ceres.dll and aurora problems [RESOLVED]



#1 drewizspiffy (Member, 15 posts)

I have run all of the suggested programs and I am still having problems with ceres.dll. I am also still getting problems with Aurora. I have run HijackThis and here is my logfile. If anyone could help me to get rid of this pesky bug, please help me.

Drew


Logfile of HijackThis v1.99.1
Scan saved at 2:55:43 AM, on 06/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
c:\windows\system32\kofkwe.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mary\Desktop\Drews Pics\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ptyxwua] c:\windows\system32\kofkwe.exe r
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE185270-53A5-11D9-9669-0800200C9A66} - http://www.ouchvideo...mviewer_ic2.cab
O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo...iewer_emg11.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

Please post a new Hijack log in this thread and I will help you.

Thanks

#3 drewizspiffy (Topic Starter, Member, 15 posts)

Thanks for helping... I appreciate it tons.

Drew

P.S. On Windows XP, what is the number for starting in Safe Mode?





Logfile of HijackThis v1.99.1
Scan saved at 2:41:01 PM, on 06/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mary\Desktop\Drews Pics\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE185270-53A5-11D9-9669-0800200C9A66} - http://www.ouchvideo...mviewer_ic2.cab
O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo...iewer_emg11.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hey drew ;)

Do you have an anti-virus?
Do you have all items selected at startup? (I need to see everything.)

On with the fix :tazz:

Download and install CleanUp! but do not run it yet.
*NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Download and run iSearchFix.exe from http://www.atribune..../iSearchFix.exe and allow it to install to its default location.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about.

Open the iSearchFix folder and run isearch.bat.
Allow it to finish running and save the isearchlog.txt.

Now run CleanUp!

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {CE185270-53A5-11D9-9669-0800200C9A66} - http://www.ouchvideo...mviewer_ic2.cab
O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo...iewer_emg11.cab



Post the report from Ewido, isearchlog.txt and a new HijackThis log into this topic.

Edited by loophole, 24 June 2005 - 02:08 PM.

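The checks loophole applies to these logs, written up as an added example (my code, not a tool from this thread or from the HijackThis project): it parses the one-item-per-line HijackThis format shown above, flags the kinds of entries picked out in this thread (the F2 Shell value that appends Nail.exe, O15 Trusted Zone entries, the O18 text/html filter, unnamed O16 controls, O4 autoruns from temp folders, O23 services with an unknown owner and a missing binary), and diffs two logs so that entries which survived a cleanup round stand out. The heuristics and reason strings are my own, and the two sample logs are constructed from a subset of the lines posted in this thread.

```python
"""HijackThis v1.99 log triage: parse items, flag the kinds of entries picked
out in this thread, and diff two logs to see what survived a cleanup round.
Added example; not a tool from this thread or from the HijackThis project."""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [x] y" -> section "O4", body "HKLM\..\Run: [x] y"
ITEM_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")
# Autorun locations legitimate software almost never uses (lower-case).
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class Item:
    section: str
    body: str

    def key(self):
        # Case-insensitive: the same path shows as System32 in one run, system32 in another.
        return (self.section, self.body.lower())


def parse_log(text):
    """Return the R/F/O items of a log; header and process lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(Item(m.group("sec"), m.group("body")))
    return items


def flag(item):
    """Return why an item deserves a look, or None if no check fires."""
    sec, low = item.section, item.body.lower()
    if sec == "F2" and "shell=" in low:
        # Winlogon Shell should be exactly Explorer.exe; anything appended
        # (Nail.exe in the first log above) is started at every logon.
        if low.split("shell=", 1)[1].strip() != "explorer.exe":
            return "Winlogon Shell starts something besides Explorer.exe"
    if sec == "O15":
        return "Trusted Zone entry lowers IE security for that site or IP"
    if sec == "O18" and low.startswith("filter: text/html"):
        return "text/html MIME filter sees every page IE renders"
    if sec == "O4" and any(d in low for d in TEMP_DIRS):
        return "autorun entry points into a temp folder"
    if sec == "O16" and re.match(r"dpf: \{[0-9a-f-]+\} - ", low):
        return "downloaded ActiveX control with no friendly name"
    if sec == "O23" and "unknown owner" in low and "(file missing)" in low:
        return "service from an unknown vendor whose binary is gone"
    return None


def triage(text):
    """List (item, reason) pairs for every flagged item in a log."""
    hits = []
    for item in parse_log(text):
        reason = flag(item)
        if reason:
            hits.append((item, reason))
    return hits


def diff_logs(before, after):
    """Split items into removed / added / persisting between two logs."""
    old = {i.key(): i for i in parse_log(before)}
    new = {i.key(): i for i in parse_log(after)}
    return {
        "removed": [old[k] for k in old if k not in new],
        "added": [new[k] for k in new if k not in old],
        "persisting": [new[k] for k in new if k in old],
    }


# Constructed samples: a subset of the lines posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
c:\windows\system32\kofkwe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O15 - Trusted Zone: http://www.neededware.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [zKw] C:\documents and settings\mary\local settings\temp\zKw.exe
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    for item, reason in triage(LOG_BEFORE):
        print(f"{item.section:<4}{reason}: {item.body}")
    for kind, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(kind, [f"{i.section} - {i.body}" for i in items])
```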

#5 drewizspiffy (Topic Starter, Member, 15 posts)

OK... I have Microsoft AntiSpyware running at all times... I selected everything from msconfig on autostart... this obviously has brought a lot of errors at startup... from programs that aren't there anymore from removal by spyware proggies.

So now, by following everything that was said on here and on the thread about what you need to do before posting logs, this is what I got... thanks again for your help...

I still don't know why Ceres and Desktop Search ain't leaving... it bothered me and that's why I came here... thanks again.

Drew



HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 5:07:53 PM, on 06/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mary\Desktop\Drews Pics\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zKw] C:\documents and settings\mary\local settings\temp\zKw.exe
O4 - HKLM\..\Run: [Zbraa] C:\WINDOWS\uxfna.exe
O4 - HKLM\..\Run: [yjenvowauutxastptrul] C:\WINDOWS\grvyqbvx.exe
O4 - HKLM\..\Run: [xhxhmc] C:\WINDOWS\system32\xhxhmc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\Program Files\hpdll\tempdl\RAS012505.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Oumodt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [TinkoPal] C:\Program Files\TinkoPal\AppStart.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Mary\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [rylyvct] c:\windows\system32\rylyvct.exe
O4 - HKLM\..\Run: [rydgfek] C:\WINDOWS\System32\rylyvct.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
O4 - HKLM\..\Run: [otfulsbgxo] C:\WINDOWS\system32\rylyvct.exe
O4 - HKLM\..\Run: [odochws] C:\WINDOWS\system32\odochws.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [nsj] C:\WINDOWS\nsj.exe
O4 - HKLM\..\Run: [ngftnc] C:\WINDOWS\system32\ngftnc.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vgikgk.exe
O4 - HKLM\..\Run: [mR] C:\windows\temp\mR.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [lloirc] C:\WINDOWS\system32\lloirc.exe
O4 - HKLM\..\Run: [kqltrufn] C:\WINDOWS\system32\kgrsu\kqltrufn.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ikpnkn.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvwvx32.exe
O4 - HKLM\..\Run: [JG0oc3iEv] C:\documents and settings\mary\local settings\temp\JG0oc3iEv.exe
O4 - HKLM\..\Run: [JDhG] C:\documents and settings\mary\local settings\temp\JDhG.exe
O4 - HKLM\..\Run: [JD] C:\documents and settings\mary\local settings\temp\JD.exe
O4 - HKLM\..\Run: [javauu.exe] C:\WINDOWS\system32\javauu.exe
O4 - HKLM\..\Run: [j599pd3s] C:\Program Files\j599pd3s\j599pd3s.exe
O4 - HKLM\..\Run: [ivex] C:\WINDOWS\ivex.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HUGA] C:\documents and settings\mary\local settings\temp\HUGA.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [fwvcj] C:\WINDOWS\fwvcj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitevbx32.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [474S34l] hnewvdrv.exe
O4 - HKLM\..\Run: [39w] c:\windows\system32\39w.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [rbaluma] C:\WINDOWS\system32\lhfkcps\rbaluma.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~2\SpyWareWall.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe
O4 - HKCU\..\Run: [Prgg] C:\WINDOWS\system32\??oolsv.exe
O4 - HKCU\..\Run: [Okqmv] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Lwv2RQJqW] fwcprovi.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Eeor] C:\Documents and Settings\Mary\Application Data\suos.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: popupwall.lnk = C:\Program Files\PopUpWall\PopUpWall.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.10\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171...sCamControl.ocx
O16 - DPF: {CE185270-53A5-11D9-9669-0800200C9A66} - http://www.ouchvideo...mviewer_ic2.cab
O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo...iewer_emg11.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





iSearch log


iSearch Removal Batch 1.00
iSearch Removal Batch 1.00

by Atri


Looking for and terminating running processes

by Atri

Looking for and terminating running processes


Fixing the registry

Fixing the registry

"Registry fix complete"


Removing the Delprot service
"Registry fix complete"
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.



Unregistering and deleting isrvs dll's

Attempting to unregister msdbhk.dll
Attempting to unregister sysupd.dll
Attempting to unregister sysupd.dll

Attempting to delete files and folders


Attempting to delete files and folders

Attempting to delete delprot.ini
Attempting to delete delprot.sys
Attempting to delete
Attempting to delete desktop.exe
Attempting to delete ffisearch.exe
Attempting to delete isearch.xpi
Attempting to delete msdbhk.dll
Attempting to delete mfiltis.dll
Attempting to delete sysupd.dll
Attempting to delete delprot.ini
Attempting to delete delprot.sys
Attempting to delete
Attempting to delete desktop.exe
Attempting to delete ffisearch.exe
Attempting to delete isearch.xpi
Attempting to delete msdbhk.dll
Attempting to delete mfiltis.dll
Attempting to delete sysupd.dll
Attempting to delete isrvs folder
Attempting to delete isrvs\icons folder
Could not delete isrvs folder
Could not delete isrvs\icons folder

Removing bad shortcuts from desktop


Removing bad shortcuts from desktop

If there are "bad" shortcuts remaining on your desktop please report them with your logs!
If there are "bad" shortcuts remaining on your desktop please report them with your logs!

Emptying the Trusted and Restricted zones



!!Please post this log as well as a new HijackThis log on the forum!!

!!Please post this log as well as a new HijackThis log on the forum!!

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)

Ahhhhh, this is what I needed to see :tazz:

Now we can start your cleanup.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#7 drewizspiffy (Topic Starter, Member, 15 posts)

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5A4925DC-6D58-5040-C5B0-948E14F807A6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="America Online"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5701C41D-5885-4E35-B013-100BF38BE2E2}"=""
"{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}"=""
"{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}"=""
"{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}"=""
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{58E0CAE6-4166-460D-86A5-D987AE121C97}"=""
"{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}"=""
"{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}"=""
"{105376F3-0A9C-450F-925E-E39C577DCD34}"=""
"{6421CEBC-D361-46C2-9A76-A329ABAFEC04}"=""
"{E417E5B1-53A8-43D7-A074-41B277189561}"=""
"{C45D161B-1A54-483B-955A-B7591DEFA02B}"=""
"{E7C8F3B9-1336-47B0-A616-231EB01C1503}"=""
"{6BE8887D-09AD-4449-97AF-E391F1421E18}"=""
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{BF9FE0A0-F75F-4E40-BF97-36229700C30D}"=""
"{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}"=""
"{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}"=""
"{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}"=""
"{536CC415-6460-4768-BB0A-B40C4439F179}"=""
"{4056A87A-9055-4911-8513-2F4369DA4283}"=""
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5701C41D-5885-4E35-B013-100BF38BE2E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5701C41D-5885-4E35-B013-100BF38BE2E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5701C41D-5885-4E35-B013-100BF38BE2E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5701C41D-5885-4E35-B013-100BF38BE2E2}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{58E0CAE6-4166-460D-86A5-D987AE121C97}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58E0CAE6-4166-460D-86A5-D987AE121C97}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58E0CAE6-4166-460D-86A5-D987AE121C97}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58E0CAE6-4166-460D-86A5-D987AE121C97}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{105376F3-0A9C-450F-925E-E39C577DCD34}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{105376F3-0A9C-450F-925E-E39C577DCD34}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{105376F3-0A9C-450F-925E-E39C577DCD34}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{105376F3-0A9C-450F-925E-E39C577DCD34}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6421CEBC-D361-46C2-9A76-A329ABAFEC04}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6421CEBC-D361-46C2-9A76-A329ABAFEC04}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6421CEBC-D361-46C2-9A76-A329ABAFEC04}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6421CEBC-D361-46C2-9A76-A329ABAFEC04}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E417E5B1-53A8-43D7-A074-41B277189561}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E417E5B1-53A8-43D7-A074-41B277189561}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E417E5B1-53A8-43D7-A074-41B277189561}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E417E5B1-53A8-43D7-A074-41B277189561}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C45D161B-1A54-483B-955A-B7591DEFA02B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C45D161B-1A54-483B-955A-B7591DEFA02B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C45D161B-1A54-483B-955A-B7591DEFA02B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C45D161B-1A54-483B-955A-B7591DEFA02B}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E7C8F3B9-1336-47B0-A616-231EB01C1503}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7C8F3B9-1336-47B0-A616-231EB01C1503}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7C8F3B9-1336-47B0-A616-231EB01C1503}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7C8F3B9-1336-47B0-A616-231EB01C1503}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6BE8887D-09AD-4449-97AF-E391F1421E18}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE8887D-09AD-4449-97AF-E391F1421E18}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE8887D-09AD-4449-97AF-E391F1421E18}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE8887D-09AD-4449-97AF-E391F1421E18}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BF9FE0A0-F75F-4E40-BF97-36229700C30D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BF9FE0A0-F75F-4E40-BF97-36229700C30D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BF9FE0A0-F75F-4E40-BF97-36229700C30D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BF9FE0A0-F75F-4E40-BF97-36229700C30D}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{536CC415-6460-4768-BB0A-B40C4439F179}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{536CC415-6460-4768-BB0A-B40C4439F179}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{536CC415-6460-4768-BB0A-B40C4439F179}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{536CC415-6460-4768-BB0A-B40C4439F179}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4056A87A-9055-4911-8513-2F4369DA4283}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4056A87A-9055-4911-8513-2F4369DA4283}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4056A87A-9055-4911-8513-2F4369DA4283}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4056A87A-9055-4911-8513-2F4369DA4283}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E065-7AA0

Directory of C:\WINDOWS\System32

06/25/2005 02:02 PM <DIR> dllcache
03/08/2005 09:42 PM 475 muu.dll
03/08/2005 12:57 AM 223,710 mvrql9951.dll
03/06/2005 09:28 PM 223,993 jt4807hue.dll
03/02/2005 05:39 PM 225,150 l4r0le9m1h.dll
03/02/2005 05:28 PM 223,139 q268lcju1fo8.dll
03/02/2005 01:48 AM 222,967 f00olad31d0.dll
02/28/2005 12:11 AM 222,990 jtj0071me.dll
02/27/2005 07:23 PM 224,588 l80u0id9e80.dll
02/24/2005 08:53 PM 223,213 d8j00i1me8.dll
02/24/2005 08:46 PM 223,713 i8jq0i15e8.dll
02/24/2005 08:33 PM 223,573 m8po0i73e8.dll
02/18/2005 05:37 PM 224,297 dnr6019se.dll
02/18/2005 05:36 PM 225,957 o066lajs1do6.dll
02/14/2005 08:53 PM 222,959 irrql5951.dll
02/13/2005 09:41 PM 223,032 azaolc331f.dll
02/13/2005 08:42 PM 226,287 o4nsle571h.dll
02/12/2005 04:12 PM 225,709 i2lolc331f.dll
02/09/2005 01:12 AM 223,498 mv8ul9l91.dll
02/08/2005 04:48 PM 224,093 hrrq0595e.dll
02/08/2005 03:47 AM 225,015 cnrsrv.dll
02/08/2005 12:47 AM 223,498 dbauth.dll
02/07/2005 05:59 PM 223,498 GBCollection.dll
02/07/2005 05:56 PM 223,498 SbyLt3Pr.dll
02/07/2005 04:11 AM 222,685 kodsp.dll
02/06/2005 12:38 AM 223,045 irp6l57s1.dll
02/02/2005 11:26 PM 222,553 aza0lclm1fqa.dll
01/31/2005 11:01 PM 222,553 azao0133e.dll
01/30/2005 10:15 PM 222,553 q468leju1ho8.dll
01/30/2005 09:41 PM 222,553 ir24l5fq1.dll
01/30/2005 09:07 PM 225,930 hrro0593e.dll
01/23/2005 11:52 AM 223,030 fp2203foe.dll
01/23/2005 11:44 AM 223,252 g2220cfoef2c0.dll
01/18/2005 01:56 AM 223,038 lv0409dqe.dll
01/16/2005 03:06 AM 224,440 en4ul1h91.dll
01/15/2005 09:01 PM 222,936 dnlo0133e.dll
01/14/2005 11:51 PM 224,579 k6pmlg7116.dll
01/10/2005 08:21 PM 225,095 h8l20i3oe8.dll
01/08/2005 10:33 PM 222,915 i2lo0c33ef.dll
01/08/2005 10:32 PM 222,915 dnrm0191e.dll
01/08/2005 01:51 PM 224,889 mvp8l97u1.dll
01/08/2005 12:24 PM 223,466 t6r8lg9u16.dll
01/08/2005 01:29 AM 222,915 hrl0053me.dll
01/07/2005 08:37 PM 222,915 l22slcf71f2.dll
01/07/2005 08:18 PM 222,915 k280lclm1fqa.dll
01/07/2005 01:17 AM 223,575 o0660ajsedo60.dll
01/07/2005 01:09 AM 222,981 i6600gjme6oa0.dll
01/07/2005 12:01 AM 223,450 hrlq0535e.dll
01/05/2005 01:27 PM 224,325 g6jo0g13e6.dll
01/03/2005 12:24 AM 223,905 p04u0ah9ed4.dll
01/01/2005 01:52 PM 223,542 l0l6la3s1d.dll
12/30/2004 11:39 PM 224,155 fpj6031se.dll
12/29/2004 07:46 PM 223,859 enp2l17o1.dll
12/28/2004 05:09 PM 224,130 dnp2017oe.dll
12/28/2004 03:33 PM 223,859 t88u0il9e8q.dll
12/28/2004 02:11 AM 223,859 h40q0ed5eh0.dll
12/26/2004 01:41 PM 224,269 h0j40a1qed.dll
12/26/2004 01:34 PM 225,425 n66qlgj516o.dll
12/25/2004 12:42 PM 223,859 aza2l55o1.dll
12/25/2004 12:29 PM 223,859 irn2l55o1.dll
12/25/2004 12:22 PM 223,859 gprml3911.dll
12/25/2004 02:57 AM 223,088 l8n40i5qe8.dll
12/24/2004 11:54 PM 223,133 azam01j1e.dll
12/24/2004 05:53 PM 222,656 fplo0333e.dll
12/23/2004 02:07 AM 225,604 jr0025dmg.dll
12/22/2004 11:00 PM 224,272 dn6m01j1e.dll
12/21/2004 05:55 PM 224,220 c6002gdmg60a2.dll
12/21/2004 05:40 PM 226,241 fn2021fmg.dll
12/15/2004 06:44 PM 225,328 l46o0ej3eho.dll
12/13/2004 07:16 PM 223,130 ktp6l77s1.dll
12/13/2004 07:07 PM 224,823 gpr6l39s1.dll
12/11/2004 10:21 PM 225,091 fp8q03l5e.dll
12/11/2004 06:08 PM 224,098 jt8407lqe.dll
12/11/2004 04:05 AM 224,508 aza02g3mg6.dll
12/08/2004 05:30 PM 223,218 l6j8lg1u16.dll
12/07/2004 07:18 PM 226,226 l22s0cf7ef2.dll
11/05/2004 11:31 PM 210,292 7xu.sys
11/05/2004 11:31 PM 239,121 xzgzu.exe
05/25/2003 09:44 PM <DIR> Microsoft
77 File(s) 17,017,984 bytes
2 Dir(s) 48,908,103,680 bytes free
  • 0

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#9
drewizspiffy

    Member

  • Topic Starter
  • Member
  • 15 posts
Good, almost done... thanks again. I've been over at my mother's house for the past few days trying to fix her PC. My own PC is fine, mainly because I know what to open and what not to open, and I have anti-spyware running, but I swear I can't get it through my mother's head that everything on the internet is NOT safe. She's from the old-school "trust everything" way of thinking. But anywho, thanks again.

P.S. Yes, I have beaten her with a large trout... and she still hasn't listened.

Drew

Logfile of HijackThis v1.99.1
Scan saved at 1:27:48 PM, on 06/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\hpdll\tempdl\RAS012505.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\lhfkcps\rbaluma.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mary\Desktop\Drews Pics\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.central.cox.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zKw] C:\documents and settings\mary\local settings\temp\zKw.exe
O4 - HKLM\..\Run: [Zbraa] C:\WINDOWS\uxfna.exe
O4 - HKLM\..\Run: [yjenvowauutxastptrul] C:\WINDOWS\grvyqbvx.exe
O4 - HKLM\..\Run: [xhxhmc] C:\WINDOWS\system32\xhxhmc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\Program Files\hpdll\tempdl\RAS012505.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Oumodt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [TinkoPal] C:\Program Files\TinkoPal\AppStart.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Mary\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [rylyvct] c:\windows\system32\rylyvct.exe
O4 - HKLM\..\Run: [rydgfek] C:\WINDOWS\System32\rylyvct.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
O4 - HKLM\..\Run: [otfulsbgxo] C:\WINDOWS\system32\rylyvct.exe
O4 - HKLM\..\Run: [odochws] C:\WINDOWS\system32\odochws.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [nsj] C:\WINDOWS\nsj.exe
O4 - HKLM\..\Run: [ngftnc] C:\WINDOWS\system32\ngftnc.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vgikgk.exe
O4 - HKLM\..\Run: [mR] C:\windows\temp\mR.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [lloirc] C:\WINDOWS\system32\lloirc.exe
O4 - HKLM\..\Run: [kqltrufn] C:\WINDOWS\system32\kgrsu\kqltrufn.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ikpnkn.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvwvx32.exe
O4 - HKLM\..\Run: [JG0oc3iEv] C:\documents and settings\mary\local settings\temp\JG0oc3iEv.exe
O4 - HKLM\..\Run: [JDhG] C:\documents and settings\mary\local settings\temp\JDhG.exe
O4 - HKLM\..\Run: [JD] C:\documents and settings\mary\local settings\temp\JD.exe
O4 - HKLM\..\Run: [javauu.exe] C:\WINDOWS\system32\javauu.exe
O4 - HKLM\..\Run: [j599pd3s] C:\Program Files\j599pd3s\j599pd3s.exe
O4 - HKLM\..\Run: [ivex] C:\WINDOWS\ivex.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HUGA] C:\documents and settings\mary\local settings\temp\HUGA.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [fwvcj] C:\WINDOWS\fwvcj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitevbx32.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [474S34l] hnewvdrv.exe
O4 - HKLM\..\Run: [39w] c:\windows\system32\39w.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [rbaluma] C:\WINDOWS\system32\lhfkcps\rbaluma.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~2\SpyWareWall.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe
O4 - HKCU\..\Run: [Prgg] C:\WINDOWS\system32\??oolsv.exe
O4 - HKCU\..\Run: [Okqmv] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Lwv2RQJqW] fwcprovi.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Eeor] C:\Documents and Settings\Mary\Application Data\suos.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: popupwall.lnk = C:\Program Files\PopUpWall\PopUpWall.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.10\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171...sCamControl.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





L2Mfix 1.03

Running From:
C:\Documents and Settings\Mary\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Mary\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mary\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 964 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1384 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aza02g3mg6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aza0lclm1fqa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aza2l55o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azam01j1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azao0133e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azaolc331f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\c6002gdmg60a2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cnrsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\d8j00i1me8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dbauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn6m01j1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnlo0133e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnp2017oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnr6019se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnrm0191e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en4ul1h91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enp2l17o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f00olad31d0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fn2021fmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2203foe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8q03l5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpj6031se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fplo0333e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g2220cfoef2c0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g6jo0g13e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\GBCollection.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp8ql3l51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gppul3791.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpr6l39s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gprml3911.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h0j40a1qed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h40q0ed5eh0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h8l20i3oe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrl0053me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrlq0535e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrro0593e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrrq0595e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i2lo0c33ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i2lolc331f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6600gjme6oa0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8jq0i15e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir24l5fq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irn2l55o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irp6l57s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irrql5951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jr0025dmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt4807hue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt8407lqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtj0071me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k280lclm1fqa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6pmlg7116.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kodsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktp6l77s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l0l6la3s1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l22s0cf7ef2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l22slcf71f2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l46o0ej3eho.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l4r0le9m1h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l6j8lg1u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l80u0id9e80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l8n40i5qe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0409dqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m8po0i73e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ul9l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvp8l97u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrql9951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n66qlgj516o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o0660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o066lajs1do6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o4nsle571h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p04u0ah9ed4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q268lcju1fo8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q468leju1ho8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SbyLt3Pr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t6r8lg9u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t88u0il9e8q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uqrfaxa.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\aza02g3mg6.dll
Successfully Deleted: C:\WINDOWS\system32\aza02g3mg6.dll
deleting: C:\WINDOWS\system32\aza0lclm1fqa.dll
Successfully Deleted: C:\WINDOWS\system32\aza0lclm1fqa.dll
deleting: C:\WINDOWS\system32\aza2l55o1.dll
Successfully Deleted: C:\WINDOWS\system32\aza2l55o1.dll
deleting: C:\WINDOWS\system32\azam01j1e.dll
Successfully Deleted: C:\WINDOWS\system32\azam01j1e.dll
deleting: C:\WINDOWS\system32\azao0133e.dll
Successfully Deleted: C:\WINDOWS\system32\azao0133e.dll
deleting: C:\WINDOWS\system32\azaolc331f.dll
Successfully Deleted: C:\WINDOWS\system32\azaolc331f.dll
deleting: C:\WINDOWS\system32\c6002gdmg60a2.dll
Successfully Deleted: C:\WINDOWS\system32\c6002gdmg60a2.dll
deleting: C:\WINDOWS\system32\cnrsrv.dll
Successfully Deleted: C:\WINDOWS\system32\cnrsrv.dll
deleting: C:\WINDOWS\system32\d8j00i1me8.dll
Successfully Deleted: C:\WINDOWS\system32\d8j00i1me8.dll
deleting: C:\WINDOWS\system32\dbauth.dll
Successfully Deleted: C:\WINDOWS\system32\dbauth.dll
deleting: C:\WINDOWS\system32\dn6m01j1e.dll
Successfully Deleted: C:\WINDOWS\system32\dn6m01j1e.dll
deleting: C:\WINDOWS\system32\dnlo0133e.dll
Successfully Deleted: C:\WINDOWS\system32\dnlo0133e.dll
deleting: C:\WINDOWS\system32\dnp2017oe.dll
Successfully Deleted: C:\WINDOWS\system32\dnp2017oe.dll
deleting: C:\WINDOWS\system32\dnr6019se.dll
Successfully Deleted: C:\WINDOWS\system32\dnr6019se.dll
deleting: C:\WINDOWS\system32\dnrm0191e.dll
Successfully Deleted: C:\WINDOWS\system32\dnrm0191e.dll
deleting: C:\WINDOWS\system32\en4ul1h91.dll
Successfully Deleted: C:\WINDOWS\system32\en4ul1h91.dll
deleting: C:\WINDOWS\system32\enp2l17o1.dll
Successfully Deleted: C:\WINDOWS\system32\enp2l17o1.dll
deleting: C:\WINDOWS\system32\f00olad31d0.dll
Successfully Deleted: C:\WINDOWS\system32\f00olad31d0.dll
deleting: C:\WINDOWS\system32\fn2021fmg.dll
Successfully Deleted: C:\WINDOWS\system32\fn2021fmg.dll
deleting: C:\WINDOWS\system32\fp2203foe.dll
Successfully Deleted: C:\WINDOWS\system32\fp2203foe.dll
deleting: C:\WINDOWS\system32\fp8q03l5e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8q03l5e.dll
deleting: C:\WINDOWS\system32\fpj6031se.dll
Successfully Deleted: C:\WINDOWS\system32\fpj6031se.dll
deleting: C:\WINDOWS\system32\fplo0333e.dll
Successfully Deleted: C:\WINDOWS\system32\fplo0333e.dll
deleting: C:\WINDOWS\system32\g2220cfoef2c0.dll
Successfully Deleted: C:\WINDOWS\system32\g2220cfoef2c0.dll
deleting: C:\WINDOWS\system32\g6jo0g13e6.dll
Successfully Deleted: C:\WINDOWS\system32\g6jo0g13e6.dll
deleting: C:\WINDOWS\system32\GBCollection.dll
Successfully Deleted: C:\WINDOWS\system32\GBCollection.dll
deleting: C:\WINDOWS\system32\gp8ql3l51.dll
Successfully Deleted: C:\WINDOWS\system32\gp8ql3l51.dll
deleting: C:\WINDOWS\system32\gppul3791.dll
Successfully Deleted: C:\WINDOWS\system32\gppul3791.dll
deleting: C:\WINDOWS\system32\gpr6l39s1.dll
Successfully Deleted: C:\WINDOWS\system32\gpr6l39s1.dll
deleting: C:\WINDOWS\system32\gprml3911.dll
Successfully Deleted: C:\WINDOWS\system32\gprml3911.dll
deleting: C:\WINDOWS\system32\h0j40a1qed.dll
Successfully Deleted: C:\WINDOWS\system32\h0j40a1qed.dll
deleting: C:\WINDOWS\system32\h40q0ed5eh0.dll
Successfully Deleted: C:\WINDOWS\system32\h40q0ed5eh0.dll
deleting: C:\WINDOWS\system32\h8l20i3oe8.dll
Successfully Deleted: C:\WINDOWS\system32\h8l20i3oe8.dll
deleting: C:\WINDOWS\system32\hrl0053me.dll
Successfully Deleted: C:\WINDOWS\system32\hrl0053me.dll
deleting: C:\WINDOWS\system32\hrlq0535e.dll
Successfully Deleted: C:\WINDOWS\system32\hrlq0535e.dll
deleting: C:\WINDOWS\system32\hrro0593e.dll
Successfully Deleted: C:\WINDOWS\system32\hrro0593e.dll
deleting: C:\WINDOWS\system32\hrrq0595e.dll
Successfully Deleted: C:\WINDOWS\system32\hrrq0595e.dll
deleting: C:\WINDOWS\system32\i2lo0c33ef.dll
Successfully Deleted: C:\WINDOWS\system32\i2lo0c33ef.dll
deleting: C:\WINDOWS\system32\i2lolc331f.dll
Successfully Deleted: C:\WINDOWS\system32\i2lolc331f.dll
deleting: C:\WINDOWS\system32\i6600gjme6oa0.dll
Successfully Deleted: C:\WINDOWS\system32\i6600gjme6oa0.dll
deleting: C:\WINDOWS\system32\i8jq0i15e8.dll
Successfully Deleted: C:\WINDOWS\system32\i8jq0i15e8.dll
deleting: C:\WINDOWS\system32\ir24l5fq1.dll
Successfully Deleted: C:\WINDOWS\system32\ir24l5fq1.dll
deleting: C:\WINDOWS\system32\irn2l55o1.dll
Successfully Deleted: C:\WINDOWS\system32\irn2l55o1.dll
deleting: C:\WINDOWS\system32\irp6l57s1.dll
Successfully Deleted: C:\WINDOWS\system32\irp6l57s1.dll
deleting: C:\WINDOWS\system32\irrql5951.dll
Successfully Deleted: C:\WINDOWS\system32\irrql5951.dll
deleting: C:\WINDOWS\system32\jr0025dmg.dll
Successfully Deleted: C:\WINDOWS\system32\jr0025dmg.dll
deleting: C:\WINDOWS\system32\jt4807hue.dll
Successfully Deleted: C:\WINDOWS\system32\jt4807hue.dll
deleting: C:\WINDOWS\system32\jt8407lqe.dll
Successfully Deleted: C:\WINDOWS\system32\jt8407lqe.dll
deleting: C:\WINDOWS\system32\jtj0071me.dll
Successfully Deleted: C:\WINDOWS\system32\jtj0071me.dll
deleting: C:\WINDOWS\system32\k280lclm1fqa.dll
Successfully Deleted: C:\WINDOWS\system32\k280lclm1fqa.dll
deleting: C:\WINDOWS\system32\k6pmlg7116.dll
Successfully Deleted: C:\WINDOWS\system32\k6pmlg7116.dll
deleting: C:\WINDOWS\system32\kodsp.dll
Successfully Deleted: C:\WINDOWS\system32\kodsp.dll
deleting: C:\WINDOWS\system32\ktp6l77s1.dll
Successfully Deleted: C:\WINDOWS\system32\ktp6l77s1.dll
deleting: C:\WINDOWS\system32\l0l6la3s1d.dll
Successfully Deleted: C:\WINDOWS\system32\l0l6la3s1d.dll
deleting: C:\WINDOWS\system32\l22s0cf7ef2.dll
Successfully Deleted: C:\WINDOWS\system32\l22s0cf7ef2.dll
deleting: C:\WINDOWS\system32\l22slcf71f2.dll
Successfully Deleted: C:\WINDOWS\system32\l22slcf71f2.dll
deleting: C:\WINDOWS\system32\l46o0ej3eho.dll
Successfully Deleted: C:\WINDOWS\system32\l46o0ej3eho.dll
deleting: C:\WINDOWS\system32\l4r0le9m1h.dll
Successfully Deleted: C:\WINDOWS\system32\l4r0le9m1h.dll
deleting: C:\WINDOWS\system32\l6j8lg1u16.dll
Successfully Deleted: C:\WINDOWS\system32\l6j8lg1u16.dll
deleting: C:\WINDOWS\system32\l80u0id9e80.dll
Successfully Deleted: C:\WINDOWS\system32\l80u0id9e80.dll
deleting: C:\WINDOWS\system32\l8n40i5qe8.dll
Successfully Deleted: C:\WINDOWS\system32\l8n40i5qe8.dll
deleting: C:\WINDOWS\system32\lv0409dqe.dll
Successfully Deleted: C:\WINDOWS\system32\lv0409dqe.dll
deleting: C:\WINDOWS\system32\m8po0i73e8.dll
Successfully Deleted: C:\WINDOWS\system32\m8po0i73e8.dll
deleting: C:\WINDOWS\system32\mv8ul9l91.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ul9l91.dll
deleting: C:\WINDOWS\system32\mvp8l97u1.dll
Successfully Deleted: C:\WINDOWS\system32\mvp8l97u1.dll
deleting: C:\WINDOWS\system32\mvrql9951.dll
Successfully Deleted: C:\WINDOWS\system32\mvrql9951.dll
deleting: C:\WINDOWS\system32\n66qlgj516o.dll
Successfully Deleted: C:\WINDOWS\system32\n66qlgj516o.dll
deleting: C:\WINDOWS\system32\o0660ajsedo60.dll
Successfully Deleted: C:\WINDOWS\system32\o0660ajsedo60.dll
deleting: C:\WINDOWS\system32\o066lajs1do6.dll
Successfully Deleted: C:\WINDOWS\system32\o066lajs1do6.dll
deleting: C:\WINDOWS\system32\o4nsle571h.dll
Successfully Deleted: C:\WINDOWS\system32\o4nsle571h.dll
deleting: C:\WINDOWS\system32\p04u0ah9ed4.dll
Successfully Deleted: C:\WINDOWS\system32\p04u0ah9ed4.dll
deleting: C:\WINDOWS\system32\q268lcju1fo8.dll
Successfully Deleted: C:\WINDOWS\system32\q268lcju1fo8.dll
deleting: C:\WINDOWS\system32\q468leju1ho8.dll
Successfully Deleted: C:\WINDOWS\system32\q468leju1ho8.dll
deleting: C:\WINDOWS\system32\SbyLt3Pr.dll
Successfully Deleted: C:\WINDOWS\system32\SbyLt3Pr.dll
deleting: C:\WINDOWS\system32\t6r8lg9u16.dll
Successfully Deleted: C:\WINDOWS\system32\t6r8lg9u16.dll
deleting: C:\WINDOWS\system32\t88u0il9e8q.dll
Successfully Deleted: C:\WINDOWS\system32\t88u0il9e8q.dll
deleting: C:\WINDOWS\system32\uqrfaxa.dll
Successfully Deleted: C:\WINDOWS\system32\uqrfaxa.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aza02g3mg6.dll (164 bytes security) (deflated 4%)
adding: aza0lclm1fqa.dll (164 bytes security) (deflated 3%)
adding: aza2l55o1.dll (164 bytes security) (deflated 4%)
adding: azam01j1e.dll (164 bytes security) (deflated 4%)
adding: azao0133e.dll (164 bytes security) (deflated 3%)
adding: azaolc331f.dll (164 bytes security) (deflated 4%)
adding: c6002gdmg60a2.dll (164 bytes security) (deflated 4%)
adding: cnrsrv.dll (164 bytes security) (deflated 4%)
adding: d8j00i1me8.dll (164 bytes security) (deflated 4%)
adding: dbauth.dll (164 bytes security) (deflated 4%)
adding: dn6m01j1e.dll (164 bytes security) (deflated 4%)
adding: dnlo0133e.dll (164 bytes security) (deflated 4%)
adding: dnp2017oe.dll (164 bytes security) (deflated 4%)
adding: dnr6019se.dll (164 bytes security) (deflated 4%)
adding: dnrm0191e.dll (164 bytes security) (deflated 4%)
adding: en4ul1h91.dll (164 bytes security) (deflated 4%)
adding: enp2l17o1.dll (164 bytes security) (deflated 4%)
adding: f00olad31d0.dll (164 bytes security) (deflated 4%)
adding: fn2021fmg.dll (164 bytes security) (deflated 5%)
adding: fp2203foe.dll (164 bytes security) (deflated 4%)
adding: fp8q03l5e.dll (164 bytes security) (deflated 4%)
adding: fpj6031se.dll (164 bytes security) (deflated 4%)
adding: fplo0333e.dll (164 bytes security) (deflated 3%)
adding: g2220cfoef2c0.dll (164 bytes security) (deflated 4%)
adding: g6jo0g13e6.dll (164 bytes security) (deflated 4%)
adding: GBCollection.dll (164 bytes security) (deflated 4%)
adding: gp8ql3l51.dll (164 bytes security) (deflated 4%)
adding: gppul3791.dll (164 bytes security) (deflated 5%)
adding: gpr6l39s1.dll (164 bytes security) (deflated 4%)
adding: gprml3911.dll (164 bytes security) (deflated 4%)
adding: h0j40a1qed.dll (164 bytes security) (deflated 4%)
adding: h40q0ed5eh0.dll (164 bytes security) (deflated 4%)
adding: h8l20i3oe8.dll (164 bytes security) (deflated 5%)
adding: hrl0053me.dll (164 bytes security) (deflated 4%)
adding: hrlq0535e.dll (164 bytes security) (deflated 4%)
adding: hrro0593e.dll (164 bytes security) (deflated 5%)
adding: hrrq0595e.dll (164 bytes security) (deflated 4%)
adding: i2lo0c33ef.dll (164 bytes security) (deflated 4%)
adding: i2lolc331f.dll (164 bytes security) (deflated 5%)
adding: i6600gjme6oa0.dll (164 bytes security) (deflated 4%)
adding: i8jq0i15e8.dll (164 bytes security) (deflated 4%)
adding: ir24l5fq1.dll (164 bytes security) (deflated 3%)
adding: irn2l55o1.dll (164 bytes security) (deflated 4%)
adding: irp6l57s1.dll (164 bytes security) (deflated 4%)
adding: irrql5951.dll (164 bytes security) (deflated 4%)
adding: jr0025dmg.dll (164 bytes security) (deflated 5%)
adding: jt4807hue.dll (164 bytes security) (deflated 4%)
adding: jt8407lqe.dll (164 bytes security) (deflated 4%)
adding: jtj0071me.dll (164 bytes security) (deflated 4%)
adding: k280lclm1fqa.dll (164 bytes security) (deflated 4%)
adding: k6pmlg7116.dll (164 bytes security) (deflated 4%)
adding: kodsp.dll (164 bytes security) (deflated 3%)
adding: ktp6l77s1.dll (164 bytes security) (deflated 4%)
adding: l0l6la3s1d.dll (164 bytes security) (deflated 4%)
adding: l22s0cf7ef2.dll (164 bytes security) (deflated 5%)
adding: l22slcf71f2.dll (164 bytes security) (deflated 4%)
adding: l46o0ej3eho.dll (164 bytes security) (deflated 5%)
adding: l4r0le9m1h.dll (164 bytes security) (deflated 5%)
adding: l6j8lg1u16.dll (164 bytes security) (deflated 4%)
adding: l80u0id9e80.dll (164 bytes security) (deflated 4%)
adding: l8n40i5qe8.dll (164 bytes security) (deflated 4%)
adding: lv0409dqe.dll (164 bytes security) (deflated 4%)
adding: m8po0i73e8.dll (164 bytes security) (deflated 4%)
adding: mv8ul9l91.dll (164 bytes security) (deflated 4%)
adding: mvp8l97u1.dll (164 bytes security) (deflated 4%)
adding: mvrql9951.dll (164 bytes security) (deflated 4%)
adding: n66qlgj516o.dll (164 bytes security) (deflated 5%)
adding: o0660ajsedo60.dll (164 bytes security) (deflated 4%)
adding: o066lajs1do6.dll (164 bytes security) (deflated 5%)
adding: o4nsle571h.dll (164 bytes security) (deflated 5%)
adding: p04u0ah9ed4.dll (164 bytes security) (deflated 4%)
adding: q268lcju1fo8.dll (164 bytes security) (deflated 4%)
adding: q468leju1ho8.dll (164 bytes security) (deflated 3%)
adding: SbyLt3Pr.dll (164 bytes security) (deflated 4%)
adding: t6r8lg9u16.dll (164 bytes security) (deflated 4%)
adding: t88u0il9e8q.dll (164 bytes security) (deflated 4%)
adding: uqrfaxa.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 69%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 88%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (deflated 48%)
adding: test3.txt (164 bytes security) (deflated 48%)
adding: test5.txt (164 bytes security) (deflated 48%)
adding: xfind.txt (164 bytes security) (deflated 79%)
adding: backregs/105376F3-0A9C-450F-925E-E39C577DCD34.reg (164 bytes security) (deflated 71%)
adding: backregs/37C94FEB-49F3-46E3-A8A3-D6A66959CFC3.reg (164 bytes security) (deflated 70%)
adding: backregs/3838F7A4-A38E-4D3C-B668-83F6D2E8BE62.reg (164 bytes security) (deflated 71%)
adding: backregs/4056A87A-9055-4911-8513-2F4369DA4283.reg (164 bytes security) (deflated 71%)
adding: backregs/4A4B92DE-3258-4C24-AAA1-D9966C6105B9.reg (164 bytes security) (deflated 70%)
adding: backregs/536CC415-6460-4768-BB0A-B40C4439F179.reg (164 bytes security) (deflated 71%)
adding: backregs/5701C41D-5885-4E35-B013-100BF38BE2E2.reg (164 bytes security) (deflated 71%)
adding: backregs/58E0CAE6-4166-460D-86A5-D987AE121C97.reg (164 bytes security) (deflated 70%)
adding: backregs/6421CEBC-D361-46C2-9A76-A329ABAFEC04.reg (164 bytes security) (deflated 71%)
adding: backregs/6BE8887D-09AD-4449-97AF-E391F1421E18.reg (164 bytes security) (deflated 71%)
adding: backregs/8AC0BAA5-F4D7-40D5-A95E-8A3931151402.reg (164 bytes security) (deflated 71%)
adding: backregs/A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D.reg (164 bytes security) (deflated 71%)
adding: backregs/ADD21D69-F58C-4FE7-80EF-6A26B6182C3C.reg (164 bytes security) (deflated 70%)
adding: backregs/B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B.reg (164 bytes security) (deflated 71%)
adding: backregs/BF9FE0A0-F75F-4E40-BF97-36229700C30D.reg (164 bytes security) (deflated 71%)
adding: backregs/C45D161B-1A54-483B-955A-B7591DEFA02B.reg (164 bytes security) (deflated 71%)
adding: backregs/CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE.reg (164 bytes security) (deflated 71%)
adding: backregs/E417E5B1-53A8-43D7-A074-41B277189561.reg (164 bytes security) (deflated 71%)
adding: backregs/E7C8F3B9-1336-47B0-A616-231EB01C1503.reg (164 bytes security) (deflated 71%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza02g3mg6.dll
deleting local copy: aza0lclm1fqa.dll
deleting local copy: aza2l55o1.dll
deleting local copy: azam01j1e.dll
deleting local copy: azao0133e.dll
deleting local copy: azaolc331f.dll
deleting local copy: c6002gdmg60a2.dll
deleting local copy: cnrsrv.dll
deleting local copy: d8j00i1me8.dll
deleting local copy: dbauth.dll
deleting local copy: dn6m01j1e.dll
deleting local copy: dnlo0133e.dll
deleting local copy: dnp2017oe.dll
deleting local copy: dnr6019se.dll
deleting local copy: dnrm0191e.dll
deleting local copy: en4ul1h91.dll
deleting local copy: enp2l17o1.dll
deleting local copy: f00olad31d0.dll
deleting local copy: fn2021fmg.dll
deleting local copy: fp2203foe.dll
deleting local copy: fp8q03l5e.dll
deleting local copy: fpj6031se.dll
deleting local copy: fplo0333e.dll
deleting local copy: g2220cfoef2c0.dll
deleting local copy: g6jo0g13e6.dll
deleting local copy: GBCollection.dll
deleting local copy: gp8ql3l51.dll
deleting local copy: gppul3791.dll
deleting local copy: gpr6l39s1.dll
deleting local copy: gprml3911.dll
deleting local copy: h0j40a1qed.dll
deleting local copy: h40q0ed5eh0.dll
deleting local copy: h8l20i3oe8.dll
deleting local copy: hrl0053me.dll
deleting local copy: hrlq0535e.dll
deleting local copy: hrro0593e.dll
deleting local copy: hrrq0595e.dll
deleting local copy: i2lo0c33ef.dll
deleting local copy: i2lolc331f.dll
deleting local copy: i6600gjme6oa0.dll
deleting local copy: i8jq0i15e8.dll
deleting local copy: ir24l5fq1.dll
deleting local copy: irn2l55o1.dll
deleting local copy: irp6l57s1.dll
deleting local copy: irrql5951.dll
deleting local copy: jr0025dmg.dll
deleting local copy: jt4807hue.dll
deleting local copy: jt8407lqe.dll
deleting local copy: jtj0071me.dll
deleting local copy: k280lclm1fqa.dll
deleting local copy: k6pmlg7116.dll
deleting local copy: kodsp.dll
deleting local copy: ktp6l77s1.dll
deleting local copy: l0l6la3s1d.dll
deleting local copy: l22s0cf7ef2.dll
deleting local copy: l22slcf71f2.dll
deleting local copy: l46o0ej3eho.dll
deleting local copy: l4r0le9m1h.dll
deleting local copy: l6j8lg1u16.dll
deleting local copy: l80u0id9e80.dll
deleting local copy: l8n40i5qe8.dll
deleting local copy: lv0409dqe.dll
deleting local copy: m8po0i73e8.dll
deleting local copy: mv8ul9l91.dll
deleting local copy: mvp8l97u1.dll
deleting local copy: mvrql9951.dll
deleting local copy: n66qlgj516o.dll
deleting local copy: o0660ajsedo60.dll
deleting local copy: o066lajs1do6.dll
deleting local copy: o4nsle571h.dll
deleting local copy: p04u0ah9ed4.dll
deleting local copy: q268lcju1fo8.dll
deleting local copy: q468leju1ho8.dll
deleting local copy: SbyLt3Pr.dll
deleting local copy: t6r8lg9u16.dll
deleting local copy: t88u0il9e8q.dll
deleting local copy: uqrfaxa.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza02g3mg6.dll
C:\WINDOWS\system32\aza0lclm1fqa.dll
C:\WINDOWS\system32\aza2l55o1.dll
C:\WINDOWS\system32\azam01j1e.dll
C:\WINDOWS\system32\azao0133e.dll
C:\WINDOWS\system32\azaolc331f.dll
C:\WINDOWS\system32\c6002gdmg60a2.dll
C:\WINDOWS\system32\cnrsrv.dll
C:\WINDOWS\system32\d8j00i1me8.dll
C:\WINDOWS\system32\dbauth.dll
C:\WINDOWS\system32\dn6m01j1e.dll
C:\WINDOWS\system32\dnlo0133e.dll
C:\WINDOWS\system32\dnp2017oe.dll
C:\WINDOWS\system32\dnr6019se.dll
C:\WINDOWS\system32\dnrm0191e.dll
C:\WINDOWS\system32\en4ul1h91.dll
C:\WINDOWS\system32\enp2l17o1.dll
C:\WINDOWS\system32\f00olad31d0.dll
C:\WINDOWS\system32\fn2021fmg.dll
C:\WINDOWS\system32\fp2203foe.dll
C:\WINDOWS\system32\fp8q03l5e.dll
C:\WINDOWS\system32\fpj6031se.dll
C:\WINDOWS\system32\fplo0333e.dll
C:\WINDOWS\system32\g2220cfoef2c0.dll
C:\WINDOWS\system32\g6jo0g13e6.dll
C:\WINDOWS\system32\GBCollection.dll
C:\WINDOWS\system32\gp8ql3l51.dll
C:\WINDOWS\system32\gppul3791.dll
C:\WINDOWS\system32\gpr6l39s1.dll
C:\WINDOWS\system32\gprml3911.dll
C:\WINDOWS\system32\h0j40a1qed.dll
C:\WINDOWS\system32\h40q0ed5eh0.dll
C:\WINDOWS\system32\h8l20i3oe8.dll
C:\WINDOWS\system32\hrl0053me.dll
C:\WINDOWS\system32\hrlq0535e.dll
C:\WINDOWS\system32\hrro0593e.dll
C:\WINDOWS\system32\hrrq0595e.dll
C:\WINDOWS\system32\i2lo0c33ef.dll
C:\WINDOWS\system32\i2lolc331f.dll
C:\WINDOWS\system32\i6600gjme6oa0.dll
C:\WINDOWS\system32\i8jq0i15e8.dll
C:\WINDOWS\system32\ir24l5fq1.dll
C:\WINDOWS\system32\irn2l55o1.dll
C:\WINDOWS\system32\irp6l57s1.dll
C:\WINDOWS\system32\irrql5951.dll
C:\WINDOWS\system32\jr0025dmg.dll
C:\WINDOWS\system32\jt4807hue.dll
C:\WINDOWS\system32\jt8407lqe.dll
C:\WINDOWS\system32\jtj0071me.dll
C:\WINDOWS\system32\k280lclm1fqa.dll
C:\WINDOWS\system32\k6pmlg7116.dll
C:\WINDOWS\system32\kodsp.dll
C:\WINDOWS\system32\ktp6l77s1.dll
C:\WINDOWS\system32\l0l6la3s1d.dll
C:\WINDOWS\system32\l22s0cf7ef2.dll
C:\WINDOWS\system32\l22slcf71f2.dll
C:\WINDOWS\system32\l46o0ej3eho.dll
C:\WINDOWS\system32\l4r0le9m1h.dll
C:\WINDOWS\system32\l6j8lg1u16.dll
C:\WINDOWS\system32\l80u0id9e80.dll
C:\WINDOWS\system32\l8n40i5qe8.dll
C:\WINDOWS\system32\lv0409dqe.dll
C:\WINDOWS\system32\m8po0i73e8.dll
C:\WINDOWS\system32\mv8ul9l91.dll
C:\WINDOWS\system32\mvp8l97u1.dll
C:\WINDOWS\system32\mvrql9951.dll
C:\WINDOWS\system32\n66qlgj516o.dll
C:\WINDOWS\system32\o0660ajsedo60.dll
C:\WINDOWS\system32\o066lajs1do6.dll
C:\WINDOWS\system32\o4nsle571h.dll
C:\WINDOWS\system32\p04u0ah9ed4.dll
C:\WINDOWS\system32\q268lcju1fo8.dll
C:\WINDOWS\system32\q468leju1ho8.dll
C:\WINDOWS\system32\SbyLt3Pr.dll
C:\WINDOWS\system32\t6r8lg9u16.dll
C:\WINDOWS\system32\t88u0il9e8q.dll
C:\WINDOWS\system32\uqrfaxa.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5701C41D-5885-4E35-B013-100BF38BE2E2}"=-
"{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}"=-
"{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}"=-
"{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}"=-
"{58E0CAE6-4166-460D-86A5-D987AE121C97}"=-
"{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}"=-
"{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}"=-
"{105376F3-0A9C-450F-925E-E39C577DCD34}"=-
"{6421CEBC-D361-46C2-9A76-A329ABAFEC04}"=-
"{E417E5B1-53A8-43D7-A074-41B277189561}"=-
"{C45D161B-1A54-483B-955A-B7591DEFA02B}"=-
"{E7C8F3B9-1336-47B0-A616-231EB01C1503}"=-
"{6BE8887D-09AD-4449-97AF-E391F1421E18}"=-
"{BF9FE0A0-F75F-4E40-BF97-36229700C30D}"=-
"{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}"=-
"{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}"=-
"{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}"=-
"{536CC415-6460-4768-BB0A-B40C4439F179}"=-
"{4056A87A-9055-4911-8513-2F4369DA4283}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5701C41D-5885-4E35-B013-100BF38BE2E2}]
[-HKEY_CLASSES_ROOT\CLSID\{37C94FEB-49F3-46E3-A8A3-D6A66959CFC3}]
[-HKEY_CLASSES_ROOT\CLSID\{A494F5B0-4B93-46D3-8E2F-F5E0D9AAA98D}]
[-HKEY_CLASSES_ROOT\CLSID\{4A4B92DE-3258-4C24-AAA1-D9966C6105B9}]
[-HKEY_CLASSES_ROOT\CLSID\{58E0CAE6-4166-460D-86A5-D987AE121C97}]
[-HKEY_CLASSES_ROOT\CLSID\{ADD21D69-F58C-4FE7-80EF-6A26B6182C3C}]
[-HKEY_CLASSES_ROOT\CLSID\{CE15ACB4-F7D9-4A0C-98E6-5E63FDEF66BE}]
[-HKEY_CLASSES_ROOT\CLSID\{105376F3-0A9C-450F-925E-E39C577DCD34}]
[-HKEY_CLASSES_ROOT\CLSID\{6421CEBC-D361-46C2-9A76-A329ABAFEC04}]
[-HKEY_CLASSES_ROOT\CLSID\{E417E5B1-53A8-43D7-A074-41B277189561}]
[-HKEY_CLASSES_ROOT\CLSID\{C45D161B-1A54-483B-955A-B7591DEFA02B}]
[-HKEY_CLASSES_ROOT\CLSID\{E7C8F3B9-1336-47B0-A616-231EB01C1503}]
[-HKEY_CLASSES_ROOT\CLSID\{6BE8887D-09AD-4449-97AF-E391F1421E18}]
[-HKEY_CLASSES_ROOT\CLSID\{BF9FE0A0-F75F-4E40-BF97-36229700C30D}]
[-HKEY_CLASSES_ROOT\CLSID\{8AC0BAA5-F4D7-40D5-A95E-8A3931151402}]
[-HKEY_CLASSES_ROOT\CLSID\{3838F7A4-A38E-4D3C-B668-83F6D2E8BE62}]
[-HKEY_CLASSES_ROOT\CLSID\{B2C12BBF-26A0-4C4C-9E45-9BBDCC97C77B}]
[-HKEY_CLASSES_ROOT\CLSID\{536CC415-6460-4768-BB0A-B40C4439F179}]
[-HKEY_CLASSES_ROOT\CLSID
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Well, no, we are not that close to being done. This is a mess :tazz: We'll get it though.

Now let's get another infection that keeps putting crap on that computer.

Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

thanks
  • 0

#11
drewizspiffy

drewizspiffy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnqxqns
<NO NAME> REG_SZ {430de69d-b338-44a8-b871-f1ce84d9534f}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Please run this http://www.visualtou...oads/xp_fix.exe and then run the
Find-Qoologic2.bat again and post the results for me to see
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Disregard this post .. posting problem

Edited by loophole, 27 June 2005 - 03:37 PM.

  • 0

#14
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Disregard this post .. posting problem

Edited by loophole, 27 June 2005 - 03:37 PM.

  • 0

#15
drewizspiffy

drewizspiffy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Downloaded and ran xp fix and here is the log after I ran that file.



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\MZOKZ.DLL
* qoologic C:\WINDOWS\MZOKZ.DLL
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* UPX! C:\WINDOWS\System32\AUTOUP~1.EXE
* UPX! C:\WINDOWS\System32\BLUESTD.EXE
* UPX! C:\WINDOWS\System32\SURFSI~1.EXE
* UPX! C:\WINDOWS\System32\SPORTS~1.DLL
* UPX! C:\WINDOWS\System32\THIN.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IO2UNS.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online 8.0 Tray Icon.lnk
America Online 9.0 Tray Icon.lnk
desktop.ini
Microsoft Office.lnk
Wireless Configuration Utility.lnk

User Startup:
C:\Documents and Settings\Mary\Start Menu\Programs\Startup
.
..
desktop.ini
popupwall.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnqxqns
<NO NAME> REG_SZ {430de69d-b338-44a8-b871-f1ce84d9534f}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0