Thanks TampaBelle.
Followed your instructions. Here are the logs:
Hijack ThisLogfile of HijackThis v1.99.1
Scan saved at 4:34:21 PM, on 7/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\system32\jorarq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\trdb.exe
C:\Program Files\Command Software\Command AntiVirus\avgui.exe
U:\HijackThis\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by XXXXXX
O1 - Hosts: 168.162.75.105 STNPSQL1
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\jorarq.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
L2MFIX:L2MFIX:L2MFIX:L2MFIX:C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 848 'explorer.exe'
Killing PID 848 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 980 'rundll32.exe'
Killing PID 1216 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\AHLEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\AHLEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\CVPBK32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\CVPBK32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\cznquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\cznquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\DECPROP.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\DECPROP.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\dFdref8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dFdref8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\DMSKMON.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\DMSKMON.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\dsgfgaj.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dsgfgaj.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ibetpp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ibetpp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iClmdev5.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iClmdev5.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\imfxeud.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\imfxeud.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\KNDSF.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KNDSF.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KSDUS.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KSDUS.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MESLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MESLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MFSLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MFSLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MKIDLE.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MKIDLE.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MWASTMIB.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MWASTMIB.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\ORPRT400.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\ORPRT400.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\sdvsvc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sdvsvc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\TGPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\TGPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\wdw32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wdw32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wjpshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wjpshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwerrenu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwerrenu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\AHLEDIT.DLL
Successfully Deleted: C:\WINNT\system32\AHLEDIT.DLL
deleting: C:\WINNT\system32\AHLEDIT.DLL
Successfully Deleted: C:\WINNT\system32\AHLEDIT.DLL
deleting: C:\WINNT\system32\CVPBK32.DLL
Successfully Deleted: C:\WINNT\system32\CVPBK32.DLL
deleting: C:\WINNT\system32\CVPBK32.DLL
Successfully Deleted: C:\WINNT\system32\CVPBK32.DLL
deleting: C:\WINNT\system32\cznquery.dll
Successfully Deleted: C:\WINNT\system32\cznquery.dll
deleting: C:\WINNT\system32\cznquery.dll
Successfully Deleted: C:\WINNT\system32\cznquery.dll
deleting: C:\WINNT\system32\DECPROP.DLL
Successfully Deleted: C:\WINNT\system32\DECPROP.DLL
deleting: C:\WINNT\system32\DECPROP.DLL
Successfully Deleted: C:\WINNT\system32\DECPROP.DLL
deleting: C:\WINNT\system32\dFdref8.dll
Successfully Deleted: C:\WINNT\system32\dFdref8.dll
deleting: C:\WINNT\system32\dFdref8.dll
Successfully Deleted: C:\WINNT\system32\dFdref8.dll
deleting: C:\WINNT\system32\DMSKMON.DLL
Successfully Deleted: C:\WINNT\system32\DMSKMON.DLL
deleting: C:\WINNT\system32\DMSKMON.DLL
Successfully Deleted: C:\WINNT\system32\DMSKMON.DLL
deleting: C:\WINNT\system32\dsgfgaj.dll
Successfully Deleted: C:\WINNT\system32\dsgfgaj.dll
deleting: C:\WINNT\system32\dsgfgaj.dll
Successfully Deleted: C:\WINNT\system32\dsgfgaj.dll
deleting: C:\WINNT\system32\ibetpp.dll
Successfully Deleted: C:\WINNT\system32\ibetpp.dll
deleting: C:\WINNT\system32\ibetpp.dll
Successfully Deleted: C:\WINNT\system32\ibetpp.dll
deleting: C:\WINNT\system32\iClmdev5.dll
Successfully Deleted: C:\WINNT\system32\iClmdev5.dll
deleting: C:\WINNT\system32\iClmdev5.dll
Successfully Deleted: C:\WINNT\system32\iClmdev5.dll
deleting: C:\WINNT\system32\imfxeud.dll
Successfully Deleted: C:\WINNT\system32\imfxeud.dll
deleting: C:\WINNT\system32\imfxeud.dll
Successfully Deleted: C:\WINNT\system32\imfxeud.dll
deleting: C:\WINNT\system32\KNDSF.DLL
Successfully Deleted: C:\WINNT\system32\KNDSF.DLL
deleting: C:\WINNT\system32\KNDSF.DLL
Successfully Deleted: C:\WINNT\system32\KNDSF.DLL
deleting: C:\WINNT\system32\KSDUS.DLL
Successfully Deleted: C:\WINNT\system32\KSDUS.DLL
deleting: C:\WINNT\system32\KSDUS.DLL
Successfully Deleted: C:\WINNT\system32\KSDUS.DLL
deleting: C:\WINNT\system32\MESLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MESLGN32.DLL
deleting: C:\WINNT\system32\MESLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MESLGN32.DLL
deleting: C:\WINNT\system32\MFSLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MFSLGN32.DLL
deleting: C:\WINNT\system32\MFSLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MFSLGN32.DLL
deleting: C:\WINNT\system32\MKIDLE.DLL
Successfully Deleted: C:\WINNT\system32\MKIDLE.DLL
deleting: C:\WINNT\system32\MKIDLE.DLL
Successfully Deleted: C:\WINNT\system32\MKIDLE.DLL
deleting: C:\WINNT\system32\MWASTMIB.DLL
Successfully Deleted: C:\WINNT\system32\MWASTMIB.DLL
deleting: C:\WINNT\system32\MWASTMIB.DLL
Successfully Deleted: C:\WINNT\system32\MWASTMIB.DLL
deleting: C:\WINNT\system32\ORPRT400.DLL
Successfully Deleted: C:\WINNT\system32\ORPRT400.DLL
deleting: C:\WINNT\system32\ORPRT400.DLL
Successfully Deleted: C:\WINNT\system32\ORPRT400.DLL
deleting: C:\WINNT\system32\sdvsvc.dll
Successfully Deleted: C:\WINNT\system32\sdvsvc.dll
deleting: C:\WINNT\system32\sdvsvc.dll
Successfully Deleted: C:\WINNT\system32\sdvsvc.dll
deleting: C:\WINNT\system32\TGPI32.DLL
Successfully Deleted: C:\WINNT\system32\TGPI32.DLL
deleting: C:\WINNT\system32\TGPI32.DLL
Successfully Deleted: C:\WINNT\system32\TGPI32.DLL
deleting: C:\WINNT\system32\wdw32.dll
Successfully Deleted: C:\WINNT\system32\wdw32.dll
deleting: C:\WINNT\system32\wdw32.dll
Successfully Deleted: C:\WINNT\system32\wdw32.dll
deleting: C:\WINNT\system32\wjpshell.dll
Successfully Deleted: C:\WINNT\system32\wjpshell.dll
deleting: C:\WINNT\system32\wjpshell.dll
Successfully Deleted: C:\WINNT\system32\wjpshell.dll
deleting: C:\WINNT\system32\wwerrenu.dll
Successfully Deleted: C:\WINNT\system32\wwerrenu.dll
deleting: C:\WINNT\system32\wwerrenu.dll
Successfully Deleted: C:\WINNT\system32\wwerrenu.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: AHLEDIT.DLL (92 bytes security) (deflated 48%)
adding: CVPBK32.DLL (92 bytes security) (deflated 48%)
adding: cznquery.dll (92 bytes security) (deflated 48%)
adding: DECPROP.DLL (92 bytes security) (deflated 48%)
adding: dFdref8.dll (92 bytes security) (deflated 48%)
adding: DMSKMON.DLL (92 bytes security) (deflated 48%)
adding: dsgfgaj.dll (92 bytes security) (deflated 48%)
adding: ibetpp.dll (92 bytes security) (deflated 48%)
adding: iClmdev5.dll (92 bytes security) (deflated 48%)
adding: imfxeud.dll (92 bytes security) (deflated 48%)
adding: KNDSF.DLL (92 bytes security) (deflated 48%)
adding: KSDUS.DLL (92 bytes security) (deflated 48%)
adding: MESLGN32.DLL (92 bytes security) (deflated 48%)
adding: MFSLGN32.DLL (92 bytes security) (deflated 48%)
adding: MKIDLE.DLL (92 bytes security) (deflated 48%)
adding: MWASTMIB.DLL (92 bytes security) (deflated 48%)
adding: ORPRT400.DLL (92 bytes security) (deflated 48%)
adding: sdvsvc.dll (92 bytes security) (deflated 48%)
adding: TGPI32.DLL (92 bytes security) (deflated 48%)
adding: wdw32.dll (92 bytes security) (deflated 48%)
adding: wjpshell.dll (92 bytes security) (deflated 48%)
adding: wwerrenu.dll (92 bytes security) (deflated 48%)
adding: guard.tmp (92 bytes security) (deflated 48%)
adding: VDM16.tmp (92 bytes security) (stored 0%)
adding: VDM17.tmp (92 bytes security) (stored 0%)
adding: VDM7.tmp (92 bytes security) (stored 0%)
adding: VDM71.tmp (92 bytes security) (stored 0%)
adding: VDM72.tmp (92 bytes security) (stored 0%)
adding: VDM8.tmp (92 bytes security) (stored 0%)
adding: VDMB.tmp (92 bytes security) (stored 0%)
adding: VDMC.tmp (92 bytes security) (stored 0%)
adding: clear.reg (92 bytes security) (deflated 52%)
adding: DESKTOP.INI (92 bytes security) (stored 0%)
adding: lo2.txt (92 bytes security) (deflated 90%)
adding: test.txt (92 bytes security) (deflated 88%)
adding: test2.txt (92 bytes security) (deflated 33%)
adding: test3.txt (92 bytes security) (deflated 33%)
adding: test5.txt (92 bytes security) (deflated 33%)
adding: xfind.txt (92 bytes security) (deflated 84%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: AHLEDIT.DLL
deleting local copy: AHLEDIT.DLL
deleting local copy: CVPBK32.DLL
deleting local copy: CVPBK32.DLL
deleting local copy: cznquery.dll
deleting local copy: cznquery.dll
deleting local copy: DECPROP.DLL
deleting local copy: DECPROP.DLL
deleting local copy: dFdref8.dll
deleting local copy: dFdref8.dll
deleting local copy: DMSKMON.DLL
deleting local copy: DMSKMON.DLL
deleting local copy: dsgfgaj.dll
deleting local copy: dsgfgaj.dll
deleting local copy: ibetpp.dll
deleting local copy: ibetpp.dll
deleting local copy: iClmdev5.dll
deleting local copy: iClmdev5.dll
deleting local copy: imfxeud.dll
deleting local copy: imfxeud.dll
deleting local copy: KNDSF.DLL
deleting local copy: KNDSF.DLL
deleting local copy: KSDUS.DLL
deleting local copy: KSDUS.DLL
deleting local copy: MESLGN32.DLL
deleting local copy: MESLGN32.DLL
deleting local copy: MFSLGN32.DLL
deleting local copy: MFSLGN32.DLL
deleting local copy: MKIDLE.DLL
deleting local copy: MKIDLE.DLL
deleting local copy: MWASTMIB.DLL
deleting local copy: MWASTMIB.DLL
deleting local copy: ORPRT400.DLL
deleting local copy: ORPRT400.DLL
deleting local copy: sdvsvc.dll
deleting local copy: sdvsvc.dll
deleting local copy: TGPI32.DLL
deleting local copy: TGPI32.DLL
deleting local copy: wdw32.dll
deleting local copy: wdw32.dll
deleting local copy: wjpshell.dll
deleting local copy: wjpshell.dll
deleting local copy: wwerrenu.dll
deleting local copy: wwerrenu.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINNT\system32\AHLEDIT.DLL
C:\WINNT\system32\AHLEDIT.DLL
C:\WINNT\system32\CVPBK32.DLL
C:\WINNT\system32\CVPBK32.DLL
C:\WINNT\system32\cznquery.dll
C:\WINNT\system32\cznquery.dll
C:\WINNT\system32\DECPROP.DLL
C:\WINNT\system32\DECPROP.DLL
C:\WINNT\system32\dFdref8.dll
C:\WINNT\system32\dFdref8.dll
C:\WINNT\system32\DMSKMON.DLL
C:\WINNT\system32\DMSKMON.DLL
C:\WINNT\system32\dsgfgaj.dll
C:\WINNT\system32\dsgfgaj.dll
C:\WINNT\system32\ibetpp.dll
C:\WINNT\system32\ibetpp.dll
C:\WINNT\system32\iClmdev5.dll
C:\WINNT\system32\iClmdev5.dll
C:\WINNT\system32\imfxeud.dll
C:\WINNT\system32\imfxeud.dll
C:\WINNT\system32\KNDSF.DLL
C:\WINNT\system32\KNDSF.DLL
C:\WINNT\system32\KSDUS.DLL
C:\WINNT\system32\KSDUS.DLL
C:\WINNT\system32\MESLGN32.DLL
C:\WINNT\system32\MESLGN32.DLL
C:\WINNT\system32\MFSLGN32.DLL
C:\WINNT\system32\MFSLGN32.DLL
C:\WINNT\system32\MKIDLE.DLL
C:\WINNT\system32\MKIDLE.DLL
C:\WINNT\system32\MWASTMIB.DLL
C:\WINNT\system32\MWASTMIB.DLL
C:\WINNT\system32\ORPRT400.DLL
C:\WINNT\system32\ORPRT400.DLL
C:\WINNT\system32\sdvsvc.dll
C:\WINNT\system32\sdvsvc.dll
C:\WINNT\system32\TGPI32.DLL
C:\WINNT\system32\TGPI32.DLL
C:\WINNT\system32\wdw32.dll
C:\WINNT\system32\wdw32.dll
C:\WINNT\system32\wjpshell.dll
C:\WINNT\system32\wjpshell.dll
C:\WINNT\system32\wwerrenu.dll
C:\WINNT\system32\wwerrenu.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{047E7253-3845-4D80-9933-B5CA9DEFA29A}"=-
"{4EBFED8A-24A6-4F4A-BF9A-B4AC1B03E6C6}"=-
"{E258D564-6539-41C6-AA0C-85694F5E1EA8}"=-
"{7686FCC2-EAF9-483A-9D4A-BB84A035DE01}"=-
[-HKEY_CLASSES_ROOT\CLSID\{047E7253-3845-4D80-9933-B5CA9DEFA29A}]
[-HKEY_CLASSES_ROOT\CLSID\{4EBFED8A-24A6-4F4A-BF9A-B4AC1B03E6C6}]
[-HKEY_CLASSES_ROOT\CLSID\{E258D564-6539-41C6-AA0C-85694F5E1EA8}]
[-HKEY_CLASSES_ROOT\CLSID\{7686FCC2-EAF9-483A-9D4A-BB84A035DE01}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Edited by kirrill, 21 July 2005 - 03:42 PM.