
Hijack problem[RESOLVED]


  • This topic is locked

#1
daro


    New Member

  • Member
  • 4 posts
Hi. I am running WinXP on a PC and I have a huge problem with spyware (or a virus) that I haven't been able to get rid of for about a week now. This is what it causes:
- redirects browsers to other pages (spotresults.com is one of its favored choices, but it can take me to others, e.g. 9ringtone.com, as well)
- is capable of launching my default browser if it was closed – all by itself - when I am online
- disconnects my browser from displaying pages. I mean I am still online (can ping and use other network services) but my browsers will say that there is no page to be displayed. Now it happens every 5-10 minutes!! I have to restart the PC each time to get it back to work, so while writing this post I’ve done it a couple of times - probably the [bleep] is full of bugs :tazz:
- quick launch icons bar disappears after each reboot

Following advice, I first scanned my WinXP (System Restore was disabled) with:

- Trend Micro Online Scan
- Symantec Security Check
- McAfee AVERT Stinger
- CCleaner
- Ad-Aware
- Spybot
- CWShredder
- Kill2me
- about:Buster
- HSRemove
- SpySweeper

During the scans Look2Me adware was found and removed. The only thing is that I am connected through a modem and couldn't do the online scan in safe mode, so it would not be 100%.

Anyway all the scans say now that my PC is clean but it is NOT.

Could you please help me with this?

My Hijack This log is:


Logfile of HijackThis v1.99.1
Scan saved at 13:01:32, on 2005-05-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\ibmtools\aptezbtn\aptezbp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\ibmtools\aptezbtn\rakusb.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Watch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Moje dokumenty\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093656769562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.co...kanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{345D7F6F-0C98-44B7-B8B6-A3C989E66DEA}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS3\Services\Tcpip\..\{345D7F6F-0C98-44B7-B8B6-A3C989E66DEA}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\jr4025hmg.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Erss8udkaski - Creative Technology Ltd - (no file)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks


#2
miekiemoes


    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

Please re-enable your System Restore again!! Because if something goes wrong, you don't have a System Restore point to go back to.

I spotted the cause(s).

So, let's deal with it.

Please download LSPfix and save it to the Desktop and unzip it.

Run LSPfix and place a check against the "I know what I am doing" checkbox.
Highlight every instance of the following file: winlspak.dll and move it from the Keep to the Remove panel. Be sure to move nothing other than this file!!
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Reboot.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0
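
Added example (not part of the thread, and not L2mfix's own code): the find log requested above opens with a regedit-format export of the Winlogon\Notify keys, in which DllName may be a plain string or a hex(2) value (REG_EXPAND_SZ, UTF-16LE) split over continuation lines. This Python sketch un-wraps such a paste, decodes every DllName and lists the subkeys whose DLL is not in a baseline. The baseline set and all function names are assumptions made for the illustration, and the sample is an excerpt of the log posted in reply #3.

```python
import ntpath
import re

# Assumption: notification DLLs seen on a stock Windows XP SP2 install.
# Extend this set for the build you are examining.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "sclgntfy.dll", "wlnotify.dll"}

# Excerpt of the find log from reply #3, wrapped the way it was pasted.
SAMPLE_FIND_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00

,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t48ulel91hq.dll"
"Logon"="WinLogon"
'''


def logical_lines(text):
    """Undo paste wrapping: rejoin split key paths and hex continuations."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prev = out[-1] if out else ""
        if prev.startswith("[") and not prev.endswith("]"):
            # Key path broken across lines. A space lost at the break is
            # tolerated because keys are matched whitespace-insensitively.
            out[-1] = prev + line
        elif "=hex" in prev and re.fullmatch(r"[0-9a-fA-F,\\ ]+", line):
            out[-1] = prev.rstrip("\\") + line  # hex data continuation
        else:
            out.append(line)
    return out


def decode_value(raw):
    """Decode a regedit value: hex(2) is UTF-16LE, strings are escaped."""
    if raw.startswith("hex(2):"):
        parts = raw[7:].replace("\\", "").split(",")
        data = bytes(int(p, 16) for p in parts if p.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def notify_entries(text):
    """Return {subkey: DllName} for every Winlogon\\Notify subkey."""
    entries, subkey = {}, None
    for line in logical_lines(text):
        if line.startswith("["):
            path = line.strip("[]")
            flat = re.sub(r"\s+", "", path).lower()
            in_notify = "winlogon\\notify\\" in flat
            subkey = path.rsplit("\\", 1)[-1] if in_notify else None
        elif subkey and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip('"').lower() == "dllname":
                entries[subkey] = decode_value(raw)
    return entries


def outside_baseline(entries, baseline=BASELINE_DLLS):
    """Subkeys whose DLL file name is not in the baseline set."""
    return {key: dll for key, dll in entries.items()
            if ntpath.basename(dll).lower() not in baseline}


if __name__ == "__main__":
    found = notify_entries(SAMPLE_FIND_LOG)
    for key, dll in found.items():
        print(f"{key:14} {dll}")
    print("not in baseline:", outside_baseline(found))
```

An entry reported here is only a candidate for review; a vendor-installed notification package would also fall outside the assumed baseline.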

#3
daro


    New Member

  • Topic Starter
  • Member
  • 4 posts
Thanks miekiemoes for your answer! I did as I was told. Here is the l2mfix report:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************

************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00

,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00

,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t48ulel91hq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00

,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00

,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00

,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************

************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\User Agent\Post Platform]
"{DD400CD7-4371-F63B-EB26-59CC11430291}"=""

**********************************************************************

************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Karta wˆa˜ciwo˜ci pliku

multimedialnego"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ZarzĄdzanie skanerem ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Strona zabezpieczeä NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Strona wˆa˜ciwo˜ci OLE

Docfile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Rozszerzenia powˆoki dla

udost©pniania zasob˘w"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL karty

graficznej"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL monitora

wy˜wietlania"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL kadrowania

wy˜wietlania"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Strona zabezpieczeä usˆugi

DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Strona zgodno˜ci"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Program obsˆugi danych

wycinkowych powˆoki"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Rozszerzenie Disc Copy"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Rozszerzenia powˆoki dla

obiekt˘w Microsoft Windows Network"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ZarzĄdzanie monitorem ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ZarzĄdzanie drukarkĄ ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Rozszerzenia powˆoki dla

kompresji plik˘w"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Rozszerzenie powˆoki

drukarek sieci Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu kontekstowe

szyfrowania"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Akt˘wka"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Rozszerzenie ikony

HyperTerminalu"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Strona zabezpieczeä

drukarek"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Rozszerzenia powˆoki dla

udost©pniania zasob˘w"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL

Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="PoˆĄczenia sieciowe"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="PoˆĄczenia sieciowe"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Skanery i aparaty

fotograficzne"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Skanery i aparaty

fotograficzne"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Skanery i aparaty

fotograficzne"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Skanery i aparaty

fotograficzne"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Skanery i aparaty

fotograficzne"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL

Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet

Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Rozszerzenie powloki dla

programu Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell

Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Zaplanowane zadania"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Pasek zadaä i menu Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Wyszukaj"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsˆuga techniczna"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsˆuga techniczna"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uruchom..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Czcionki"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Narz©dzia administracyjne"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties

Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties

Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Pasek narz©dzi programu

Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Stan pobierania"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Folder powˆoki zwi©kszonej"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Folder powˆoki zwi©kszonej

2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Pasek przeglĄdarki

Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Pasek wyszukiwania"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Pasek multimedi˘w"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Wyszukiwanie w okienku"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Wyszukiwanie w sieci Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Narz©dzie opcji drzewa

rejestru"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Pole edycji adresu"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autouzupeˆnianie Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="Wyodr©bnianie obraz˘w

Trident"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autouzupeˆniania MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Niestandardowa lista

autouzupeˆniania MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Dost©pny"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pasek podr©czny ˜ledzenia"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analizator paska adresu"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autouzupeˆniania

historii Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autouzupeˆniania

folderu powˆoki Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Kontener wielu list

autouzupeˆniania Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu witryny paska powˆoki"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Pasek pulpitu powˆoki"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Pomoc dla uľytkownika"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globalne ustawienia

folder˘w"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc

Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser

Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History

Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historia"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki

internetowe"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki

internetowe"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Ekran powitalny pakietu IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Pasek eksploratora"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Folder pami©ci podr©cznej

ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Folder subskrypcji"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Menedľer aplikacji powˆoki"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Wyliczanie zainstalowanych

aplikacji"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publikator aplikacji Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+program wyodr©bniajĄcy

miniatury plik˘w"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informacje podsumowujĄce

obsˆugi miniatur (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Wyodr©bnianie miniatur HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property

Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Kreator publikacji w sieci

Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Zamawianie odbitek w sieci

Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Obiekt powˆoki kreatora

publikacji"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Kreator uzyskiwania profilu

usˆugi Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Konta uľytkownik˘w"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder

Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder

SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Plik kanaˆu"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Skr˘t kanaˆu"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Obiekt obsˆugi kanaˆu"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace

Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML

Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace

Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace

Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace

Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS

object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu

Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder

Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Folder plik˘w trybu offline"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character

Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Do os˘b..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as

Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn

Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to

Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and

Defaults"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook

Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook

Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon

Handler"
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}"="Macromedia FTP & RDS"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property

Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne

Player"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E3A800CC-38D8-4B1F-A3ED-393FA8198E48}"=""
"{88C655DB-B0E0-4940-BF9C-F354E0BB207F}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context

Menu Integration"
"{6E1F735B-79C1-4BE6-A785-C4ECE7DD41AA}"=""
"{176B46C9-82EB-4FD0-BF9A-A16E0598E286}"=""
"{886AA7FC-45A8-4731-8407-6DEC7EB47ADE}"=""
"{6F71190C-540D-42A4-88E9-8CF85AFCF99F}"=""
"{6568AC85-8DC8-409F-A5A1-3C47BA7454CC}"=""
"{ECC3D30C-E354-4866-BBCA-008BA0D493DE}"=""
"{FFBBE799-F5E7-40E1-B652-F4B913E3E19E}"=""
"{513C468B-9E16-468B-A715-B8FA2736B1DE}"=""
"{7D2A0C63-9650-4AC9-A906-B64593F10B33}"=""
"{307FBA9E-CE59-43BE-9226-E720731A5C2F}"=""
"{9D7A4927-2C9C-47C8-AF12-932CAC016F1F}"=""
"{8C9A3AB3-8DA3-4FB9-98BB-847D36F21C8C}"=""
"{30C685CA-F533-460B-8EBB-C17FDBFC3203}"=""
"{B3266DCF-2009-44D9-B164-694492B420DE}"=""
"{84DF0C38-8BC1-4D7A-A84E-AFA7F5583307}"=""
"{A8486EFD-69AE-45AA-BAE0-357332F628F3}"=""
"{69A9F73B-EF00-4C59-838F-A1CC7C67CFE7}"=""
"{6D0EF48D-12C8-4100-985F-305DAA6B0152}"=""
"{848BE854-8940-4CD9-9D03-AF1177D8BA6C}"=""
"{52F46697-236A-43D2-B0D8-06B2E64E1BFD}"=""
"{7B1A5549-4F3F-4F46-9EE8-DC7BDD24AC28}"=""
"{1E2A9011-D673-4BBB-AA72-93D193050811}"=""
"{4DD12615-D6F6-4EA9-BF08-A6B72FD6AEDF}"=""
"{85152FA3-FE73-4E27-8E2A-F3D4858A1532}"=""
"{C9DC4E7D-896B-496A-9063-B688C9382DDE}"=""

**********************************************************************

************
HKEY ROOT CLASSIDS:

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: D4F9-A147

Katalog: C:\WINDOWS\System32

2005-05-14 18:31 233 728 wesapi32.dll
2005-05-14 18:14 233 014 kt64l7jq1.dll
2005-05-14 18:14 236 529 synike.dll
2005-05-14 18:14 233 728 t48ulel91hq.dll
2005-05-14 14:41 236 529 sydpsrv.dll
2005-05-14 14:03 236 529 wrock32.dll
2005-05-14 13:29 236 529 dxvacm.dll
2005-05-14 13:12 236 529 wdhip6.dll
2005-05-14 13:08 236 529 mjvcp50.dll
2005-05-14 12:57 234 893 derawex.dll
2005-05-14 12:54 236 529 rHsser.dll
2005-05-14 12:07 236 529 ngrspl.dll
2005-05-14 11:24 234 893 bfackbox.dll
2005-05-14 11:12 235 566 mllbui.dll
2005-05-14 10:57 233 430 iqeshare.dll
2005-05-14 10:46 235 566 wbnotify.dll
2005-05-14 01:59 233 430 ngtcfgx.dll
2005-05-14 01:34 235 566 kpdsmsfi.dll
2005-05-14 00:58 233 666 mvwdat10.dll
2005-05-13 23:59 233 666 nftui1.dll
2005-05-12 22:24 233 666 sncfiles.dll
2005-05-12 21:05 233 666 mcr2cenu.dll
2005-05-12 01:25 234 272 iiitpki.dll
2005-05-11 23:09 234 272 kodsl.dll
2005-05-11 23:09 234 272 kwdpo.dll
2005-05-11 22:08 233 117 g6lm0g31e6.dll
2005-05-11 21:23 232 981 jt0m07d1e.dll
2005-05-11 20:28 235 065 IqagXpr7.dll
2005-05-11 13:07 234 934 ffusd.dll
2005-05-11 02:58 234 272 ement97.dll
2005-05-11 00:21 234 272 irjsl5171.dll
2005-05-10 17:57 235 830 g2jolc131f.dll
2005-05-10 17:54 233 153 nzshell.dll
2005-05-10 17:53 234 518 m2po0c73ef.dll
2005-05-02 23:00 233 221 mpjava.dll
2005-04-29 06:36 235 162 RJOCURS.DLL
2005-04-29 06:15 235 162 wbntrust.dll
2005-04-29 05:05 236 005 sQfrslv.dll
2005-04-28 02:30 236 005 wsntrust.dll
2005-04-23 14:04 235 162 dpcpmon.dll
2005-04-21 08:40 235 162 PH171Hwx.dll
2005-04-17 18:42 233 470 hpl0233mg.dll
2005-04-12 23:05 232 948 k844lihq184e.dll
2005-04-09 12:54 235 104 avtxprxy.dll
2005-02-08 22:25 <DIR> dllcache
2004-08-27 23:05 <DIR> Microsoft
44 plik(ów) 10 329 069 bytesów
2 katalog(ów) 91 136 114 688 bytesów free

#4
miekiemoes


    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#5
daro


    New Member

  • Topic Starter
  • Member
  • 4 posts
Done!
Here is l2mfix log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Administrator\Pulpit\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administratorzy
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Pulpit\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Pulpit\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'
Killing PID 1228 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1932 'rundll32.exe'
Killing PID 1932 'rundll32.exe'
Killing PID 1596 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\avtxprxy.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\bfackbox.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\cucui.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\derawex.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\dpcpmon.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\dxvacm.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\ement97.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\ffusd.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\g2jolc131f.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\g6lm0g31e6.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\hpl0233mg.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\iiitpki.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\IqagXpr7.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\iqeshare.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\irjsl5171.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\j6l40g3qe6.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\jt0m07d1e.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\k844lihq184e.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\kodsl.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\kpdsmsfi.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\kwdpo.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\m2po0c73ef.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\mcr2cenu.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\mjvcp50.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\mllbui.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\mpjava.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\mvwdat10.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\nftui1.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\ngrspl.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\ngtcfgx.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\nzshell.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\PH171Hwx.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\rHsser.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\RJOCURS.DLL
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\sncfiles.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\sQfrslv.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\sydpsrv.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\synike.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wbnotify.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wbntrust.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wdhip6.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wesapi32.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wnncoreak.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wrock32.dll
Liczba skopiowanych plików: 1.
Backing Up: C:\WINDOWS\system32\wsntrust.dll
Liczba skopiowanych plików: 1.
deleting: C:\WINDOWS\system32\avtxprxy.dll
Successfully Deleted: C:\WINDOWS\system32\avtxprxy.dll
deleting: C:\WINDOWS\system32\bfackbox.dll
Successfully Deleted: C:\WINDOWS\system32\bfackbox.dll
deleting: C:\WINDOWS\system32\cucui.dll
Successfully Deleted: C:\WINDOWS\system32\cucui.dll
deleting: C:\WINDOWS\system32\derawex.dll
Successfully Deleted: C:\WINDOWS\system32\derawex.dll
deleting: C:\WINDOWS\system32\dpcpmon.dll
Successfully Deleted: C:\WINDOWS\system32\dpcpmon.dll
deleting: C:\WINDOWS\system32\dxvacm.dll
Successfully Deleted: C:\WINDOWS\system32\dxvacm.dll
deleting: C:\WINDOWS\system32\ement97.dll
Successfully Deleted: C:\WINDOWS\system32\ement97.dll
deleting: C:\WINDOWS\system32\ffusd.dll
Successfully Deleted: C:\WINDOWS\system32\ffusd.dll
deleting: C:\WINDOWS\system32\g2jolc131f.dll
Successfully Deleted: C:\WINDOWS\system32\g2jolc131f.dll
deleting: C:\WINDOWS\system32\g6lm0g31e6.dll
Successfully Deleted: C:\WINDOWS\system32\g6lm0g31e6.dll
deleting: C:\WINDOWS\system32\hpl0233mg.dll
Successfully Deleted: C:\WINDOWS\system32\hpl0233mg.dll
deleting: C:\WINDOWS\system32\iiitpki.dll
Successfully Deleted: C:\WINDOWS\system32\iiitpki.dll
deleting: C:\WINDOWS\system32\IqagXpr7.dll
Successfully Deleted: C:\WINDOWS\system32\IqagXpr7.dll
deleting: C:\WINDOWS\system32\iqeshare.dll
Successfully Deleted: C:\WINDOWS\system32\iqeshare.dll
deleting: C:\WINDOWS\system32\irjsl5171.dll
Successfully Deleted: C:\WINDOWS\system32\irjsl5171.dll
deleting: C:\WINDOWS\system32\j6l40g3qe6.dll
Successfully Deleted: C:\WINDOWS\system32\j6l40g3qe6.dll
deleting: C:\WINDOWS\system32\jt0m07d1e.dll
Successfully Deleted: C:\WINDOWS\system32\jt0m07d1e.dll
deleting: C:\WINDOWS\system32\k844lihq184e.dll
Successfully Deleted: C:\WINDOWS\system32\k844lihq184e.dll
deleting: C:\WINDOWS\system32\kodsl.dll
Successfully Deleted: C:\WINDOWS\system32\kodsl.dll
deleting: C:\WINDOWS\system32\kpdsmsfi.dll
Successfully Deleted: C:\WINDOWS\system32\kpdsmsfi.dll
deleting: C:\WINDOWS\system32\kwdpo.dll
Successfully Deleted: C:\WINDOWS\system32\kwdpo.dll
deleting: C:\WINDOWS\system32\m2po0c73ef.dll
Successfully Deleted: C:\WINDOWS\system32\m2po0c73ef.dll
deleting: C:\WINDOWS\system32\mcr2cenu.dll
Successfully Deleted: C:\WINDOWS\system32\mcr2cenu.dll
deleting: C:\WINDOWS\system32\mjvcp50.dll
Successfully Deleted: C:\WINDOWS\system32\mjvcp50.dll
deleting: C:\WINDOWS\system32\mllbui.dll
Successfully Deleted: C:\WINDOWS\system32\mllbui.dll
deleting: C:\WINDOWS\system32\mpjava.dll
Successfully Deleted: C:\WINDOWS\system32\mpjava.dll
deleting: C:\WINDOWS\system32\mvwdat10.dll
Successfully Deleted: C:\WINDOWS\system32\mvwdat10.dll
deleting: C:\WINDOWS\system32\nftui1.dll
Successfully Deleted: C:\WINDOWS\system32\nftui1.dll
deleting: C:\WINDOWS\system32\ngrspl.dll
Successfully Deleted: C:\WINDOWS\system32\ngrspl.dll
deleting: C:\WINDOWS\system32\ngtcfgx.dll
Successfully Deleted: C:\WINDOWS\system32\ngtcfgx.dll
deleting: C:\WINDOWS\system32\nzshell.dll
Successfully Deleted: C:\WINDOWS\system32\nzshell.dll
deleting: C:\WINDOWS\system32\PH171Hwx.dll
Successfully Deleted: C:\WINDOWS\system32\PH171Hwx.dll
deleting: C:\WINDOWS\system32\rHsser.dll
Successfully Deleted: C:\WINDOWS\system32\rHsser.dll
deleting: C:\WINDOWS\system32\RJOCURS.DLL
Successfully Deleted: C:\WINDOWS\system32\RJOCURS.DLL
deleting: C:\WINDOWS\system32\sncfiles.dll
Successfully Deleted: C:\WINDOWS\system32\sncfiles.dll
deleting: C:\WINDOWS\system32\sQfrslv.dll
Successfully Deleted: C:\WINDOWS\system32\sQfrslv.dll
deleting: C:\WINDOWS\system32\sydpsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sydpsrv.dll
deleting: C:\WINDOWS\system32\synike.dll
Successfully Deleted: C:\WINDOWS\system32\synike.dll
deleting: C:\WINDOWS\system32\wbnotify.dll
Successfully Deleted: C:\WINDOWS\system32\wbnotify.dll
deleting: C:\WINDOWS\system32\wbntrust.dll
Successfully Deleted: C:\WINDOWS\system32\wbntrust.dll
deleting: C:\WINDOWS\system32\wdhip6.dll
Successfully Deleted: C:\WINDOWS\system32\wdhip6.dll
deleting: C:\WINDOWS\system32\wesapi32.dll
Successfully Deleted: C:\WINDOWS\system32\wesapi32.dll
deleting: C:\WINDOWS\system32\wnncoreak.dll
Successfully Deleted: C:\WINDOWS\system32\wnncoreak.dll
deleting: C:\WINDOWS\system32\wrock32.dll
Successfully Deleted: C:\WINDOWS\system32\wrock32.dll
deleting: C:\WINDOWS\system32\wsntrust.dll
Successfully Deleted: C:\WINDOWS\system32\wsntrust.dll


Zipping up files for submission:

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:36:42, on 2005-05-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\ibmtools\aptezbtn\aptezbp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\ibmtools\aptezbtn\rakusb.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Moje dokumenty\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093656769562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.co...kanerOnline.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Erss8udkaski - Creative Technology Ltd - (no file)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
It looks like we got it. Now some leftovers:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} - http://advnt01.com/dialer/russia.CAB
O23 - Service: Erss8udkaski - Creative Technology Ltd - (no file)


* Click on Fix Checked when finished and exit HijackThis.

Popups gone now?

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virus scan once in a while. (Kaspersky online and/or Bitdefender). Because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again!

#7
daro

    New Member

  • Topic Starter
  • Member
  • 4 posts
Success! miekiemoes you are the MAN! Thanks so much! I've been online for some time now and no hijacks or popups appear. Great job.
If there's anything I could help you with anytime, you know how to find me :tazz:
Spywareblaster installed. Anti-virus updated. Future looks much brighter now ;)
Thread can be closed!

#8
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP

Success! miekiemoes you are the MAN!


Still female though... :tazz:

Glad I could help you. ;)

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by miekiemoes, 15 May 2005 - 05:54 PM.


#9
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.