Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

loadingwebsite.com

Started by jody , Apr 05 2005 01:57 PM

  • This topic is locked This topic is locked

#1
jody
Posted 05 April 2005 - 01:57 PM

jody

    New Member

  • Member
  • Pip
  • 9 posts
I have followed all of the new visitors instructions using Ad-aware SE, CWShredder, Spybot S&D and TDS-3. I cannot do the XP service pack2 update until I get this problem resolved. I still have a multitude of ID windows opening and going to a variety of websites, usually having something to do with recent web searches I've performed. Sometimes my current IE window is unexpectedly shut down stating "action canceled". Any help will be greatly appreciated.

Thanks

Here is my HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 3:39:31 PM, on 4/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\n24s0ch7ef4.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

Advertisements

#2
rstones12
Posted 12 April 2005 - 04:09 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jody,

Welcome to the GTG forums.

Sorry for the delayed reply, the board has been very busy lately.
If you are still looking to resolve this issue:

Please run through all the steps outlined in this Topic

Post back a new HijackThis log by using "Add Reply" to this thread.

If you have resolved this issue please let us know.

Thanks,
rstones12
  • 0

#3
jody
Posted 15 April 2005 - 06:24 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for your reply, I understand busy. Sorry for the delay in posting my new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:14:49 AM, on 4/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\t8r8li9u18.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#4
rstones12
Posted 15 April 2005 - 10:13 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
Download the LSPfix here: http://www.cexx.org/lspfix.htm
HERE is the file.

Download this file and save it to your desktop.
Close all browsers and windows.
Now run LSPfix:

1. Check "I Know What I'm Doing" box.
2. Select all instances of aklsp.dll and dolsp.dll (and nothing else).
3. Move these instances to the remove pane.
4. Click Finished.
Reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#5
jody
Posted 18 April 2005 - 06:28 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
LSPfix has been run and system rebooted. Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:24:03 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\OEBCTRAC.DLL
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\k480lelm1hqa.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Thanks again for your help
  • 0

#6
rstones12
Posted 18 April 2005 - 09:40 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jody,

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thanks,
rstones12
  • 0

#7
jody
Posted 19 April 2005 - 08:27 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\OEBCTRAC.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k480lelm1hqa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CD91E976-95D6-4217-2D76-A29C14DCCEFA}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{50C5122A-1294-437F-AF01-2441D20DDCBC}"=""
"{65DA74EC-194A-422E-BEF1-74F1C2828190}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}\InprocServer32]
@="C:\\WINDOWS\\system32\\IUSSVCS.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
akcore.dll Tue Mar 29 2005 2:56:02p A.... 188,416 184.00 K
aklsp.dll Tue Mar 29 2005 2:56:12p A.... 196,608 192.00 K
akrules.dll Fri Apr 15 2005 9:27:56a A.... 110,592 108.00 K
akupd.dll Fri Apr 8 2005 10:10:52a A.... 155,648 152.00 K
aqanr.dll Mon Apr 4 2005 2:23:10p A.... 4,096 4.00 K
authz.dll Wed Mar 2 2005 2:20:04p A.... 53,760 52.50 K
azaql3~1.dll Tue Apr 19 2005 8:05:32a ..S.R 234,605 229.11 K
browseui.dll Fri Feb 18 2005 3:09:14p A.... 1,017,856 994.00 K
ckcui.dll Mon Apr 4 2005 1:31:00p ..S.R 234,334 228.84 K
delfin.dll Wed Feb 2 2005 5:44:48a A.... 51,712 50.50 K
docore.dll Tue Mar 29 2005 5:14:36p A.... 151,552 148.00 K
dolsp.dll Tue Mar 29 2005 5:14:38p A.... 139,264 136.00 K
dosync.dll Wed Mar 30 2005 9:52:14a A.... 114,688 112.00 K
en06l1~1.dll Tue Mar 29 2005 3:14:46p ..S.R 234,849 229.34 K
gbgpyhi.dll Mon Apr 4 2005 2:23:10p A.... 27,136 26.50 K
goldne~1.dll Wed Feb 16 2005 1:30:14p A.... 61,440 60.00 K
gp2ql3~1.dll Thu Apr 14 2005 4:04:58p ..S.R 233,134 227.67 K
iepeers.dll Fri Feb 18 2005 12:43:20p A.... 236,032 230.50 K
iglmrnt5.dll Mon Apr 4 2005 12:59:42p ..S.R 232,797 227.34 K
iussvcs.dll Tue Apr 19 2005 8:05:32a ..S.R 232,766 227.31 K
kt8sl7~1.dll Mon Apr 4 2005 2:14:46p ..S.R 232,797 227.34 K
ktl0l7~1.dll Wed Mar 30 2005 10:14:08a ..S.R 235,980 230.45 K
lt0027~1.dll Fri Apr 15 2005 4:02:06p ..S.R 235,533 230.01 K
lvrq09~1.dll Thu Apr 14 2005 2:07:42p ..S.R 236,132 230.60 K
mbc71ita.dll Mon Apr 4 2005 1:33:26p ..S.R 232,797 227.34 K
midad.dll Wed Jan 26 2005 12:24:24p A.... 356,352 348.00 K
mqad.dll Wed Mar 23 2005 2:12:48p A.... 130,048 127.00 K
mqdscli.dll Wed Mar 23 2005 2:12:48p A.... 44,032 43.00 K
mqise.dll Wed Mar 23 2005 2:12:48p A.... 14,848 14.50 K
mqqm.dll Wed Mar 23 2005 2:12:48p A.... 608,768 594.50 K
mqrt.dll Wed Mar 23 2005 2:12:48p A.... 165,888 162.00 K
mqsec.dll Wed Mar 23 2005 2:12:48p A.... 88,576 86.50 K
mqupgrd.dll Wed Mar 23 2005 2:12:48p A.... 44,544 43.50 K
mqutil.dll Wed Mar 23 2005 2:12:48p A.... 467,456 456.50 K
mshtml.dll Thu Feb 24 2005 1:23:26p A.... 2,811,904 2.68 M
msi.dll Mon Mar 21 2005 3:00:20p A.... 2,890,240 2.75 M
msihnd.dll Mon Mar 21 2005 3:00:22p A.... 271,360 265.00 K
msimsg.dll Mon Mar 21 2005 3:00:22p A.... 884,736 864.00 K
msisip.dll Mon Mar 21 2005 3:00:22p A.... 15,360 15.00 K
msrating.dll Thu Feb 24 2005 11:54:42a A.... 132,096 129.00 K
mxdad.dll Tue Apr 5 2005 3:11:18p ..... 235,689 230.16 K
o2660c~1.dll Thu Mar 31 2005 10:33:08a ..S.R 235,184 229.67 K
oebctrac.dll Mon Apr 18 2005 7:02:32a ..... 232,766 227.31 K
omexl32.dll Mon Apr 4 2005 8:38:30a ..S.R 234,943 229.43 K
pwnshare.dll Thu Apr 14 2005 2:17:16p ..S.R 235,533 230.01 K
rlogic.dll Wed Mar 2 2005 5:13:00a A.... 36,352 35.50 K
shdocvw.dll Fri Feb 18 2005 3:09:00p A.... 1,337,344 1.27 M
shell32.dll Fri Mar 11 2005 9:51:16p A.... 8,348,672 7.96 M
silgntfy.dll Thu Apr 14 2005 2:41:06p ..... 233,134 227.67 K
spmsg.dll Mon Mar 21 2005 3:00:08p ..... 13,536 13.22 K
sporder.dll Tue Mar 29 2005 2:56:08p A.... 8,464 8.27 K
user32.dll Wed Mar 2 2005 2:20:04p A.... 561,152 548.00 K
wininet.dll Fri Feb 18 2005 4:19:18p A.... 592,384 578.50 K
winsrv.dll Wed Mar 2 2005 2:20:04p A.... 277,504 271.00 K
winup2~1.dll Wed Apr 13 2005 8:03:54a A.... 5,632 5.50 K
xpsp2res.dll Fri Mar 11 2005 6:07:14p A.... 594,432 580.50 K

56 items found: 56 files (14 H/S), 0 directories.
Total of file sizes: 27,193,453 bytes 25.93 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1CDC-644C

Directory of C:\WINDOWS\System32

04/19/2005 08:05 AM 232,766 IUSSVCS.DLL
04/19/2005 08:05 AM 234,605 azaql3f51.dll
04/15/2005 04:02 PM 235,533 lt0027dmg.dll
04/14/2005 04:58 PM <DIR> DLLCACHE
04/14/2005 04:04 PM 233,134 gp2ql3f51.dll
04/14/2005 02:17 PM 235,533 PWNShare.dll
04/14/2005 02:07 PM 236,132 lvrq0995e.dll
04/04/2005 02:14 PM 232,797 kt8sl7l71.dll
04/04/2005 01:33 PM 232,797 MBC71ITA.DLL
04/04/2005 01:30 PM 234,334 CKCUI.DLL
04/04/2005 12:59 PM 232,797 iGlmrnt5.dll
04/04/2005 08:38 AM 234,943 OMEXL32.DLL
03/31/2005 10:33 AM 235,184 o2660cjsefo60.dll
03/30/2005 10:14 AM 235,980 ktl0l73m1.dll
03/29/2005 03:14 PM 234,849 en06l1ds1.dll
11/13/2003 03:55 AM <DIR> Microsoft
14 File(s) 3,281,384 bytes
2 Dir(s) 94,405,509,120 bytes free
  • 0

#8
rstones12
Posted 19 April 2005 - 06:29 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jody,
OK, your doing good so far, next please read through these instructions before proceeding.

Now we need to do the next part of the fix.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Thanks,
rstones12
  • 0

#9
jody
Posted 20 April 2005 - 11:49 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
L2Mfix 1.03

Running From:
C:\Documents and Settings\JG\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\JG\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\JG\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 588 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 984 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\CKCUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en06l1ds1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp2ql3f51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\HHBHealr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iGlmrnt5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j46mlej11ho.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KCDBENE.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt8sl7l71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktl0l73m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lt0027dmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrq0995e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MBC71ITA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxdad.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2660cjsefo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\OMEXL32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PWNShare.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SILGNTFY.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\CKCUI.DLL
Successfully Deleted: C:\WINDOWS\system32\CKCUI.DLL
deleting: C:\WINDOWS\system32\en06l1ds1.dll
Successfully Deleted: C:\WINDOWS\system32\en06l1ds1.dll
deleting: C:\WINDOWS\system32\gp2ql3f51.dll
Successfully Deleted: C:\WINDOWS\system32\gp2ql3f51.dll
deleting: C:\WINDOWS\system32\HHBHealr.dll
Successfully Deleted: C:\WINDOWS\system32\HHBHealr.dll
deleting: C:\WINDOWS\system32\iGlmrnt5.dll
Successfully Deleted: C:\WINDOWS\system32\iGlmrnt5.dll
deleting: C:\WINDOWS\system32\j46mlej11ho.dll
Successfully Deleted: C:\WINDOWS\system32\j46mlej11ho.dll
deleting: C:\WINDOWS\system32\KCDBENE.DLL
Successfully Deleted: C:\WINDOWS\system32\KCDBENE.DLL
deleting: C:\WINDOWS\system32\kt8sl7l71.dll
Successfully Deleted: C:\WINDOWS\system32\kt8sl7l71.dll
deleting: C:\WINDOWS\system32\ktl0l73m1.dll
Successfully Deleted: C:\WINDOWS\system32\ktl0l73m1.dll
deleting: C:\WINDOWS\system32\lt0027dmg.dll
Successfully Deleted: C:\WINDOWS\system32\lt0027dmg.dll
deleting: C:\WINDOWS\system32\lvrq0995e.dll
Successfully Deleted: C:\WINDOWS\system32\lvrq0995e.dll
deleting: C:\WINDOWS\system32\MBC71ITA.DLL
Successfully Deleted: C:\WINDOWS\system32\MBC71ITA.DLL
deleting: C:\WINDOWS\system32\mxdad.dll
Successfully Deleted: C:\WINDOWS\system32\mxdad.dll
deleting: C:\WINDOWS\system32\o2660cjsefo60.dll
Successfully Deleted: C:\WINDOWS\system32\o2660cjsefo60.dll
deleting: C:\WINDOWS\system32\OMEXL32.DLL
Successfully Deleted: C:\WINDOWS\system32\OMEXL32.DLL
deleting: C:\WINDOWS\system32\PWNShare.dll
Successfully Deleted: C:\WINDOWS\system32\PWNShare.dll
deleting: C:\WINDOWS\system32\SILGNTFY.DLL
Successfully Deleted: C:\WINDOWS\system32\SILGNTFY.DLL


Zipping up files for submission:
adding: CKCUI.DLL (164 bytes security) (deflated 5%)
adding: en06l1ds1.dll (164 bytes security) (deflated 5%)
adding: gp2ql3f51.dll (164 bytes security) (deflated 4%)
adding: HHBHealr.dll (164 bytes security) (deflated 4%)
adding: iGlmrnt5.dll (164 bytes security) (deflated 4%)
adding: j46mlej11ho.dll (164 bytes security) (deflated 5%)
adding: KCDBENE.DLL (164 bytes security) (deflated 4%)
adding: kt8sl7l71.dll (164 bytes security) (deflated 4%)
adding: ktl0l73m1.dll (164 bytes security) (deflated 5%)
adding: lt0027dmg.dll (164 bytes security) (deflated 5%)
adding: lvrq0995e.dll (164 bytes security) (deflated 6%)
adding: MBC71ITA.DLL (164 bytes security) (deflated 4%)
adding: mxdad.dll (164 bytes security) (deflated 5%)
adding: o2660cjsefo60.dll (164 bytes security) (deflated 5%)
adding: OMEXL32.DLL (164 bytes security) (deflated 5%)
adding: PWNShare.dll (164 bytes security) (deflated 5%)
adding: SILGNTFY.DLL (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 74%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 68%)
adding: backregs/50C5122A-1294-437F-AF01-2441D20DDCBC.reg (164 bytes security) (deflated 70%)
adding: backregs/65DA74EC-194A-422E-BEF1-74F1C2828190.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: CKCUI.DLL
deleting local copy: en06l1ds1.dll
deleting local copy: gp2ql3f51.dll
deleting local copy: HHBHealr.dll
deleting local copy: iGlmrnt5.dll
deleting local copy: j46mlej11ho.dll
deleting local copy: KCDBENE.DLL
deleting local copy: kt8sl7l71.dll
deleting local copy: ktl0l73m1.dll
deleting local copy: lt0027dmg.dll
deleting local copy: lvrq0995e.dll
deleting local copy: MBC71ITA.DLL
deleting local copy: mxdad.dll
deleting local copy: o2660cjsefo60.dll
deleting local copy: OMEXL32.DLL
deleting local copy: PWNShare.dll
deleting local copy: SILGNTFY.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CKCUI.DLL
C:\WINDOWS\system32\en06l1ds1.dll
C:\WINDOWS\system32\gp2ql3f51.dll
C:\WINDOWS\system32\HHBHealr.dll
C:\WINDOWS\system32\iGlmrnt5.dll
C:\WINDOWS\system32\j46mlej11ho.dll
C:\WINDOWS\system32\KCDBENE.DLL
C:\WINDOWS\system32\kt8sl7l71.dll
C:\WINDOWS\system32\ktl0l73m1.dll
C:\WINDOWS\system32\lt0027dmg.dll
C:\WINDOWS\system32\lvrq0995e.dll
C:\WINDOWS\system32\MBC71ITA.DLL
C:\WINDOWS\system32\mxdad.dll
C:\WINDOWS\system32\o2660cjsefo60.dll
C:\WINDOWS\system32\OMEXL32.DLL
C:\WINDOWS\system32\PWNShare.dll
C:\WINDOWS\system32\SILGNTFY.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{50C5122A-1294-437F-AF01-2441D20DDCBC}"=-
"{65DA74EC-194A-422E-BEF1-74F1C2828190}"=-
[-HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}]
[-HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

New HJT log
Logfile of HijackThis v1.99.1
Scan saved at 1:44:24 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#10
rstones12
Posted 20 April 2005 - 12:13 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
Jody,
Please print out these instructions. Follow along exactly as they are posted.
If you have any questions along the way please ask. This is going to take some steps to get you back up and running.

1. Run HijackThis then click on:
  • Config > Misc Tools > Open process manager
  • Select the following files: (hold down the "Ctrl" key to select multiple items)
  • desktop.exe
  • edmond.exe
  • ffisearch.exe
  • Click on Kill process (Answer Yes to the "Are you sure..." question.)
2. Launch Notepad:
Copy/Paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ffis"=-

3. Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

4. Restart your computer.

5. Launch Notepad:
Copy/Paste the box below into a new text file. Save it as Unreg.bat and save it on your Desktop.

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll


6. Locate Unreg.bat on your Desktop and double-click on it.

7. Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
  • delprot.ini
  • delprot.log
  • desktop.exe
  • isrvs (delete the entire folder)
8. Delete the following file: C:\Windows\System32\Drivers\Delprot.sys

9. Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
  • anal exploits.url
  • big [bleep] school for 2.95.url
  • evidence eraser.lnk
  • popup blocker stops popups.lnk
  • spyware avenger.lnk
  • virus hunter security.lnk
  • your platinum visa.lnk
10. Restart your computer and post a new log from HijackThis.

Edited by rstones12, 20 April 2005 - 12:15 PM.

  • 0

Advertisements

#11
jody
Posted 21 April 2005 - 07:12 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Below is the new HJT log but I have a few notes/questions:

In Step 1 edmond.exe and ffisearch.exe were not present in the HJT process manager.

AdDestroyer is still in my system tray and VirtualBouncer continues to give warnings about infections. I did not load either of these programs and don't know whether they are good guys or bad guys.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:06 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#12
rstones12
Posted 22 April 2005 - 10:56 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jody,
This is a very stubborn infection to clean up.

First update each of the following:
Ad-Aware SE
Spybot S&D
Anti-Virus Software

OK, go to this link and follow the instructions exactly as given:

http://castlecops.com/postt106277.html

Then go here:

http://www.microsoft...re/default.mspx

and download MSAS, check for updates and run it.
Post a new HJT log and let me know what they removed.

rstones12
  • 0

#13
jody
Posted 27 April 2005 - 01:46 PM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ad-Aware removed:
Ezula, VX2, AdDestroyer, Virtual Bouncer, Media Motor, Other (prefetch)

SpyBot Removed:
ABetterInternet, CallingHome.biz, iSearch, Look2Me.Topconverting, Virtual Bouncer, eZula HotText, NicTechNetworks.zestyfind, wishbone, VBouncer, AdDestroyer

Kaspersky removed:
nlnrzm.exe, tctd.exe, oq0carn.exe, ckcui.dll, akcore.dll, aklsp.dll, akrules.dll, bw2.com, f4352671.exe, randreco.exe, build2.exe, thnall2c.exe, Remove display utility, buddy.exe, icont.exe, mm15201518.stub.exe, sskb5.exe, woinstall.exe, wupdsnff.exe, desktop.exe, isearch.js, 3p_1n.exe, updinst.exe, aqanr.dll, delfin.dll, docore.dll

MSAS removed:
Nictech.BM2, Unclassified.spyware.bl, ezula.weboffer, transponder.ABetterInternet.ceres, iSearch.Desktopsearch, AdDestroyer, look2me, virtual bouncer, 180searchassistant



Logfile of HijackThis v1.99.1
Scan saved at 3:43:38 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#14
rstones12
Posted 27 April 2005 - 06:42 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jody,
That looks much better, that infection is very hard to remove. Good job.

Download CleanUp
Install the program, dont run it yet, we will later.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Scan with HJT and place a checkmark next to the following items:

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

Close all browsers and open windows except HJT and then click Fix Checked

Next
Go to your Start | Control Panel | Add-Remove Programs
Remove the following if found or any variation.

iSearch


Using Windows Explorer find and remove the following folders/files if present.
C:\WINDOWS\isrvs\ <-- Folder
C:\WINDOWS\system32\n20050308.EXE

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot and post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#15
jody
Posted 28 April 2005 - 06:29 AM

jody

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
This PC is already behaving tons better! I really appreciate your patient help.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:00 AM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP