: clear.reg (92 bytes security) (deflated 55%)
adding: desktop.ini (92 bytes security) (deflated 13%)
adding: lo2.txt (92 bytes security) (deflated 89%)
adding: test.txt (92 bytes security) (deflated 83%)
adding: test2.txt (92 bytes security) (deflated 37%)
adding: test3.txt (92 bytes security) (deflated 37%)
adding: test5.txt (92 bytes security) (deflated 37%)
adding: xfind.txt (92 bytes security) (deflated 78%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ADYCFILT.DLL
deleting local copy: agctres.dll
deleting local copy: astiveds.dll
deleting local copy: aztiveds.dll
deleting local copy: c200lcdm1f0a.dll
deleting local copy: cenfmsp.dll
deleting local copy: CFYPTUI.DLL
deleting local copy: chmsvcs.dll
deleting local copy: cLbview.dll
deleting local copy: CSSSTGU.DLL
deleting local copy: davoice.dll
deleting local copy: dmnput8.dll
deleting local copy: dn6u01j9e.dll
deleting local copy: dn7vb.dll
deleting local copy: dnp2017oe.dll
deleting local copy: dnspex.dll
deleting local copy: drnet.dll
deleting local copy: en6ml1j11.dll
deleting local copy: frsrch.dll
deleting local copy: fZxt30.dll
deleting local copy: hr6205joe.dll
deleting local copy: hrls0537e.dll
deleting local copy: i0420ahoed4c0.dll
deleting local copy: ieetres.dll
deleting local copy: IHETWH32.dll
deleting local copy: IJETWH32.dll
deleting local copy: ispromon.dll
deleting local copy: IZRT3225.dll
deleting local copy: j0p0la7m1d.dll
deleting local copy: jhaw400.dll
deleting local copy: k8440ihqe84e0.dll
deleting local copy: kudes.dll
deleting local copy: mdjdbc10.dll
deleting local copy: MDJTER35.DLL
deleting local copy: meihnd.dll
deleting local copy: MJMG14N.DLL
deleting local copy: mmihnd.dll
deleting local copy: mmimsg.dll
deleting local copy: MNPI32.DLL
deleting local copy: MQIMRT.DLL
deleting local copy: mscsubs.dll
deleting local copy: MSPI.DLL
deleting local copy: mv48l9hu1.dll
deleting local copy: mvp6l97s1.dll
deleting local copy: mwxml.dll
deleting local copy: mximsg.dll
deleting local copy: MYPRIVS.DLL
deleting local copy: ndhtml.dll
deleting local copy: nith.dll
deleting local copy: nutui2.dll
deleting local copy: oge2nls.dll
deleting local copy: ojedlg.dll
deleting local copy: OVTLWAB.DLL
deleting local copy: pmrfos.dll
deleting local copy: q8rqli9518.dll
deleting local copy: qksname.dll
deleting local copy: RESAPI32.DLL
deleting local copy: rVsauth.dll
deleting local copy: rxcrt4.dll
deleting local copy: SCMPAPI.DLL
deleting local copy: shnscfg.dll
deleting local copy: slnscfg.dll
deleting local copy: socurity.dll
deleting local copy: sx3res.dll
deleting local copy: sxcsspi.dll
deleting local copy: UDER32.DLL
deleting local copy: vgajet32.dll
deleting local copy: vqpodbc.dll
deleting local copy: vut3216.dll
deleting local copy: wbaudsdk.dll
deleting local copy: wbock32.dll
deleting local copy: wfg0411.dll
deleting local copy: wqbvw.dll
deleting local copy: WSDAP32.DLL
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\ADYCFILT.DLL
C:\WINNT\system32\agctres.dll
C:\WINNT\system32\astiveds.dll
C:\WINNT\system32\aztiveds.dll
C:\WINNT\system32\c200lcdm1f0a.dll
C:\WINNT\system32\cenfmsp.dll
C:\WINNT\system32\CFYPTUI.DLL
C:\WINNT\system32\chmsvcs.dll
C:\WINNT\system32\cLbview.dll
C:\WINNT\system32\CSSSTGU.DLL
C:\WINNT\system32\davoice.dll
C:\WINNT\system32\dmnput8.dll
C:\WINNT\system32\dn6u01j9e.dll
C:\WINNT\system32\dn7vb.dll
C:\WINNT\system32\dnp2017oe.dll
C:\WINNT\system32\dnspex.dll
C:\WINNT\system32\drnet.dll
C:\WINNT\system32\en6ml1j11.dll
C:\WINNT\system32\frsrch.dll
C:\WINNT\system32\fZxt30.dll
C:\WINNT\system32\hr6205joe.dll
C:\WINNT\system32\hrls0537e.dll
C:\WINNT\system32\i0420ahoed4c0.dll
C:\WINNT\system32\ieetres.dll
C:\WINNT\system32\IHETWH32.dll
C:\WINNT\system32\IJETWH32.dll
C:\WINNT\system32\ispromon.dll
C:\WINNT\system32\IZRT3225.dll
C:\WINNT\system32\j0p0la7m1d.dll
C:\WINNT\system32\jhaw400.dll
C:\WINNT\system32\k8440ihqe84e0.dll
C:\WINNT\system32\kudes.dll
C:\WINNT\system32\mdjdbc10.dll
C:\WINNT\system32\MDJTER35.DLL
C:\WINNT\system32\meihnd.dll
C:\WINNT\system32\MJMG14N.DLL
C:\WINNT\system32\mmihnd.dll
C:\WINNT\system32\mmimsg.dll
C:\WINNT\system32\MNPI32.DLL
C:\WINNT\system32\MQIMRT.DLL
C:\WINNT\system32\mscsubs.dll
C:\WINNT\system32\MSPI.DLL
C:\WINNT\system32\mv48l9hu1.dll
C:\WINNT\system32\mvp6l97s1.dll
C:\WINNT\system32\mwxml.dll
C:\WINNT\system32\mximsg.dll
C:\WINNT\system32\MYPRIVS.DLL
C:\WINNT\system32\ndhtml.dll
C:\WINNT\system32\nith.dll
C:\WINNT\system32\nutui2.dll
C:\WINNT\system32\oge2nls.dll
C:\WINNT\system32\ojedlg.dll
C:\WINNT\system32\OVTLWAB.DLL
C:\WINNT\system32\pmrfos.dll
C:\WINNT\system32\q8rqli9518.dll
C:\WINNT\system32\qksname.dll
C:\WINNT\system32\RESAPI32.DLL
C:\WINNT\system32\rVsauth.dll
C:\WINNT\system32\rxcrt4.dll
C:\WINNT\system32\SCMPAPI.DLL
C:\WINNT\system32\shnscfg.dll
C:\WINNT\system32\slnscfg.dll
C:\WINNT\system32\socurity.dll
C:\WINNT\system32\sx3res.dll
C:\WINNT\system32\sxcsspi.dll
C:\WINNT\system32\UDER32.DLL
C:\WINNT\system32\vgajet32.dll
C:\WINNT\system32\vqpodbc.dll
C:\WINNT\system32\vut3216.dll
C:\WINNT\system32\wbaudsdk.dll
C:\WINNT\system32\wbock32.dll
C:\WINNT\system32\wfg0411.dll
C:\WINNT\system32\wqbvw.dll
C:\WINNT\system32\WSDAP32.DLL
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}"=-
"{5E6977B6-37DE-4BA8-875F-A4D4F0B4B8CD}"=-
"{A1ED1719-C395-493A-9988-CF5E49A4950C}"=-
"{B7A24E9E-F6C0-44E2-BB3D-6BD3A5A96EDF}"=-
"{02B13230-010E-418E-A027-BD8C28CAB5B7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8D5D01EE-D54A-4059-B1E4-D84B1265EB8E}]
[-HKEY_CLASSES_ROOT\CLSID\{5E6977B6-37DE-4BA8-875F-A4D4F0B4B8CD}]
[-HKEY_CLASSES_ROOT\CLSID\{A1ED1719-C395-493A-9988-CF5E49A4950C}]
[-HKEY_CLASSES_ROOT\CLSID\{B7A24E9E-F6C0-44E2-BB3D-6BD3A5A96EDF}]
[-HKEY_CLASSES_ROOT\CLSID\{02B13230-010E-418E-A027-BD8C28CAB5B7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{D28FE558-AC0F-40F9-9ADD-277EF8DCB2FE}</IDone>
<IDtwo>BWk</IDtwo>
<VERSION>200</VERSION>
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 5:22:15 PM, on 4/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
C:\WINNT\explorer.exe
F:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: CookieCop.lnk = F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aad: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\NPSchedule.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarni...om/Jambalib.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi nsbnab,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now let's do some work on your log:

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
O13 - WWW. Prefix: http://
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarni...om/Jambalib.cab


Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System.

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.

Regards,

Trevuren

  • 0

#7
nsbnab

nsbnab

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Trevuren,

I do not see the follwing entry to check:

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

Instead I have:

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

Should I check this one?
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi nsbnab,

Are they not the same?

In any event, get rid of it


Trevuren
  • 0

#9
nsbnab

nsbnab

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello Trevuren,

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:49 PM, on 4/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
F:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: CookieCop.lnk = F:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aad: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\NPSchedule.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi victim,

If you start to have problems, it could be from Media Manager. Some people have trouble with it on their machines

Congratulations, your new log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1.Remove check mark from "Turn Off System Restore"
2.Click on "Apply"

2. Another cleanup that will help is to go to Start>Programs>Acccessories>System Tools> Disk Cleanup and put a check mark beside all the entries in the disk cleanup window that ask you what you want to clean. Clean all hard drives and all files. This will get rid of any malware that is hiding in the temporary folders.

3. Make sure that all are gone, by checking the folders that the Temporary Internet Files and Temp files are stored in. To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties). Click Delete Files on the General Tab - place a check in the Delete all offline content box, then 'Clear History' and then press OK (or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder) and
C:\Documents and Settings\userprofilename\Local Settings\Temporary Internet Files\)

4. Empty your Recycle Bin

5. Double Check the following folders to make sure they are empty:
C:\WINDOWS\Profiles\your account\Temporary Internet Files
Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder (or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder) and C:\Documents and Settings\userprofilename\Local Settings\Temporary Internet Files\)

6. You may find that you have to repeat the steps a couple of times.

7.Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)


Regards,


Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP