WinXPhome CWS.Look2Me, BookedSpace, BrowserAid [RESOLVED]


  • This topic is locked This topic is locked

#1 KGHN (Member, 66 posts)

Greetings, Geeks. I have been working on a friend's XP Home emachine for several days now. She brought it to me because it had bogged down to an unusable crawl. I have removed over 2K (2,000) files/registry entries of nasties so far, but some problems remain. It is set up for DSL, but I only have dialup here, so I am talking to you (& downloading tools) via my W98SE machine and moving files around on CDs. After initial debug efforts...
- I ran WinsockXPFix, and upgraded to WinXP-SP1a without error messages
- CleanUp 4.0 finds a list of items every time it is run.
- Ad-Aware SE 1.06 continues to find/fix BookedSpace (9 items) and BrowserAid (2)
- CWShredder repeatedly finds and "removes" VX2/CWS.Look2Me
- SpyBot 1.4, AVG 7, and F-Prot 3.16c all report no problems
- I checked Add/Remove for rogue products, none
- Ewido can't load its definitions due to an NSIS error
- (Sorry, I can't run Trend Housecall, machine isn't online)
- TDS3 says "RegVal trace suspicious":
    HKLM\software\microsoft\windows\current version\run
    [KavSvc=c:\windows\system32\hklrun.exe reg_run]
- Start\Run\SigVerif ran clean on system files. I saved a list of unsigned files in \windows.
- In a user account SpyBot's TeaTimer reports repeated attempts to modify the registry.
- I deleted Hosts per HJT's advice, but the problem came back
- Other problems I've bumped into during the repair:
    - No wallpaper choice for the main user when desktop is right-clicked. Current wallpaper is a fake IE system error for trojan-spy.html.smitfraud.c.
    - SFC: from DOS C:\> gives err 0x000006ba "RPC server is unavailable"; from Win Start/Run it flashes something on the screen & quits
    - CtrlPanel/System/DeviceManager says "C:\windows\system32\devmgmt.msc can't open" - devmgmt.msc file is present in correct dir per DOS dir, nowhere else
    - Search is disabled - "run Setup" (how?)
    - Help pages load after error when chosen from index but can't search
    - A: not working, even after freshly formatting the diskette on this machine (may just be a bad disk?)
    - Suspicious: in user account, ZoneAlarm says WeirdOnTheWeb.exe's Notifier is trying to access the 'net.

So... Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:57:49 AM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - (no file)
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [239S3qP] msudcmsg.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [uqbjcc] C:\WINDOWS\System32\uqbjcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKLM\..\Run: [eubpxk] c:\windows\system32\eobyehj.exe r
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: rdun.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/...ysb_regular.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mfrd3x40.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks a million for being there, KGHN

#2 tampabelle (Retired Staff, Member 5k, 6,363 posts)

Hi KGHN,

You have a bunch of infections on the PC. We will have to get them in multiple stages.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3 KGHN (Topic Starter, Member, 66 posts)

Hi tampabelle,

I downloaded L2MFIX.exe to my W98SE from each site (they compared OK) and wrote a copy to a CD. I took the CD to the infested machine and copied the file to the desktop. I executed it and clicked Install. I opened the l2mfix folder on the desktop and ran L2MFIX.bat and selected #1 only. Here is the log file:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mfrd3x40.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D1793546-FA10-A36B-4AD3-A00378A093B1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="America Online"
"{D1FB6C78-10FD-45cd-8FF4-8267D62992FB}"="CompuServe"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{C4ADC23A-F243-4263-8E8B-02B5651CB540}"=""
"{D519836E-72B0-4B8A-83BB-6051D5D3319C}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}"="FRISK extension"
"{E443A8D5-D905-4401-8789-16AE23A8A96D}"="FRISK extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C4ADC23A-F243-4263-8E8B-02B5651CB540}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4ADC23A-F243-4263-8E8B-02B5651CB540}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4ADC23A-F243-4263-8E8B-02B5651CB540}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4ADC23A-F243-4263-8E8B-02B5651CB540}\InprocServer32]
@="C:\\WINDOWS\\system32\\axvapi32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D519836E-72B0-4B8A-83BB-6051D5D3319C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D519836E-72B0-4B8A-83BB-6051D5D3319C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D519836E-72B0-4B8A-83BB-6051D5D3319C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D519836E-72B0-4B8A-83BB-6051D5D3319C}\InprocServer32]
@="C:\\WINDOWS\\system32\\moi.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ancups.dll Fri Jun 24 2005 11:50:56a ..S.R 417,792 408.00 K
auptif.dll Sun Jun 26 2005 1:42:38p ..S.R 417,792 408.00 K
axvapi32.dll Tue Jun 28 2005 9:56:46a ..S.R 417,792 408.00 K
ca.dll Mon Jun 6 2005 5:01:18p A.... 77,824 76.00 K
ca2.dll Wed Jun 15 2005 9:47:00p A.... 77,824 76.00 K
cmdlin~1.dll Wed Jun 22 2005 3:56:22p A.... 43,520 42.50 K
cnl3dv2.dll Sat Jun 18 2005 11:10:32p ..S.R 417,792 408.00 K
commun~1.dll Thu Apr 7 2005 12:02:16p A.... 1,263,616 1.20 M
cslbact.dll Tue Jun 21 2005 8:27:44p ..S.R 417,792 408.00 K
danwsock.dll Fri Jun 24 2005 10:12:44a ..S.R 417,792 408.00 K
dcmstor.dll Sun Jun 26 2005 1:37:28p ..S.R 417,792 408.00 K
dpmstor.dll Wed Jun 22 2005 2:20:02p ..S.R 417,792 408.00 K
dvcpcsvc.dll Fri Jun 24 2005 3:59:34p ..S.R 417,792 408.00 K
ehf1873b.dll Thu Jun 16 2005 11:49:50a ..S.R 417,792 408.00 K
etbteg.dll Sun Jun 26 2005 12:10:52p ..S.R 417,792 408.00 K
ezent.dll Thu Jun 16 2005 11:49:56a ..S.R 417,792 408.00 K
gwmf32.dll Mon Jun 27 2005 3:33:24p ..S.R 417,792 408.00 K
heetcfg.dll Tue Jun 21 2005 1:38:16p ..S.R 417,792 408.00 K
hmui.dll Mon Jun 20 2005 9:03:08p ..S.R 417,792 408.00 K
irguv.dll Thu Jun 16 2005 8:28:46p A.... 9,728 9.50 K
kodlt1.dll Mon Jun 27 2005 2:32:54p ..S.R 417,792 408.00 K
ksdtuq.dll Fri Jun 24 2005 4:01:14p ..S.R 417,792 408.00 K
kwdtuq.dll Mon Jun 27 2005 3:02:54p ..S.R 417,792 408.00 K
kzduk.dll Tue Jun 21 2005 7:40:22p ..S.R 417,792 408.00 K
lhcalui.dll Sun Jun 26 2005 12:18:30p ..S.R 417,792 408.00 K
lkeps11n.dll Tue Jun 21 2005 4:59:18p ..S.R 417,792 408.00 K
lvrmonui.dll Mon Jun 27 2005 3:22:02p ..S.R 417,792 408.00 K
mbimg32.dll Sun Jun 26 2005 6:12:52p ..S.R 417,792 408.00 K
mcg4dmod.dll Sun Jun 26 2005 1:14:58p ..S.R 417,792 408.00 K
mfnsspc.dll Tue Jun 21 2005 10:28:34p ..S.R 417,792 408.00 K
mfports.dll Mon Jun 20 2005 9:23:18p ..S.R 417,792 408.00 K
mfrd3x40.dll Mon Jun 27 2005 9:35:14p ..S.R 417,792 408.00 K
misystem.dll Mon Jun 20 2005 10:11:36p ..S.R 417,792 408.00 K
moi.dll Tue Jun 28 2005 10:00:06a ..S.R 417,792 408.00 K
mpvcr70.dll Sat Jun 18 2005 9:08:26p ..S.R 417,792 408.00 K
mpvfw32.dll Mon Jun 20 2005 8:38:04p ..S.R 417,792 408.00 K
mrrapi.dll Mon Jun 27 2005 8:02:40a ..S.R 417,792 408.00 K
msicda.dll Sat Jun 18 2005 10:23:50p ..S.R 417,792 408.00 K
mtvidctl.dll Fri Jun 24 2005 3:00:16p ..S.R 417,792 408.00 K
mtwdat10.dll Thu Jun 16 2005 8:26:04p ..S.R 417,792 408.00 K
neyrcor.dll Thu Jun 16 2005 8:28:46p A.... 27,648 27.00 K
nstevent.dll Mon Jun 27 2005 10:32:30p ..S.R 417,792 408.00 K
ohjsel.dll Sun Jun 26 2005 1:03:16p ..S.R 417,792 408.00 K
pacifisy.dll Fri Jun 17 2005 11:10:04a A.... 22 0.02 K
qlink32.dll Thu May 19 2005 4:37:38p A.... 200,704 196.00 K
rgcss.dll Sat Jun 18 2005 11:02:14p ..S.R 417,792 408.00 K
riipxmib.dll Fri Jun 17 2005 11:05:54a ..S.R 417,792 408.00 K
rzvpmsg.dll Sun Jun 26 2005 1:35:30p ..S.R 417,792 408.00 K
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K
sabcsp.dll Mon Jun 20 2005 10:50:24p ..S.R 417,792 408.00 K
sblwoa.dll Mon Jun 20 2005 8:39:44p ..S.R 417,792 408.00 K
sdsinv.dll Fri Jun 24 2005 2:49:24p ..S.R 417,792 408.00 K
sgftpub.dll Sun Jun 26 2005 1:10:48p ..S.R 417,792 408.00 K
sintf16.dll Wed Jun 22 2005 3:56:36p A.... 12,067 11.78 K
sintf32.dll Wed Jun 22 2005 3:56:36p A.... 17,212 16.81 K
sintfnt.dll Wed Jun 22 2005 3:56:36p A.... 21,840 21.33 K
sllwoa.dll Mon Jun 20 2005 10:19:32p ..S.R 417,792 408.00 K
spgtab.dll Sun Jun 26 2005 1:17:04p ..S.R 417,792 408.00 K
spmapi.dll Mon Jun 27 2005 1:51:32p ..S.R 417,792 408.00 K
srsvcs.dll Thu Jun 16 2005 1:17:46p ..S.R 417,792 408.00 K
ssftpub.dll Thu Jun 16 2005 8:33:36p ..S.R 417,792 408.00 K
stsinv.dll Thu Jun 16 2005 8:45:50p ..S.R 417,792 408.00 K
suayerxp.dll Mon Jun 20 2005 9:06:36p ..S.R 417,792 408.00 K
sumsrv.dll Mon Jun 27 2005 2:52:30p ..S.R 417,792 408.00 K
supdate.dll Thu Jun 16 2005 8:28:34p A.... 29,184 28.50 K
uhandlg.dll Tue Jun 21 2005 6:58:36p ..S.R 417,792 408.00 K
vbpubapi.dll Tue Jun 21 2005 10:37:06p ..S.R 417,792 408.00 K
vxrsion.dll Fri Jun 24 2005 10:04:48a ..S.R 417,792 408.00 K
wanfax.dll Tue Jun 21 2005 8:02:12p ..S.R 417,792 408.00 K
wtfeman.dll Mon Jun 27 2005 7:53:24p ..S.R 417,792 408.00 K
wyploc.dll Mon Jun 27 2005 3:19:00p ..S.R 417,792 408.00 K
wznsock.dll Mon Jun 27 2005 2:23:52p ..S.R 417,792 408.00 K

72 items found: 72 files (59 H/S), 0 directories.
Total of file sizes: 26,522,773 bytes 25.29 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Jun 28 2005 10:17:02a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C435-A9DD

Directory of C:\WINDOWS\System32

06/28/2005 10:17 AM 417,792 guard.tmp
06/28/2005 10:00 AM 417,792 moi.dll
06/28/2005 09:56 AM 417,792 axvapi32.dll
06/27/2005 10:32 PM 417,792 nstevent.dll
06/27/2005 09:35 PM 417,792 mfrd3x40.dll
06/27/2005 07:53 PM 417,792 wtfeman.dll
06/27/2005 03:33 PM 417,792 gwmf32.dll
06/27/2005 03:22 PM 417,792 lvrmonui.dll
06/27/2005 03:19 PM 417,792 wyploc.dll
06/27/2005 03:02 PM 417,792 kwdtuq.dll
06/27/2005 02:57 PM <DIR> dllcache
06/27/2005 02:52 PM 417,792 sUmsrv.dll
06/27/2005 02:32 PM 417,792 kodlt1.dll
06/27/2005 02:23 PM 417,792 wznsock.dll
06/27/2005 01:51 PM 417,792 spmapi.dll
06/27/2005 08:02 AM 417,792 mrrapi.dll
06/26/2005 06:12 PM 417,792 mbimg32.dll
06/26/2005 01:42 PM 417,792 auptif.dll
06/26/2005 01:37 PM 417,792 dcmstor.dll
06/26/2005 01:35 PM 417,792 rzvpmsg.dll
06/26/2005 01:17 PM 417,792 spgtab.dll
06/26/2005 01:14 PM 417,792 mcg4dmod.dll
06/26/2005 01:10 PM 417,792 sgftpub.dll
06/26/2005 01:03 PM 417,792 ohjsel.dll
06/26/2005 12:18 PM 417,792 lhcalui.dll
06/26/2005 12:10 PM 417,792 ETBTEG.DLL
06/24/2005 04:01 PM 417,792 ksdtuq.dll
06/24/2005 03:59 PM 417,792 dvcpcsvc.dll
06/24/2005 03:00 PM 417,792 mtvidctl.dll
06/24/2005 02:49 PM 417,792 sdsinv.dll
06/24/2005 11:50 AM 417,792 ancups.dll
06/24/2005 10:12 AM 417,792 danwsock.dll
06/24/2005 10:04 AM 417,792 vxrsion.dll
06/22/2005 02:20 PM 417,792 dpmstor.dll
06/21/2005 10:37 PM 417,792 vbpubapi.dll
06/21/2005 10:28 PM 417,792 mfnsspc.dll
06/21/2005 08:27 PM 417,792 cslbact.dll
06/21/2005 08:02 PM 417,792 wanfax.dll
06/21/2005 07:40 PM 417,792 kzduk.dll
06/21/2005 06:58 PM 417,792 uhandlg.dll
06/21/2005 04:59 PM 417,792 lkeps11n.dll
06/21/2005 01:38 PM 417,792 heetcfg.dll
06/20/2005 10:50 PM 417,792 sabcsp.dll
06/20/2005 10:19 PM 417,792 sllwoa.dll
06/20/2005 10:11 PM 417,792 misystem.dll
06/20/2005 09:23 PM 417,792 mfports.dll
06/20/2005 09:06 PM 417,792 suayerxp.dll
06/20/2005 09:03 PM 417,792 hmui.dll
06/20/2005 08:39 PM 417,792 sblwoa.dll
06/20/2005 08:38 PM 417,792 mpvfw32.dll
06/18/2005 11:10 PM 417,792 cnl3dv2.dll
06/18/2005 11:02 PM 417,792 rgcss.dll
06/18/2005 10:23 PM 417,792 msicda.dll
06/18/2005 09:08 PM 417,792 mpvcr70.dll
06/17/2005 11:05 AM 417,792 riipxmib.dll
06/16/2005 08:45 PM 417,792 stsinv.dll
06/16/2005 08:33 PM 417,792 ssftpub.dll
06/16/2005 08:26 PM 417,792 mtwdat10.dll
06/16/2005 01:17 PM 417,792 srsvcs.dll
06/16/2005 11:49 AM 417,792 ezent.dll
06/16/2005 11:49 AM 417,792 eHf1873b.dll
12/24/2002 08:32 AM <DIR> Microsoft
60 File(s) 25,067,520 bytes
2 Dir(s) 86,421,950,464 bytes free

Phew! Lots there.
Thank you for volunteering to help me. I look forward to working with you for however many steps it takes. I plan to donate when this machine is ready to use again; this site is a wonderful resource.

KGHN
  • 0
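The directory listing above shows the tell-tale shape of this infection: dozens of randomly named DLLs in System32, every one exactly 417,792 bytes, all written within a few days of each other, plus a `guard.tmp` of the same size. The following is an added example, not code from this thread or from the l2mfix tool: a small Python triage script that parses Windows `dir` output and flags any file size shared by an unusually large number of recently written DLLs. The sample listing is constructed from lines in the post above plus two constructed benign entries with older dates; the cluster threshold (5 files) and the 30-day window are assumptions chosen for illustration, not values from the page.

```python
"""Heuristic triage of a Windows `dir` listing for same-size DLL clusters.

Added example (not part of the forum thread or of l2mfix). It parses `dir`
output and reports sizes shared by many recently written DLL/TMP files, the
pattern visible in the System32 listing posted above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One `dir` line: date, time with AM/PM, size with thousands separators
# (or <DIR> for a directory), then the file name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)

# Constructed sample: the first seven lines are copied from the listing in the
# post above; the last two are constructed benign entries with old timestamps
# (names and sizes are placeholders, not real system-file sizes).
SAMPLE_LISTING = """\
06/28/2005 10:17 AM 417,792 guard.tmp
06/28/2005 10:00 AM 417,792 moi.dll
06/28/2005 09:56 AM 417,792 axvapi32.dll
06/27/2005 10:32 PM 417,792 nstevent.dll
06/27/2005 09:35 PM 417,792 mfrd3x40.dll
06/27/2005 07:53 PM 417,792 wtfeman.dll
06/27/2005 02:57 PM <DIR> dllcache
08/29/2002 03:00 AM 983,552 benign_a.dll
08/29/2002 03:00 AM 1,032,192 benign_b.dll
"""


def parse_dir_listing(text):
    """Return (timestamp, size_in_bytes, name) tuples; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        entries.append((ts, int(m.group(3).replace(",", "")), m.group(4)))
    return entries


def find_size_clusters(entries, min_cluster=5, window_days=30):
    """Group DLL/TMP files by exact byte size and keep only sizes shared by at
    least `min_cluster` files written within `window_days` of the newest entry.
    Returns {size: [names]}; an empty dict means nothing suspicious."""
    if not entries:
        return {}
    cutoff = max(ts for ts, _, _ in entries) - timedelta(days=window_days)
    by_size = defaultdict(list)
    for ts, size, name in entries:
        if ts >= cutoff and name.lower().endswith((".dll", ".tmp")):
            by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) >= min_cluster}


def triage_report(text, min_cluster=5, window_days=30):
    """Human-readable summary lines, one per flagged size cluster."""
    clusters = find_size_clusters(parse_dir_listing(text), min_cluster, window_days)
    return [
        f"{len(names)} recently written files share size {size:,} bytes: "
        + ", ".join(sorted(names))
        for size, names in sorted(clusters.items())
    ]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LISTING):
        print(line)
```

On a real machine you would feed it the output of `dir C:\WINDOWS\System32` saved to a text file; a hit only says "look closer at these files", since a legitimate software package can also install several same-size DLLs, but the combination of identical size, nonsense names and a burst of timestamps is worth a manual check before trusting any scanner that reports the machine clean.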

#4
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#5
KGHN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
L2MFIX log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Tina\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Tina\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Tina\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1300 'explorer.exe'
Killing PID 1136 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1460 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ancups.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ancups.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\auptif.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\auptif.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\axvapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\axvapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cnl3dv2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cnl3dv2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cslbact.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cslbact.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\danwsock.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\danwsock.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcmstor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcmstor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dpmstor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dpmstor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dvcpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dvcpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\eHf1873b.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\eHf1873b.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ETBTEG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ETBTEG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ezent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ezent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gwmf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gwmf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\heetcfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\heetcfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hmui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hmui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kodlt1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kodlt1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzduk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzduk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhcalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhcalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lkeps11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lkeps11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrmonui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrmonui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcg4dmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcg4dmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfnsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfnsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfrd3x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfrd3x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\misystem.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\misystem.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\moi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\moi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpvcr70.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpvcr70.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpvfw32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpvfw32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrrapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrrapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msicda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msicda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtwdat10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtwdat10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nstevent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nstevent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohjsel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohjsel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgcss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgcss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\riipxmib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\riipxmib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzvpmsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzvpmsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sabcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sabcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sblwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sblwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sgftpub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sgftpub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sllwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sllwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spgtab.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spgtab.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spmapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spmapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srsvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srsvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssftpub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssftpub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\suayerxp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\suayerxp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sUmsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sUmsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sycpack.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sycpack.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uhandlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uhandlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vbpubapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vbpubapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vxrsion.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vxrsion.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wanfax.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wanfax.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtfeman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtfeman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyploc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyploc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wznsock.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wznsock.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ancups.dll
Successfully Deleted: C:\WINDOWS\system32\ancups.dll
deleting: C:\WINDOWS\system32\ancups.dll
Successfully Deleted: C:\WINDOWS\system32\ancups.dll
deleting: C:\WINDOWS\system32\auptif.dll
Successfully Deleted: C:\WINDOWS\system32\auptif.dll
deleting: C:\WINDOWS\system32\auptif.dll
Successfully Deleted: C:\WINDOWS\system32\auptif.dll
deleting: C:\WINDOWS\system32\axvapi32.dll
Successfully Deleted: C:\WINDOWS\system32\axvapi32.dll
deleting: C:\WINDOWS\system32\axvapi32.dll
Successfully Deleted: C:\WINDOWS\system32\axvapi32.dll
deleting: C:\WINDOWS\system32\cnl3dv2.dll
Successfully Deleted: C:\WINDOWS\system32\cnl3dv2.dll
deleting: C:\WINDOWS\system32\cnl3dv2.dll
Successfully Deleted: C:\WINDOWS\system32\cnl3dv2.dll
deleting: C:\WINDOWS\system32\cslbact.dll
Successfully Deleted: C:\WINDOWS\system32\cslbact.dll
deleting: C:\WINDOWS\system32\cslbact.dll
Successfully Deleted: C:\WINDOWS\system32\cslbact.dll
deleting: C:\WINDOWS\system32\danwsock.dll
Successfully Deleted: C:\WINDOWS\system32\danwsock.dll
deleting: C:\WINDOWS\system32\danwsock.dll
Successfully Deleted: C:\WINDOWS\system32\danwsock.dll
deleting: C:\WINDOWS\system32\dcmstor.dll
Successfully Deleted: C:\WINDOWS\system32\dcmstor.dll
deleting: C:\WINDOWS\system32\dcmstor.dll
Successfully Deleted: C:\WINDOWS\system32\dcmstor.dll
deleting: C:\WINDOWS\system32\dpmstor.dll
Successfully Deleted: C:\WINDOWS\system32\dpmstor.dll
deleting: C:\WINDOWS\system32\dpmstor.dll
Successfully Deleted: C:\WINDOWS\system32\dpmstor.dll
deleting: C:\WINDOWS\system32\dvcpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\dvcpcsvc.dll
deleting: C:\WINDOWS\system32\dvcpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\dvcpcsvc.dll
deleting: C:\WINDOWS\system32\eHf1873b.dll
Successfully Deleted: C:\WINDOWS\system32\eHf1873b.dll
deleting: C:\WINDOWS\system32\eHf1873b.dll
Successfully Deleted: C:\WINDOWS\system32\eHf1873b.dll
deleting: C:\WINDOWS\system32\ETBTEG.DLL
Successfully Deleted: C:\WINDOWS\system32\ETBTEG.DLL
deleting: C:\WINDOWS\system32\ETBTEG.DLL
Successfully Deleted: C:\WINDOWS\system32\ETBTEG.DLL
deleting: C:\WINDOWS\system32\ezent.dll
Successfully Deleted: C:\WINDOWS\system32\ezent.dll
deleting: C:\WINDOWS\system32\ezent.dll
Successfully Deleted: C:\WINDOWS\system32\ezent.dll
deleting: C:\WINDOWS\system32\gwmf32.dll
Successfully Deleted: C:\WINDOWS\system32\gwmf32.dll
deleting: C:\WINDOWS\system32\gwmf32.dll
Successfully Deleted: C:\WINDOWS\system32\gwmf32.dll
deleting: C:\WINDOWS\system32\heetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\heetcfg.dll
deleting: C:\WINDOWS\system32\heetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\heetcfg.dll
deleting: C:\WINDOWS\system32\hmui.dll
Successfully Deleted: C:\WINDOWS\system32\hmui.dll
deleting: C:\WINDOWS\system32\hmui.dll
Successfully Deleted: C:\WINDOWS\system32\hmui.dll
deleting: C:\WINDOWS\system32\kodlt1.dll
Successfully Deleted: C:\WINDOWS\system32\kodlt1.dll
deleting: C:\WINDOWS\system32\kodlt1.dll
Successfully Deleted: C:\WINDOWS\system32\kodlt1.dll
deleting: C:\WINDOWS\system32\ksdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\ksdtuq.dll
deleting: C:\WINDOWS\system32\ksdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\ksdtuq.dll
deleting: C:\WINDOWS\system32\kwdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\kwdtuq.dll
deleting: C:\WINDOWS\system32\kwdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\kwdtuq.dll
deleting: C:\WINDOWS\system32\kzduk.dll
Successfully Deleted: C:\WINDOWS\system32\kzduk.dll
deleting: C:\WINDOWS\system32\kzduk.dll
Successfully Deleted: C:\WINDOWS\system32\kzduk.dll
deleting: C:\WINDOWS\system32\lhcalui.dll
Successfully Deleted: C:\WINDOWS\system32\lhcalui.dll
deleting: C:\WINDOWS\system32\lhcalui.dll
Successfully Deleted: C:\WINDOWS\system32\lhcalui.dll
deleting: C:\WINDOWS\system32\lkeps11n.dll
Successfully Deleted: C:\WINDOWS\system32\lkeps11n.dll
deleting: C:\WINDOWS\system32\lkeps11n.dll
Successfully Deleted: C:\WINDOWS\system32\lkeps11n.dll
deleting: C:\WINDOWS\system32\lvrmonui.dll
Successfully Deleted: C:\WINDOWS\system32\lvrmonui.dll
deleting: C:\WINDOWS\system32\lvrmonui.dll
Successfully Deleted: C:\WINDOWS\system32\lvrmonui.dll
deleting: C:\WINDOWS\system32\mbimg32.dll
Successfully Deleted: C:\WINDOWS\system32\mbimg32.dll
deleting: C:\WINDOWS\system32\mbimg32.dll
Successfully Deleted: C:\WINDOWS\system32\mbimg32.dll
deleting: C:\WINDOWS\system32\mcg4dmod.dll
Successfully Deleted: C:\WINDOWS\system32\mcg4dmod.dll
deleting: C:\WINDOWS\system32\mcg4dmod.dll
Successfully Deleted: C:\WINDOWS\system32\mcg4dmod.dll
deleting: C:\WINDOWS\system32\mfnsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mfnsspc.dll
deleting: C:\WINDOWS\system32\mfnsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mfnsspc.dll
deleting: C:\WINDOWS\system32\mfports.dll
Successfully Deleted: C:\WINDOWS\system32\mfports.dll
deleting: C:\WINDOWS\system32\mfports.dll
Successfully Deleted: C:\WINDOWS\system32\mfports.dll
deleting: C:\WINDOWS\system32\mfrd3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mfrd3x40.dll
deleting: C:\WINDOWS\system32\mfrd3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mfrd3x40.dll
deleting: C:\WINDOWS\system32\misystem.dll
Successfully Deleted: C:\WINDOWS\system32\misystem.dll
deleting: C:\WINDOWS\system32\misystem.dll
Successfully Deleted: C:\WINDOWS\system32\misystem.dll
deleting: C:\WINDOWS\system32\moi.dll
Successfully Deleted: C:\WINDOWS\system32\moi.dll
deleting: C:\WINDOWS\system32\moi.dll
Successfully Deleted: C:\WINDOWS\system32\moi.dll
deleting: C:\WINDOWS\system32\mpvcr70.dll
Successfully Deleted: C:\WINDOWS\system32\mpvcr70.dll
deleting: C:\WINDOWS\system32\mpvcr70.dll
Successfully Deleted: C:\WINDOWS\system32\mpvcr70.dll
deleting: C:\WINDOWS\system32\mpvfw32.dll
Successfully Deleted: C:\WINDOWS\system32\mpvfw32.dll
deleting: C:\WINDOWS\system32\mpvfw32.dll
Successfully Deleted: C:\WINDOWS\system32\mpvfw32.dll
deleting: C:\WINDOWS\system32\mrrapi.dll
Successfully Deleted: C:\WINDOWS\system32\mrrapi.dll
deleting: C:\WINDOWS\system32\mrrapi.dll
Successfully Deleted: C:\WINDOWS\system32\mrrapi.dll
deleting: C:\WINDOWS\system32\msicda.dll
Successfully Deleted: C:\WINDOWS\system32\msicda.dll
deleting: C:\WINDOWS\system32\msicda.dll
Successfully Deleted: C:\WINDOWS\system32\msicda.dll
deleting: C:\WINDOWS\system32\mtvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\mtvidctl.dll
deleting: C:\WINDOWS\system32\mtvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\mtvidctl.dll
deleting: C:\WINDOWS\system32\mtwdat10.dll
Successfully Deleted: C:\WINDOWS\system32\mtwdat10.dll
deleting: C:\WINDOWS\system32\mtwdat10.dll
Successfully Deleted: C:\WINDOWS\system32\mtwdat10.dll
deleting: C:\WINDOWS\system32\nstevent.dll
Successfully Deleted: C:\WINDOWS\system32\nstevent.dll
deleting: C:\WINDOWS\system32\nstevent.dll
Successfully Deleted: C:\WINDOWS\system32\nstevent.dll
deleting: C:\WINDOWS\system32\ohjsel.dll
Successfully Deleted: C:\WINDOWS\system32\ohjsel.dll
deleting: C:\WINDOWS\system32\ohjsel.dll
Successfully Deleted: C:\WINDOWS\system32\ohjsel.dll
deleting: C:\WINDOWS\system32\rgcss.dll
Successfully Deleted: C:\WINDOWS\system32\rgcss.dll
deleting: C:\WINDOWS\system32\rgcss.dll
Successfully Deleted: C:\WINDOWS\system32\rgcss.dll
deleting: C:\WINDOWS\system32\riipxmib.dll
Successfully Deleted: C:\WINDOWS\system32\riipxmib.dll
deleting: C:\WINDOWS\system32\riipxmib.dll
Successfully Deleted: C:\WINDOWS\system32\riipxmib.dll
deleting: C:\WINDOWS\system32\rzvpmsg.dll
Successfully Deleted: C:\WINDOWS\system32\rzvpmsg.dll
deleting: C:\WINDOWS\system32\rzvpmsg.dll
Successfully Deleted: C:\WINDOWS\system32\rzvpmsg.dll
deleting: C:\WINDOWS\system32\sabcsp.dll
Successfully Deleted: C:\WINDOWS\system32\sabcsp.dll
deleting: C:\WINDOWS\system32\sabcsp.dll
Successfully Deleted: C:\WINDOWS\system32\sabcsp.dll
deleting: C:\WINDOWS\system32\sblwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sblwoa.dll
deleting: C:\WINDOWS\system32\sblwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sblwoa.dll
deleting: C:\WINDOWS\system32\sdsinv.dll
Successfully Deleted: C:\WINDOWS\system32\sdsinv.dll
deleting: C:\WINDOWS\system32\sdsinv.dll
Successfully Deleted: C:\WINDOWS\system32\sdsinv.dll
deleting: C:\WINDOWS\system32\sgftpub.dll
Successfully Deleted: C:\WINDOWS\system32\sgftpub.dll
deleting: C:\WINDOWS\system32\sgftpub.dll
Successfully Deleted: C:\WINDOWS\system32\sgftpub.dll
deleting: C:\WINDOWS\system32\sllwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sllwoa.dll
deleting: C:\WINDOWS\system32\sllwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sllwoa.dll
deleting: C:\WINDOWS\system32\spgtab.dll
Successfully Deleted: C:\WINDOWS\system32\spgtab.dll
deleting: C:\WINDOWS\system32\spgtab.dll
Successfully Deleted: C:\WINDOWS\system32\spgtab.dll
deleting: C:\WINDOWS\system32\spmapi.dll
Successfully Deleted: C:\WINDOWS\system32\spmapi.dll
deleting: C:\WINDOWS\system32\spmapi.dll
Successfully Deleted: C:\WINDOWS\system32\spmapi.dll
deleting: C:\WINDOWS\system32\srsvcs.dll
Successfully Deleted: C:\WINDOWS\system32\srsvcs.dll
deleting: C:\WINDOWS\system32\srsvcs.dll
Successfully Deleted: C:\WINDOWS\system32\srsvcs.dll
deleting: C:\WINDOWS\system32\ssftpub.dll
Successfully Deleted: C:\WINDOWS\system32\ssftpub.dll
deleting: C:\WINDOWS\system32\ssftpub.dll
Successfully Deleted: C:\WINDOWS\system32\ssftpub.dll
deleting: C:\WINDOWS\system32\stsinv.dll
Successfully Deleted: C:\WINDOWS\system32\stsinv.dll
deleting: C:\WINDOWS\system32\stsinv.dll
Successfully Deleted: C:\WINDOWS\system32\stsinv.dll
deleting: C:\WINDOWS\system32\suayerxp.dll
Successfully Deleted: C:\WINDOWS\system32\suayerxp.dll
deleting: C:\WINDOWS\system32\suayerxp.dll
Successfully Deleted: C:\WINDOWS\system32\suayerxp.dll
deleting: C:\WINDOWS\system32\sUmsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sUmsrv.dll
deleting: C:\WINDOWS\system32\sUmsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sUmsrv.dll
deleting: C:\WINDOWS\system32\sycpack.dll
Successfully Deleted: C:\WINDOWS\system32\sycpack.dll
deleting: C:\WINDOWS\system32\sycpack.dll
Successfully Deleted: C:\WINDOWS\system32\sycpack.dll
deleting: C:\WINDOWS\system32\uhandlg.dll
Successfully Deleted: C:\WINDOWS\system32\uhandlg.dll
deleting: C:\WINDOWS\system32\uhandlg.dll
Successfully Deleted: C:\WINDOWS\system32\uhandlg.dll
deleting: C:\WINDOWS\system32\vbpubapi.dll
Successfully Deleted: C:\WINDOWS\system32\vbpubapi.dll
deleting: C:\WINDOWS\system32\vbpubapi.dll
Successfully Deleted: C:\WINDOWS\system32\vbpubapi.dll
deleting: C:\WINDOWS\system32\vxrsion.dll
Successfully Deleted: C:\WINDOWS\system32\vxrsion.dll
deleting: C:\WINDOWS\system32\vxrsion.dll
Successfully Deleted: C:\WINDOWS\system32\vxrsion.dll
deleting: C:\WINDOWS\system32\wanfax.dll
Successfully Deleted: C:\WINDOWS\system32\wanfax.dll
deleting: C:\WINDOWS\system32\wanfax.dll
Successfully Deleted: C:\WINDOWS\system32\wanfax.dll
deleting: C:\WINDOWS\system32\wtfeman.dll
Successfully Deleted: C:\WINDOWS\system32\wtfeman.dll
deleting: C:\WINDOWS\system32\wtfeman.dll
Successfully Deleted: C:\WINDOWS\system32\wtfeman.dll
deleting: C:\WINDOWS\system32\wyploc.dll
Successfully Deleted: C:\WINDOWS\system32\wyploc.dll
deleting: C:\WINDOWS\system32\wyploc.dll
Successfully Deleted: C:\WINDOWS\system32\wyploc.dll
deleting: C:\WINDOWS\system32\wznsock.dll
Successfully Deleted: C:\WINDOWS\system32\wznsock.dll
deleting: C:\WINDOWS\system32\wznsock.dll
Successfully Deleted: C:\WINDOWS\system32\wznsock.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: ancups.dll (164 bytes security) (deflated 48%)
adding: auptif.dll (164 bytes security) (deflated 48%)
adding: axvapi32.dll (164 bytes security) (deflated 48%)
adding: cnl3dv2.dll (164 bytes security) (deflated 48%)
adding: cslbact.dll (164 bytes security) (deflated 48%)
adding: danwsock.dll (164 bytes security) (deflated 48%)
adding: dcmstor.dll (164 bytes security) (deflated 48%)
adding: dpmstor.dll (164 bytes security) (deflated 48%)
adding: dvcpcsvc.dll (164 bytes security) (deflated 48%)
adding: eHf1873b.dll (164 bytes security) (deflated 48%)
adding: ETBTEG.DLL (164 bytes security) (deflated 48%)
adding: ezent.dll (164 bytes security) (deflated 48%)
adding: gwmf32.dll (164 bytes security) (deflated 48%)
adding: heetcfg.dll (164 bytes security) (deflated 48%)
adding: hmui.dll (164 bytes security) (deflated 48%)
adding: kodlt1.dll (164 bytes security) (deflated 48%)
adding: ksdtuq.dll (164 bytes security) (deflated 48%)
adding: kwdtuq.dll (164 bytes security) (deflated 48%)
adding: kzduk.dll (164 bytes security) (deflated 48%)
adding: lhcalui.dll (164 bytes security) (deflated 48%)
adding: lkeps11n.dll (164 bytes security) (deflated 48%)
adding: lvrmonui.dll (164 bytes security) (deflated 48%)
adding: mbimg32.dll (164 bytes security) (deflated 48%)
adding: mcg4dmod.dll (164 bytes security) (deflated 48%)
adding: mfnsspc.dll (164 bytes security) (deflated 48%)
adding: mfports.dll (164 bytes security) (deflated 48%)
adding: mfrd3x40.dll (164 bytes security) (deflated 48%)
adding: misystem.dll (164 bytes security) (deflated 48%)
adding: moi.dll (164 bytes security) (deflated 48%)
adding: mpvcr70.dll (164 bytes security) (deflated 48%)
adding: mpvfw32.dll (164 bytes security) (deflated 48%)
adding: mrrapi.dll (164 bytes security) (deflated 48%)
adding: msicda.dll (164 bytes security) (deflated 48%)
adding: mtvidctl.dll (164 bytes security) (deflated 48%)
adding: mtwdat10.dll (164 bytes security) (deflated 48%)
adding: nstevent.dll (164 bytes security) (deflated 48%)
adding: ohjsel.dll (164 bytes security) (deflated 48%)
adding: rgcss.dll (164 bytes security) (deflated 48%)
adding: riipxmib.dll (164 bytes security) (deflated 48%)
adding: rzvpmsg.dll (164 bytes security) (deflated 48%)
adding: sabcsp.dll (164 bytes security) (deflated 48%)
adding: sblwoa.dll (164 bytes security) (deflated 48%)
adding: sdsinv.dll (164 bytes security) (deflated 48%)
adding: sgftpub.dll (164 bytes security) (deflated 48%)
adding: sllwoa.dll (164 bytes security) (deflated 48%)
adding: spgtab.dll (164 bytes security) (deflated 48%)
adding: spmapi.dll (164 bytes security) (deflated 48%)
adding: srsvcs.dll (164 bytes security) (deflated 48%)
adding: ssftpub.dll (164 bytes security) (deflated 48%)
adding: stsinv.dll (164 bytes security) (deflated 48%)
adding: suayerxp.dll (164 bytes security) (deflated 48%)
adding: sUmsrv.dll (164 bytes security) (deflated 48%)
adding: sycpack.dll (164 bytes security) (deflated 48%)
adding: uhandlg.dll (164 bytes security) (deflated 48%)
adding: vbpubapi.dll (164 bytes security) (deflated 48%)
adding: vxrsion.dll (164 bytes security) (deflated 48%)
adding: wanfax.dll (164 bytes security) (deflated 48%)
adding: wtfeman.dll (164 bytes security) (deflated 48%)
adding: wyploc.dll (164 bytes security) (deflated 48%)
adding: wznsock.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 92%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 68%)
adding: test.txt (164 bytes security) (deflated 92%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 89%)
adding: backregs/C4ADC23A-F243-4263-8E8B-02B5651CB540.reg (164 bytes security) (deflated 70%)
adding: backregs/D519836E-72B0-4B8A-83BB-6051D5D3319C.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ancups.dll
deleting local copy: ancups.dll
deleting local copy: auptif.dll
deleting local copy: auptif.dll
deleting local copy: axvapi32.dll
deleting local copy: axvapi32.dll
deleting local copy: cnl3dv2.dll
deleting local copy: cnl3dv2.dll
deleting local copy: cslbact.dll
deleting local copy: cslbact.dll
deleting local copy: danwsock.dll
deleting local copy: danwsock.dll
deleting local copy: dcmstor.dll
deleting local copy: dcmstor.dll
deleting local copy: dpmstor.dll
deleting local copy: dpmstor.dll
deleting local copy: dvcpcsvc.dll
deleting local copy: dvcpcsvc.dll
deleting local copy: eHf1873b.dll
deleting local copy: eHf1873b.dll
deleting local copy: ETBTEG.DLL
deleting local copy: ETBTEG.DLL
deleting local copy: ezent.dll
deleting local copy: ezent.dll
deleting local copy: gwmf32.dll
deleting local copy: gwmf32.dll
deleting local copy: heetcfg.dll
deleting local copy: heetcfg.dll
deleting local copy: hmui.dll
deleting local copy: hmui.dll
deleting local copy: kodlt1.dll
deleting local copy: kodlt1.dll
deleting local copy: ksdtuq.dll
deleting local copy: ksdtuq.dll
deleting local copy: kwdtuq.dll
deleting local copy: kwdtuq.dll
deleting local copy: kzduk.dll
deleting local copy: kzduk.dll
deleting local copy: lhcalui.dll
deleting local copy: lhcalui.dll
deleting local copy: lkeps11n.dll
deleting local copy: lkeps11n.dll
deleting local copy: lvrmonui.dll
deleting local copy: lvrmonui.dll
deleting local copy: mbimg32.dll
deleting local copy: mbimg32.dll
deleting local copy: mcg4dmod.dll
deleting local copy: mcg4dmod.dll
deleting local copy: mfnsspc.dll
deleting local copy: mfnsspc.dll
deleting local copy: mfports.dll
deleting local copy: mfports.dll
deleting local copy: mfrd3x40.dll
deleting local copy: mfrd3x40.dll
deleting local copy: misystem.dll
deleting local copy: misystem.dll
deleting local copy: moi.dll
deleting local copy: moi.dll
deleting local copy: mpvcr70.dll
deleting local copy: mpvcr70.dll
deleting local copy: mpvfw32.dll
deleting local copy: mpvfw32.dll
deleting local copy: mrrapi.dll
deleting local copy: mrrapi.dll
deleting local copy: msicda.dll
deleting local copy: msicda.dll
deleting local copy: mtvidctl.dll
deleting local copy: mtvidctl.dll
deleting local copy: mtwdat10.dll
deleting local copy: mtwdat10.dll
deleting local copy: nstevent.dll
deleting local copy: nstevent.dll
deleting local copy: ohjsel.dll
deleting local copy: ohjsel.dll
deleting local copy: rgcss.dll
deleting local copy: rgcss.dll
deleting local copy: riipxmib.dll
deleting local copy: riipxmib.dll
deleting local copy: rzvpmsg.dll
deleting local copy: rzvpmsg.dll
deleting local copy: sabcsp.dll
deleting local copy: sabcsp.dll
deleting local copy: sblwoa.dll
deleting local copy: sblwoa.dll
deleting local copy: sdsinv.dll
deleting local copy: sdsinv.dll
deleting local copy: sgftpub.dll
deleting local copy: sgftpub.dll
deleting local copy: sllwoa.dll
deleting local copy: sllwoa.dll
deleting local copy: spgtab.dll
deleting local copy: spgtab.dll
deleting local copy: spmapi.dll
deleting local copy: spmapi.dll
deleting local copy: srsvcs.dll
deleting local copy: srsvcs.dll
deleting local copy: ssftpub.dll
deleting local copy: ssftpub.dll
deleting local copy: stsinv.dll
deleting local copy: stsinv.dll
deleting local copy: suayerxp.dll
deleting local copy: suayerxp.dll
deleting local copy: sUmsrv.dll
deleting local copy: sUmsrv.dll
deleting local copy: sycpack.dll
deleting local copy: sycpack.dll
deleting local copy: uhandlg.dll
deleting local copy: uhandlg.dll
deleting local copy: vbpubapi.dll
deleting local copy: vbpubapi.dll
deleting local copy: vxrsion.dll
deleting local copy: vxrsion.dll
deleting local copy: wanfax.dll
deleting local copy: wanfax.dll
deleting local copy: wtfeman.dll
deleting local copy: wtfeman.dll
deleting local copy: wyploc.dll
deleting local copy: wyploc.dll
deleting local copy: wznsock.dll
deleting local copy: wznsock.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ancups.dll
C:\WINDOWS\system32\ancups.dll
C:\WINDOWS\system32\auptif.dll
C:\WINDOWS\system32\auptif.dll
C:\WINDOWS\system32\axvapi32.dll
C:\WINDOWS\system32\axvapi32.dll
C:\WINDOWS\system32\cnl3dv2.dll
C:\WINDOWS\system32\cnl3dv2.dll
C:\WINDOWS\system32\cslbact.dll
C:\WINDOWS\system32\cslbact.dll
C:\WINDOWS\system32\danwsock.dll
C:\WINDOWS\system32\danwsock.dll
C:\WINDOWS\system32\dcmstor.dll
C:\WINDOWS\system32\dcmstor.dll
C:\WINDOWS\system32\dpmstor.dll
C:\WINDOWS\system32\dpmstor.dll
C:\WINDOWS\system32\dvcpcsvc.dll
C:\WINDOWS\system32\dvcpcsvc.dll
C:\WINDOWS\system32\eHf1873b.dll
C:\WINDOWS\system32\eHf1873b.dll
C:\WINDOWS\system32\ETBTEG.DLL
C:\WINDOWS\system32\ETBTEG.DLL
C:\WINDOWS\system32\ezent.dll
C:\WINDOWS\system32\ezent.dll
C:\WINDOWS\system32\gwmf32.dll
C:\WINDOWS\system32\gwmf32.dll
C:\WINDOWS\system32\heetcfg.dll
C:\WINDOWS\system32\heetcfg.dll
C:\WINDOWS\system32\hmui.dll
C:\WINDOWS\system32\hmui.dll
C:\WINDOWS\system32\kodlt1.dll
C:\WINDOWS\system32\kodlt1.dll
C:\WINDOWS\system32\ksdtuq.dll
C:\WINDOWS\system32\ksdtuq.dll
C:\WINDOWS\system32\kwdtuq.dll
C:\WINDOWS\system32\kwdtuq.dll
C:\WINDOWS\system32\kzduk.dll
C:\WINDOWS\system32\kzduk.dll
C:\WINDOWS\system32\lhcalui.dll
C:\WINDOWS\system32\lhcalui.dll
C:\WINDOWS\system32\lkeps11n.dll
C:\WINDOWS\system32\lkeps11n.dll
C:\WINDOWS\system32\lvrmonui.dll
C:\WINDOWS\system32\lvrmonui.dll
C:\WINDOWS\system32\mbimg32.dll
C:\WINDOWS\system32\mbimg32.dll
C:\WINDOWS\system32\mcg4dmod.dll
C:\WINDOWS\system32\mcg4dmod.dll
C:\WINDOWS\system32\mfnsspc.dll
C:\WINDOWS\system32\mfnsspc.dll
C:\WINDOWS\system32\mfports.dll
C:\WINDOWS\system32\mfports.dll
C:\WINDOWS\system32\mfrd3x40.dll
C:\WINDOWS\system32\mfrd3x40.dll
C:\WINDOWS\system32\misystem.dll
C:\WINDOWS\system32\misystem.dll
C:\WINDOWS\system32\moi.dll
C:\WINDOWS\system32\moi.dll
C:\WINDOWS\system32\mpvcr70.dll
C:\WINDOWS\system32\mpvcr70.dll
C:\WINDOWS\system32\mpvfw32.dll
C:\WINDOWS\system32\mpvfw32.dll
C:\WINDOWS\system32\mrrapi.dll
C:\WINDOWS\system32\mrrapi.dll
C:\WINDOWS\system32\msicda.dll
C:\WINDOWS\system32\msicda.dll
C:\WINDOWS\system32\mtvidctl.dll
C:\WINDOWS\system32\mtvidctl.dll
C:\WINDOWS\system32\mtwdat10.dll
C:\WINDOWS\system32\mtwdat10.dll
C:\WINDOWS\system32\nstevent.dll
C:\WINDOWS\system32\nstevent.dll
C:\WINDOWS\system32\ohjsel.dll
C:\WINDOWS\system32\ohjsel.dll
C:\WINDOWS\system32\rgcss.dll
C:\WINDOWS\system32\rgcss.dll
C:\WINDOWS\system32\riipxmib.dll
C:\WINDOWS\system32\riipxmib.dll
C:\WINDOWS\system32\rzvpmsg.dll
C:\WINDOWS\system32\rzvpmsg.dll
C:\WINDOWS\system32\sabcsp.dll
C:\WINDOWS\system32\sabcsp.dll
C:\WINDOWS\system32\sblwoa.dll
C:\WINDOWS\system32\sblwoa.dll
C:\WINDOWS\system32\sdsinv.dll
C:\WINDOWS\system32\sdsinv.dll
C:\WINDOWS\system32\sgftpub.dll
C:\WINDOWS\system32\sgftpub.dll
C:\WINDOWS\system32\sllwoa.dll
C:\WINDOWS\system32\sllwoa.dll
C:\WINDOWS\system32\spgtab.dll
C:\WINDOWS\system32\spgtab.dll
C:\WINDOWS\system32\spmapi.dll
C:\WINDOWS\system32\spmapi.dll
C:\WINDOWS\system32\srsvcs.dll
C:\WINDOWS\system32\srsvcs.dll
C:\WINDOWS\system32\ssftpub.dll
C:\WINDOWS\system32\ssftpub.dll
C:\WINDOWS\system32\stsinv.dll
C:\WINDOWS\system32\stsinv.dll
C:\WINDOWS\system32\suayerxp.dll
C:\WINDOWS\system32\suayerxp.dll
C:\WINDOWS\system32\sUmsrv.dll
C:\WINDOWS\system32\sUmsrv.dll
C:\WINDOWS\system32\sycpack.dll
C:\WINDOWS\system32\sycpack.dll
C:\WINDOWS\system32\uhandlg.dll
C:\WINDOWS\system32\uhandlg.dll
C:\WINDOWS\system32\vbpubapi.dll
C:\WINDOWS\system32\vbpubapi.dll
C:\WINDOWS\system32\vxrsion.dll
C:\WINDOWS\system32\vxrsion.dll
C:\WINDOWS\system32\wanfax.dll
C:\WINDOWS\system32\wanfax.dll
C:\WINDOWS\system32\wtfeman.dll
C:\WINDOWS\system32\wtfeman.dll
C:\WINDOWS\system32\wyploc.dll
C:\WINDOWS\system32\wyploc.dll
C:\WINDOWS\system32\wznsock.dll
C:\WINDOWS\system32\wznsock.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C4ADC23A-F243-4263-8E8B-02B5651CB540}"=-
"{D519836E-72B0-4B8A-83BB-6051D5D3319C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C4ADC23A-F243-4263-8E8B-02B5651CB540}]
[-HKEY_CLASSES_ROOT\CLSID\{D519836E-72B0-4B8A-83BB-6051D5D3319C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:22 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Personal Money Tree\personalmoneytree.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\hklrun.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - (no file)
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [239S3qP] msudcmsg.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [uqbjcc] C:\WINDOWS\System32\uqbjcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKLM\..\Run: [oyaqaie] c:\windows\system32\pnhssr.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/...ysb_regular.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks. KGHN

#6
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi KGHN,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

Make sure the hidden files and system files are showing. Please read this page for more details on how to show these files.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

Please disconnect from the internet. If you have DSL / Cable, then remove the cord between the modem / router and the PC.

Exit from SpyBot S&D as it can interfere with the fix process.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.180.173.39 www.google.ae
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - (no file)
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [239S3qP] msudcmsg.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [uqbjcc] C:\WINDOWS\System32\uqbjcc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKLM\..\Run: [oyaqaie] c:\windows\system32\pnhssr.exe r
O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/...ysb_regular.cab


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

WhenUSearch
Desktop Toolbar
Weird on the Web
Delfin


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Program Files\WeirdOnTheWeb
C:\WINDOWS\System32\nsvsvc
C:\Program Files\Personal Money Tree
C:\Program Files\sf
C:\Program Files\Cas

Files
c:\nosuxxx.mht
C:\WINDOWS\sfita.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\stb.exe
C:\WINDOWS\System32\uqbjcc.exe
C:\WINDOWS\System32\hklrun.exe
c:\windows\system32\pnhssr.exe r
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
msudcmsg.exe
mshplwiz.exe



Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Don't delete the folder, only the files in it!!!!!!!!


Reboot the PC in Normal Mode.

Make sure Spybot S&D is turned on again. Run the program and it will automatically turn on.

Run Hijack This and post a fresh HJT log along with Ewido scan report.
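Added here as an example, not part of this thread and not HijackThis's own code: a small Python triage script for HijackThis-format logs that queues for review the same kinds of entries tampabelle marks for fixing above (the mass Hosts redirect, Trusted Zone additions, blanked or redirected start/search values, and Run entries launching from the Windows directory). The allowlists, the domain threshold and the sample log lines are constructed assumptions.

```python
"""Triage a HijackThis-format log for the hijack patterns fixed in this thread.

Added example, not from the thread or from HijackThis. It parses R0/R1, O1,
O4 and O15 lines into a review queue (not a verdict): Hosts entries funnelling
many domains to one IP, Trusted Zone additions, empty/about:blank/off-allowlist
start and search values, and Run entries launching from the Windows directory
or with no path. Allowlists, threshold and sample log are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")
R_RE = re.compile(r"^(R[01]) - HK(?:LM|CU)\\[^,]+,([^=]+?)\s*=\s*(.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run:\s+\[([^\]]+)\]\s+(.*)$")

MASS_REDIRECT_MIN_DOMAINS = 5  # assumption: tune for the machine being triaged
ALLOWED_HOME_HOSTS = {"www.emachines.com", "www.google.com"}  # constructed
ALLOWED_RUN_NAMES = {"CHotkey", "Zone Labs Client", "AVG7_CC", "AVG7_EMC", "MSMSGS"}

# Constructed sample, assembled from the entry formats quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKLM\..\Run: [239S3qP] msudcmsg.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
"""


def _host(value):
    """Hostname of an R-line value; scheme-less values are treated as http."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _o4_suspicious(name, cmd):
    """Executable under the Windows dir or a bare file name, and name not allowlisted."""
    if name in ALLOWED_RUN_NAMES:
        return False
    # Quoted paths are taken whole; unquoted ones are cut at the first space,
    # which still keeps the directory prefix the check looks at.
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    exe = exe.lower()
    return "\\" not in exe or exe.startswith("c:\\windows\\")


def triage(log_text):
    """Return (code, reason, log line) findings; the O1 aggregate comes last."""
    findings = []
    domains_by_ip = defaultdict(set)
    first_o1_line = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            domains_by_ip[ip].add(host.lower())
            first_o1_line.setdefault(ip, line)
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("O15", "site added to IE Trusted Zone: " + m.group(1), line))
            continue
        m = R_RE.match(line)
        if m:
            code, name, value = m.groups()
            if value in ("", "about:blank"):
                findings.append((code, f"{name} is {value or 'empty'}", line))
            elif _host(value) not in ALLOWED_HOME_HOSTS:
                findings.append((code, f"{name} points at {_host(value)}", line))
            continue
        m = O4_RE.match(line)
        if m and _o4_suspicious(*m.groups()):
            findings.append(("O4", f"Run entry [{m.group(1)}] launches {m.group(2)}", line))
    # Many domains mapped to one non-loopback IP is the Hosts hijack seen above.
    for ip, domains in domains_by_ip.items():
        if ip != "127.0.0.1" and len(domains) >= MASS_REDIRECT_MIN_DOMAINS:
            findings.append(("O1", f"{len(domains)} domains redirected to {ip} via Hosts",
                             first_o1_line[ip]))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

The output is a review queue: legitimate OEM entries such as CHotkey land on the allowlist, and anything flagged still needs the eyes of the person working the log.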

#7
KGHN

    Member

  • Topic Starter
  • Member
  • 66 posts
Hi again, tampabelle,
Man, this is getting lengthy. Multiple problems indeed. Here are my notes from working from your third response:

I enabled seeing hidden/system files per bleepingcomputer. I had already turned on seeing filename extensions.
CleanUp 4.0 was already installed.

When I double-click ewido-signatures-full-20050626.exe:

"The installer you are trying to use is corrupted or incomplete.
This could be the result of a damaged disk, a failed download or a virus.
You may want to contact the author of this installer to obtain a new copy.
It may be possible to skip this check using the /NCRC command line switch
(NOT RECOMMENDED)."
[OK]
I googled this a while back without a clear result. The best answer I saw was for a W2000 problem about signature files. Can you help?

When I run Ewido:
"Database could not be found! Please run an online update to get the latest signatures."
[OK]

This is a broadband machine but I do not have broadband service here.
I have to download on another machine and bring files to this one on CD.
I have tried redownloading the signature file, which matched, and also tried downloading other days' signature files, same result on execution.

Until this problem is resolved, Ewido may be unavailable. (Could it be installed/updated on my other machine and files copied?)
I tried to exit from SpyBot (but probably didn't do it right, see below)

Restarted to Safe Mode, logged in as Administrator.

I am using CleanUp 4.0, and don't see any specific reference to temporary internet files. CleanUp found lots of index.dat files & \Windows\prefetch entries.
Here's rest of the CleanUp log:
CleanUp! started on 06/29/05 08:54:53.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk - deleted
'Run MRU' list - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 1.7 MB of disk space from 46 files.
CleanUp! finished on 06/29/05 08:55:20.

Start/Control Panel/Internet Options. I Deleted Cookies, Deleted Files (Offline Content checked), and Cleared History.

Restarted Safe Mode / login Administrator
Ran HijackThis, fixed what you said, except these discrepancies:

R1 - HKCU\..Explorer\Main,Search Bar is missing
R0 - HKCU\..Explorer\Main,Start Page is set to http://www.emachines.com, so I didn't check it.
R0 - HKCU\..Explorer\Toolbar,LinksFolderName = is missing
I did see
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
(not on your list, so not checked)
"R3 - Default URL SearchHook is missing" is missing

O4 - HKLM\..\Run: [oyaqaie] c:\windows\system32\pnhssr.exe r is missing, but I see and have checked
O4 - HKLM\..\Run: [jqpytgk] c:\windows\system32\ilqxgf.exe r

All the O4 - HKCU entries are missing.
O15 - Trusted Zone: *.sxload.com is missing

I fixed all the checked entries & closed HijackThis.
In Add/Remove, only Weird on the Web was present, I Removed it.

c:\Program Files\Weirdontheweb and c:\windows\system32\nsvsvc were not found by explore or the CMD window DIR.

Of the files-to-delete list, only stb and uqbjcc were found by explore, and I deleted them. A CMD DIR found hklrun.exe, but "access denied" when I tried to delete it.
Suspicious files I cut from \windows\system32 (and pasted to \HJT in case you say I shouldn't have) are cfgmgr52.ini and ilfqxgf.exe (see the O4 - HKLM key removed above). OK?

The Prefetch folder was empty.

When I restarted normally and logged in as Tina, SpyBot fired up and prevented changes to the registry - perhaps I didn't shut it down right. So I Removed it in CtrlPanel's Add/Remove, and tried again CleanUp/HijackThis in Safe mode.

Several of the same entries I tried to fix before were in the new HijackThis list, and I checked and fixed them again.
A CMD DIR found hklrun.exe, and I ERASEd it OK this time.
I noticed there is a \windows\CFGMGR52 directory (folder). Should I remove this?

Restarted normally, this time logged in as John:
I still get the same error trying to install the Ewido signatures.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:50:02 AM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdun.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.sxload.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I logged off John and logged in as Tina.
I still have the "error message" wallpaper:
"Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System can not function in normal mode.
Please check you security settings.
* Scan your PC with any avaliable antivirus / spyware remover program to fix the problem."

Note the spelling and grammar errors and bad advice. This looks bogus to me.

When I tried to start/search for the text, I got the message "A file that is required to run Search Companion cannot be found. You may need to run setup."
How do I run Setup?

EOF 07/01/05

Thanks and happy Independence Day weekend,
KGHN

#8
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi John (or is it Tina),

lol, I saw your detailed description and was wondering what new problems have befallen you!!!!!!!!

Things seem to be on the mend. Take Heart

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.sxload.com


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC in Safe Mode

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Surf Side Kick 3

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\SurfSideKick 3

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Don't delete the folder, only the files in it!!!!!!!!


Reboot the PC in Normal Mode.


Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

#9
KGHN

    Member

  • Topic Starter
  • Member
  • 66 posts
Hi Tampabelle,
So nice you are there today. Actually, I'm Kate, a friend of Tina's. Thanks for your encouraging words.

I have booted normally and logged in as John. He has pretty mountain wallpaper.

In HijackThis I scanned, checked all the ones you listed:
ok R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
ok R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
ok R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
ok R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
ok O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
ok O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
ok O15 - Trusted Zone: *.media-motor.net
ok O15 - Trusted Zone: *.popuppers.com
ok O15 - Trusted Zone: *.sxload.com
...and clicked "fix checked".

Restart/Safe Mode/login Administrator
Surf Side Kick 3 was not on the Add or Remove Programs list.
CMD DIR couldn't find C:\Program Files\SurfSideKick 3
CMD ERASEd c:\windows\prefetch\*.*

Restart/Normal Mode/login Tina
Copied QooLogic from my CDR to the desktop, ran Find-Qoologic2.bat
Here's the whole log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\IRGUV.DLL
* KavSvc C:\WINDOWS\System32\NEYRCOR.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\WQGPY.DAT
* aspack C:\WINDOWS\System32\DCXBQRB.EXE
* aspack C:\WINDOWS\System32\HKLRUN.EXE
* aspack C:\WINDOWS\System32\IRGUV.DLL
* aspack C:\WINDOWS\System32\NEYRCOR.DLL
* aspack C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\CASINO~1.EXE
* UPX! C:\WINDOWS\DLOAD.EXE
* UPX! C:\WINDOWS\LOADASP.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RDUN.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
QuickBooks Update Agent.lnk
rdun.exe

User Startup:
C:\Documents and Settings\Tina\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgsfktfg
<NO NAME> REG_SZ {419e87e8-6c0f-4961-a405-3b2f2e4b6592}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

EOF 07/02/2005

P.S. Search and Help are still misbehaving. Can you clue me in on how to run Windows XP Setup? KGHN
  • 0
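The Find-Qoologic log above (the same log is posted again in #14) lists a file once per signature that matched it, so IRGUV.DLL, NEYRCOR.DLL and SUPDATE.DLL each appear twice, under a KavSvc string hit and an aspack packer hit. The parser below is an added example, not part of the Find-Qoologic tool or of this thread; it collapses the "Files found", "startup files" and "Registry Entries Found" sections into one record per path so the multi-signature files and the startup-folder executable stand out. The sample log embedded in it is an abridged, constructed copy of the one posted above.

```python
"""Parser for the Find-Qoologic log format, added here as an example; it is
not part of the Find-Qoologic tool or of the thread. It builds one record per
path with every signature tag that matched it, since the tool prints a file
once per matching signature (IRGUV.DLL appears under both KavSvc and aspack).
"""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the log posted above (header text
# and most of the legitimate context-menu handlers left out).
SAMPLE_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\IRGUV.DLL
* KavSvc C:\WINDOWS\System32\NEYRCOR.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\WQGPY.DAT
* aspack C:\WINDOWS\System32\DCXBQRB.EXE
* aspack C:\WINDOWS\System32\HKLRUN.EXE
* aspack C:\WINDOWS\System32\IRGUV.DLL
* aspack C:\WINDOWS\System32\NEYRCOR.DLL
* aspack C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\CASINO~1.EXE
* UPX! C:\WINDOWS\DLOAD.EXE
* UPX! C:\WINDOWS\LOADASP.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RDUN.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgsfktfg
<NO NAME> REG_SZ {419e87e8-6c0f-4961-a405-3b2f2e4b6592}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}
"""

# Section banners are rows of '»' around a title; hit lines are '* <tag> <path>'.
SECTION_RE = re.compile(r"^»+\s*(.*?)\s*»+$")
HIT_RE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")
HANDLER_PREFIX = "HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers\\"


def parse_find_qoologic(text):
    """Return a dict with:
       'files'   : {path: sorted list of signature tags} from 'Files found'
       'startup' : [path, ...] from 'startup files'
       'handlers': {handler name: value} from the ContextMenuHandlers dump
    """
    files = defaultdict(set)
    startup = []
    handlers = {}
    section = None
    pending_handler = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section in ("files found", "startup files"):
            m = HIT_RE.match(line)
            if m:
                tag, path = m.groups()
                if section == "files found":
                    files[path].add(tag)
                else:
                    startup.append(path)
        elif section == "registry entries found":
            # A subkey line names the handler; the following <NO NAME> line
            # carries its CLSID (or a plain string, e.g. "Start Menu Pin").
            if line.startswith(HANDLER_PREFIX):
                pending_handler = line[len(HANDLER_PREFIX):]
            elif line.startswith("<NO NAME>") and pending_handler is not None:
                handlers[pending_handler] = line.split(None, 3)[3]
                pending_handler = None
    return {"files": {p: sorted(t) for p, t in files.items()},
            "startup": startup, "handlers": handlers}


def multi_signature_files(parsed):
    """Paths matched by more than one signature: the first ones to review."""
    return sorted(p for p, tags in parsed["files"].items() if len(tags) > 1)


if __name__ == "__main__":
    result = parse_find_qoologic(SAMPLE_LOG)
    for path, tags in sorted(result["files"].items()):
        print(f"{path:45} {', '.join(tags)}")
    print("startup:", result["startup"])
    print("handlers:", result["handlers"])
```

Run as a script it prints the 11 distinct paths with their tags; the 14 raw hit lines reduce to 11 files, three of them matched by two signatures. The handler names are collected without judgement; the point of listing them is that a randomly named entry such as mgsfktfg can be compared against the products actually installed.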

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Kate,

You have a Qoologic infection. This can be dealt with, but we may need to run the cure (delete the malicious files) at least a couple of times. However, we may have some more hidden files.

Can you visit this site http://www.pandasoft...com/activescan/ and do an online scan?? Save the scan report and post it back here.

We can then identify all the files to be deleted.
  • 0


#11
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Kate,

Once we get rid of this infection, things should be much better and you probably won't have any issues with Search and Help.
  • 0

#12
KGHN

KGHN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Dear Tampabelle,
Thanks for posting that very helpful info re the Windows system functions; I've been fretting about those and I'm not sure whether emachines gave Tina an XP CD. The XP machine is not hooked to the net - is it worth trying to get the modem set up - currently it is configured for DSL - for access to online scans? I don't mind doing multiple file deletions (I am comfortable making batch files to do that or running down a list from you manually). Perhaps there is a good Qoologic removal tool I could download & run... Kate
  • 0

#13
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Kate,

Let us try deleting the necessary files. If it doesn't work, then we will think about the alternatives. As I warned you before, there might be some hidden files which Find_Qoologic may not have identified, and these files may cause the infection to regenerate.


Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file. Save it.


Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file. Save it.

Please post the entire contents of the log files from Find_Qoologic and RootKitRevealer here for me to see.
  • 0

#14
KGHN

KGHN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Here's the QooLogic log:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\IRGUV.DLL
* KavSvc C:\WINDOWS\System32\NEYRCOR.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\WQGPY.DAT
* aspack C:\WINDOWS\System32\DCXBQRB.EXE
* aspack C:\WINDOWS\System32\HKLRUN.EXE
* aspack C:\WINDOWS\System32\IRGUV.DLL
* aspack C:\WINDOWS\System32\NEYRCOR.DLL
* aspack C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\CASINO~1.EXE
* UPX! C:\WINDOWS\DLOAD.EXE
* UPX! C:\WINDOWS\LOADASP.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RDUN.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
QuickBooks Update Agent.lnk
rdun.exe

User Startup:
C:\Documents and Settings\Tina\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgsfktfg
<NO NAME> REG_SZ {419e87e8-6c0f-4961-a405-3b2f2e4b6592}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

RootKitRevealer reports:
Scan complete: no discrepancies found.

Normal boot/login Tina...
After running the above scans, I continued on my own...

AVG Complete Test 0 viruses, 0 errors
F-Prot Win 3.16b:
c:\windows\system32\wininet.dll Oleadm.A(exact) Dropper - tried to disinfect - could not delete the file.
1 infected object, 0 suspicious objects
Ad-Aware SE 1.06:
6 critical objects
Logfile:
Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, July 03, 2005 7:39:23 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R51 21.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BookedSpace(TAC index:10):6 total references
MRU List(TAC index:0):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R51 21.06.2005
Internal build : 59
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 483435 Bytes
Total size : 1461660 Bytes
Signature data size : 1429955 Bytes
Reference data size : 31193 Bytes
Signatures total : 40756
CSI Fingerprints total : 906
CSI data size : 31253 Bytes
Target categories : 15
Target families : 694


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:60 %
Total physical memory:515568 kb
Available physical memory:308092 kb
Total page file size:1260228 kb
Available on page file:1116452 kb
Total virtual memory:2097024 kb
Available virtual memory:2045116 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-3-2005 7:39:23 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 332
ThreadCreationTime : 7-3-2005 11:41:20 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 380
ThreadCreationTime : 7-3-2005 11:41:21 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 404
ThreadCreationTime : 7-3-2005 11:41:21 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 448
ThreadCreationTime : 7-3-2005 11:41:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 460
ThreadCreationTime : 7-3-2005 11:41:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 632
ThreadCreationTime : 7-3-2005 11:41:22 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 656
ThreadCreationTime : 7-3-2005 11:41:22 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 756
ThreadCreationTime : 7-3-2005 11:41:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 792
ThreadCreationTime : 7-3-2005 11:41:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 868
ThreadCreationTime : 7-3-2005 11:41:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [avgamsvr.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 968
ThreadCreationTime : 7-3-2005 11:41:24 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [avgupsvc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 980
ThreadCreationTime : 7-3-2005 11:41:24 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:13 [slserv.exe]
ModuleName : C:\WINDOWS\system32\slserv.exe
Command Line : slserv.exe
ProcessID : 1100
ThreadCreationTime : 7-3-2005 11:41:25 PM
BasePriority : Normal
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
ProductName : Modem
FileDescription : User-Level Modem Service
InternalName : slserv
LegalCopyright : Copyright © 1999-2000
OriginalFilename : slserv.exe

#:14 [wanmpsvc.exe]
ModuleName : C:\WINDOWS\wanmpsvc.exe
Command Line : "C:\WINDOWS\wanmpsvc.exe"
ProcessID : 1172
ThreadCreationTime : 7-3-2005 11:41:25 PM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:15 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1328
ThreadCreationTime : 7-3-2005 11:41:29 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [mhotkey.exe]
ModuleName : C:\WINDOWS\mHotkey.exe
Command Line : "C:\WINDOWS\mHotkey.exe"
ProcessID : 1420
ThreadCreationTime : 7-3-2005 11:41:30 PM
BasePriority : Normal
FileVersion : 2, 2, 2, 0
ProductVersion : 2, 2, 2, 0
ProductName : Chicony Multimedia Driver
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2001 Chicony
OriginalFilename : mHotkey.res

#:17 [avgemc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 1444
ThreadCreationTime : 7-3-2005 11:41:30 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:18 [hklrun.exe]
ModuleName : C:\WINDOWS\System32\hklrun.exe
Command Line : "C:\WINDOWS\System32\hklrun.exe" reg_run
ProcessID : 1456
ThreadCreationTime : 7-3-2005 11:41:31 PM
BasePriority : Normal


#:19 [qbupdate.exe]
ModuleName : C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Command Line : "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe"
ProcessID : 1568
ThreadCreationTime : 7-3-2005 11:41:32 PM
BasePriority : Normal
FileVersion : 13.0 R1
ProductVersion : 13.0 R1
ProductName : QuickBooks
CompanyName : Intuit, Inc.
FileDescription : QBUpdate Module
InternalName : QBUpdate
LegalCopyright : Copyright © Intuit, Inc. 1993-2003.
OriginalFilename : QBUpdate.exe

#:20 [notepad.exe]
ModuleName : C:\WINDOWS\system32\notepad.exe
Command Line : "C:\WINDOWS\system32\notepad.exe"
ProcessID : 1364
ThreadCreationTime : 7-4-2005 1:13:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

#:21 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 524
ThreadCreationTime : 7-4-2005 1:38:42 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\bookedspace.dll

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension.5

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0dc5cd7c-f653-4417-aa43-d457be3a9622}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

MRU List Object Recognized!
Location: : C:\Documents and Settings\Tina\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-74348050-3559772894-2167010964-1006\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-74348050-3559772894-2167010964-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-74348050-3559772894-2167010964-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-74348050-3559772894-2167010964-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 13




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13

7:43:35 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:11.734
Objects scanned:105108
Objects identified:6
Objects ignored:0
New critical objects:6

My daughter Alice googled Qoologic and found some interesting info on the ca site. It says a copy of the initial dropper gets put in the \Documents and Settings\All Users\Start Menu\Programs\Startup folder. When I browse to that folder I see BigFix and QuickBooks Update Agent. When I CMD DIR the folder, I also see "rdun.exe" 06/16/2005 8:28 PM 62,952 bytes. ATTRIB just shows an A. (How is it hiding?)
I am quarantining rdun.exe to \HJT, let me know if I should move it back. (Google doesn't recognise this filename.)
The ca info said KavSvc is part of QooLogic. It references \windows\system32\hklrun.exe. It also shows in a CMD DIR but not in Windows Explorer. When I try to ERASE it, "Access is denied."

c:\windows\system32\wininet.dll also can't be erased. I note another file same size different time in \windows\servicepackfiles\i386 - the two files have compare errors.

Restarted in Safe mode/login Administrator
hklrun.exe and wininet.dll both still "Access is denied."

And rdun.exe is back in ..Startup, but a slightly different size - it's now 61,952, the same as \windows\system32\hklrun.exe (same size also are 6/16/05 8:28 PM wqgpy.dat, 8/29/02 6:00 AM osuninst.dll, webclnt.dll, acelpdec.ax, sti.dll, and rdshost.exe).

I ran HijackThis and fixed:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
Then I CMD ERASED \Documents and Settings\All Users\Start Menu\Programs\Startup\rdun.exe again.

I restarted Safe/Administrator
Now I can CMD ERASE hklrun.exe, but wininet.dll is still "Access denied."

I used Task Manager: services.exe wouldn't shut down, the first svchost.exe seemed to shut down OK, the 2nd crashed the system (oops)

Restarted Safe/Administrator
Created rdun_bye.bat:

echo on
REM rdun_bye.bat: delete the QooLogic files listed below one at a time,
REM with a chance to abort (Ctrl+Break) before each deletion.
REM "pause" ignores any text typed after it, so each prompt is printed with
REM "echo" first and then "pause" waits for the key.
cd /d "c:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir rdun.exe
echo Ctrl+Break to quit, or press a key to erase this QooLogic file...
pause
erase rdun.exe
echo Press a key to continue...
pause
cd /d c:\windows\system32
dir hklrun.exe
echo Ctrl+Break to quit, or press a key to erase this QooLogic file...
pause
erase hklrun.exe
dir wininet.dll
echo Ctrl+Break to quit, or press a key to erase this QooLogic file...
pause
erase wininet.dll
echo Press a key to continue...
pause
REM wininet.dll is a Windows system file; put back the copy kept in the
REM service pack cache (copied into the current directory, system32).
copy c:\windows\servicepackfiles\i386\wininet.dll
echo Check the result, then press a key to exit...
pause

I used Task Manager to shut down just the first svchost (7.2K mem used), then ran rdun_bye.bat. Still "Access denied." erasing wininet.dll (the others weren't found.)

Tried shutting down csrss.exe, lsass.exe, services.exe, smss.exe - all "critical" and wouldn't shut down. Explorer, notepad, system, system idle, taskmgr, and winlogon seem legit to me. Two svchost.exe's are listed, one 2,260, one 5,544. I shut down the 5,544 (it had changed to 5,616), and another svchost popped up at 1,652 immediately. rdun_bye still can't erase wininet.dll.

Tried making an MS-DOS startup disk by right-clicking on A: and choosing Format - can boot to A:\> but then C: is not seen as a valid disk.

Tried using GiPo's MoveOnBoot - didn't help (uninstalled).

I found MS instructions for an XP boot disk, but it uses the drivers in \windows\system32 per its boot.ini.
XP "startup disks" only boot in preparation for using the XP CD.

Would this work? Should I copy the \windows tree to, say, \Windows2 and copy the correct wininet.dll from i386 to it, then make an XP boot disk that looks in the alternate tree to boot?

Or is there a better way?

Thanks, Kate
  • 0
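Kate's post lines rdun.exe up against hklrun.exe and several system DLLs by byte count alone (61,952). Size is a quick screen, but the check that confirms two files are the same copy is an identical content hash; a size match with a different hash is a coincidence. The script below is an added example, not from the thread: it hashes a set of files, reports the groups that are byte-for-byte identical, and separately reports the sizes that a size-only comparison would have matched wrongly. The sample directory it builds is constructed (placeholder bytes under two of the thread's file names plus an unrelated file padded to the same size), so it runs anywhere.

```python
"""Content-hash check for 'same size' files, added as an example; it is not
from the thread. Equal size is only a screen; identical SHA-256 is the check
that two files are the same copy.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=65536):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_by_size_and_hash(paths):
    """{size: {sha256: [paths]}}: files of equal size are split by content."""
    groups = defaultdict(lambda: defaultdict(list))
    for p in paths:
        groups[os.path.getsize(p)][sha256_of(p)].append(p)
    return groups


def identical_copies(paths):
    """Groups of two or more paths whose contents are byte-for-byte identical."""
    out = []
    for by_hash in group_by_size_and_hash(paths).values():
        out.extend(sorted(m) for m in by_hash.values() if len(m) > 1)
    return sorted(out)


def size_only_matches(paths):
    """Sizes shared by files that differ in content: the matches a size-only
    comparison reports but a hash rejects. Returns {size: sorted paths}."""
    return {size: sorted(p for ps in by_hash.values() for p in ps)
            for size, by_hash in group_by_size_and_hash(paths).items()
            if len(by_hash) > 1}


def build_sample_dir():
    """Constructed sample directory: a placeholder body saved under two of the
    names from the thread, plus an unrelated file padded to the same size.
    The contents are plain placeholder bytes, not real malware."""
    d = tempfile.mkdtemp(prefix="samesize_demo_")
    body = b"constructed placeholder body, not executable code\n" * 8
    filler = b"\x00" * len(body)  # same size, different content
    for name, data in (("rdun.exe", body), ("hklrun.exe", body), ("wqgpy.dat", filler)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def demo():
    """Run both checks on the sample; return basenames only, for readability."""
    d = build_sample_dir()
    try:
        paths = sorted(os.path.join(d, n) for n in os.listdir(d))
        base = os.path.basename
        return {
            "identical": [[base(p) for p in g] for g in identical_copies(paths)],
            "size_only": {size: [base(p) for p in ps]
                          for size, ps in size_only_matches(paths).items()},
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

On the sample, `identical_copies` returns only the rdun.exe/hklrun.exe pair, while `size_only_matches` lists all three files under one size: that third file is exactly the kind of false match a size comparison against osuninst.dll, webclnt.dll and the other system files would produce. In practice the same functions run over the real paths from the log, and the hashes can also be submitted to a scanner's lookup service from a connected machine.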

#15
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Kate,

I told you that you have Qoologic and I will give you the fix for it.

svchost.exe, csrss.exe, lsass.exe, services.exe, smss.exe etc. are critical windows files. If you manage to delete these files, well then you can install XP again !!!!!!!! Same with wininet.dll. It is a critical windows file. I will tell you how to deal with the infected files.

The hklrun.exe file that you were trying to delete is just one of the many files related to Qoologic. If you succeed in deleting the file, it will regenerate from the other associated files.
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\IRGUV.DLL
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\NEYRCOR.DLL
    • C:\WINDOWS\System32\SUPDATE.DLL
    • C:\WINDOWS\System32\WQGPY.DAT
    • C:\WINDOWS\System32\DCXBQRB.EXE
    • C:\WINDOWS\System32\HKLRUN.EXE
    • C:\WINDOWS\System32\REDIT.CPL
    • C:\WINDOWS\System32\PSOF1.EXE
    • C:\WINDOWS\CASINO~1.EXE
    • C:\WINDOWS\DLOAD.EXE
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\LOADASP.EXE
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

  • 0
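The "Replace on Reboot" step above works around exactly the "Access is denied" problem Kate hit: instead of deleting a file that is in use, the tool asks Windows to do it during the next boot, before the file can be loaded. Tools of this kind normally schedule that through the MoveFileEx delay-until-reboot mechanism (an assumption about Killbox's internals; the thread does not say), which records (source, destination) string pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, a documented Windows value. A practitioner wants to confirm what was actually queued before rebooting, so the decoder below is added as an example; it is not part of Killbox or of the thread. The sample entries are constructed, and the one replacement path is a placeholder.

```python
r"""Decoder for the Windows PendingFileRenameOperations value, added as an
example; it is not part of Killbox or of the thread.

MoveFileEx(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT) appends two strings to the
REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Paths carry the NT
'\??\' prefix; an empty destination means delete, and a destination starting
with '!' means replace an existing file. Session Manager carries the list out
early in the next boot. (That Killbox schedules its work this way is an
assumption; the value's format is documented Windows behaviour.)
"""
import sys

NT_PREFIX = "\\??\\"


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(entries):
    """entries: the REG_MULTI_SZ as a list of strings (source, destination
    pairs). Returns a list of {'op': 'delete'|'replace'|'move', 'src', 'dst'}.
    A trailing unpaired string (some writers leave one) is ignored."""
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append({"op": "delete", "src": src, "dst": None})
        elif dst.startswith("!"):
            ops.append({"op": "replace", "src": src,
                        "dst": _strip_nt_prefix(dst[1:])})
        else:
            ops.append({"op": "move", "src": src, "dst": _strip_nt_prefix(dst)})
    return ops


def scheduled_deletes(entries):
    """Just the paths queued for deletion at next boot."""
    return [o["src"] for o in decode_pending_ops(entries) if o["op"] == "delete"]


def read_live_pending_ops():
    """Read the real value on Windows; returns [] on other platforms or when
    nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except OSError:  # value absent: nothing is queued
        return []


# Constructed sample: three deletes taken from the Killbox list above plus one
# replace entry; the replacement source is a placeholder path, not a real file.
SAMPLE_ENTRIES = [
    r"\??\C:\WINDOWS\System32\IRGUV.DLL", "",
    r"\??\C:\WINDOWS\System32\NEYRCOR.DLL", "",
    r"\??\C:\WINDOWS\LOADASP.EXE", "",
    r"\??\C:\PLACEHOLDER\replacement.tmp", r"!\??\C:\WINDOWS\System32\HKLRUN.EXE",
]


if __name__ == "__main__":
    entries = read_live_pending_ops() or SAMPLE_ENTRIES
    for op in decode_pending_ops(entries):
        print(f"{op['op']:8} {op['src']}" + (f" -> {op['dst']}" if op["dst"] else ""))
```

Run on a Windows machine after Killbox (and before the reboot) it prints the live queue, which should show one `delete` line per path entered; on any other system, or when nothing is queued, it decodes the constructed sample instead. Entries that are not on your list are worth a look, since malware can use the same value to put files back.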
