
psguard and trojan problems [RESOLVED]



#1 interbeing (Member, 29 posts)
Here is my HijackThis log. I'm having problems opening any programs, and I have a background on my desktop that is irreplaceable and has a target link to PS Guard.
Logfile of HijackThis v1.99.1
Scan saved at 11:18:30 PM, on 7/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\mtes\orer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\darren\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\nntlogon.dll
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi interbeing and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. You have a lot of malware on your system that must be removed prior to tackling the main infection: but first

4. Please DELETE your current HJT program from its present location.

5. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3 interbeing (Topic Starter, Member, 29 posts)
Logfile of HijackThis v1.99.1
Scan saved at 9:45:04 PM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\mtes\orer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\nntlogon.dll
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
In addition to your screen problem you also have what I believe to be a Look2Me infection which we must treat first.

You have the latest version of VX2.
  • Download L2mfix from one of these two locations:

    http://www.atribune....oads/l2mfix.exe
    http://www.downloads....org/l2mfix.exe

  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then OPEN the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #"1" for Run Find Log by typing 1 and then pressing Enter.
  • This will scan your computer and it may appear as if nothing is happening, then, after a minute or 2, Notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Regards,

Trevuren

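The things a helper weighs when reading a log like the one above (extra values tacked onto the Shell= and UserInit= lines, the same file name hooked from several persistence points at once) can be checked mechanically. The Python script below is an added example, not code from this thread, from HijackThis or from L2mfix: it takes the persistence-related lines of the posted log as constructed sample input, reports F2 values that differ from the stock Windows XP defaults (assumed here to be Explorer.exe and C:\WINDOWS\system32\userinit.exe on a C: install), and lists every executable or DLL that more than one persistence mechanism points at. The function and variable names (triage, f2_findings, SAMPLE_LOG) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the persistence-related lines copied from the
# HijackThis log posted earlier in this thread (Windows XP SP1).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\nntlogon.dll
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll
"""

# Stock single values of the two system.ini entries on Windows XP
# (assumption: Windows installed on C:). Anything after the first value is extra.
XP_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\")
# A drive-letter path ending in .exe/.dll. Commas end the match, so comma-separated
# lists (UserInit=..., "rundll32 x.dll,Entry") split into their parts.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)


def f2_findings(line):
    """Return (key, [non-stock values]) for a Shell=/UserInit= line, or None if stock."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key = m.group(1).lower()
    values = [v.strip() for v in m.group(2).split(",") if v.strip()]
    if not values:
        return None
    if values[0].lower() == XP_DEFAULTS[key]:
        extras = values[1:]          # stock value first, anything else is added
    else:
        extras = values              # even the first value is not the stock one
    return (key, extras) if extras else None


def mechanism(line):
    """Short label for the persistence mechanism an HJT line describes."""
    m = O4_RE.match(line)
    if m:
        return "O4 %s Run" % m.group(1)
    m = F2_RE.match(line)
    if m:
        return "F2 %s" % m.group(1)
    return line.split(" - ", 1)[0]   # e.g. "O2", "O20", "O21"


def referenced_files(line):
    """Lower-cased basenames of every .exe/.dll the line points at."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(line)]
    m = F2_RE.match(line)
    if m:  # Shell= entries are bare file names without a drive path
        names += [v.strip().lower() for v in m.group(2).split(",")
                  if v.strip() and ":\\" not in v]
    return set(names)


def triage(log_text, min_mechanisms=2):
    """Non-stock F2 values plus files hooked by at least min_mechanisms mechanisms."""
    f2 = []
    hooks = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = f2_findings(line)
        if finding:
            f2.append(finding)
        label = mechanism(line)
        for name in referenced_files(line):
            hooks[name].add(label)
    shared = {name: sorted(labels) for name, labels in hooks.items()
              if len(labels) >= min_mechanisms}
    return {"f2": f2, "shared": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, extras in result["f2"]:
        print("F2 %-8s non-stock value(s): %s" % (key, ", ".join(extras)))
    for name, labels in sorted(result["shared"].items()):
        print("%-16s hooked by %d mechanisms: %s" % (name, len(labels), ", ".join(labels)))
```

On the sample input, editdnec.exe is reported four times over (Shell, UserInit, and both Run keys), which is why it stands out before any file is examined, while nvraidservice.exe, hooked from a single Run key, is not listed. A count of two, as for cfgmgr52.dll here (a BHO plus a rundll32 Run entry), is only a prompt to look closer: legitimate software also registers in more than one place, so the output is a triage aid, not a verdict.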

#5 interbeing (Topic Starter, Member, 29 posts)
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\nntlogon.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D635CD2E-0337-DA3C-4A9E-AF7A082C4C36}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}\InprocServer32]
@="C:\\WINDOWS\\system32\\glkcsp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
abirvalg.dll Thu Jul 21 2005 8:26:38a A.... 64 0.06 K
abirva~1.dll Thu Jul 21 2005 8:26:38a A.... 24,576 24.00 K
ati2cqag.dll Thu May 12 2005 7:38:02p A.... 208,896 204.00 K
ati2dvag.dll Thu May 12 2005 8:15:28p A.... 228,864 223.50 K
ati2edxx.dll Thu May 12 2005 8:10:20p A.... 39,936 39.00 K
ati2evxx.dll Thu May 12 2005 8:10:10p A.... 46,080 45.00 K
ati3duag.dll Thu May 12 2005 8:01:24p A.... 2,347,520 2.24 M
atiddc.dll Thu May 12 2005 8:08:34p A.... 53,248 52.00 K
atidemgr.dll Thu May 12 2005 10:23:08p A.... 229,376 224.00 K
atiiiexx.dll Thu May 12 2005 10:54:06p A.... 299,008 292.00 K
atikvmag.dll Thu May 12 2005 7:44:06p A.... 139,264 136.00 K
atioglx1.dll Thu May 12 2005 9:39:58p A.... 6,680,576 6.37 M
atioglxx.dll Thu May 12 2005 8:31:36p A.... 4,816,896 4.59 M
atipdlxx.dll Thu May 12 2005 8:10:44p A.... 94,208 92.00 K
atitvo32.dll Thu May 12 2005 7:43:18p A.... 17,408 17.00 K
ativvaxx.dll Thu May 12 2005 7:55:20p A.... 613,440 599.06 K
baotvid.dll Mon Jul 11 2005 2:48:34p ..S.R 417,792 408.00 K
bsowser.dll Mon Jul 11 2005 2:48:30p ..S.R 417,792 408.00 K
crrds.dll Mon Jul 4 2005 3:19:40a ..... 417,792 408.00 K
ddprpres.dll Tue Jul 12 2005 6:01:32a ..S.R 417,792 408.00 K
divx.dll Thu Jun 9 2005 2:32:28p A.... 692,736 676.50 K
divx_x~1.dll Wed May 4 2005 7:12:48p A.... 688,128 672.00 K
divx_x~2.dll Wed May 4 2005 7:12:48p A.... 688,128 672.00 K
divx_x~3.dll Wed May 4 2005 7:12:50p A.... 671,744 656.00 K
dlmasf.dll Tue Jul 12 2005 6:01:36a ..S.R 417,792 408.00 K
dpl100.dll Wed Apr 27 2005 10:22:36p A.... 86,016 84.00 K
dpu11.dll Wed Apr 27 2005 10:22:36p A.... 245,760 240.00 K
dpugui11.dll Wed Apr 27 2005 10:22:36p A.... 581,632 568.00 K
dpus11.dll Wed Apr 27 2005 10:22:38p A.... 303,104 296.00 K
dpv11.dll Wed Apr 27 2005 10:22:38p A.... 57,344 56.00 K
dtu100.dll Wed May 18 2005 3:40:22p A.... 200,704 196.00 K
fjco1ins.dll Thu Jul 21 2005 9:16:00p ..S.R 417,792 408.00 K
ftdrclnr.dll Mon Jul 11 2005 6:25:30p ..S.R 417,792 408.00 K
ggelkaaa.dll Thu Jul 21 2005 8:26:38a A.... 2,640 2.58 K
glkcsp.dll Thu Jul 21 2005 10:38:50p ..S.R 417,792 408.00 K
haui.dll Mon Jul 11 2005 5:04:30p ..S.R 417,792 408.00 K
hgakheg.dll Fri Jul 22 2005 10:36:52a A.... 92,225 90.06 K
ifagehlp.dll Thu Jul 14 2005 2:54:12p ..S.R 417,792 408.00 K
iisacct.dll Mon Jul 11 2005 5:04:34p ..S.R 417,792 408.00 K
iletppui.dll Thu Jul 14 2005 1:34:04p ..S.R 417,792 408.00 K
ipm32.dll Wed Jul 13 2005 10:50:34p ..S.R 417,792 408.00 K
islzma.dll Thu May 19 2005 2:06:22p A.... 102,912 100.50 K
itssuba.dll Thu Jul 14 2005 1:34:08p ..S.R 417,792 408.00 K
ixetppui.dll Thu Jul 14 2005 2:54:08p ..S.R 417,792 408.00 K
jepl400.dll Tue Jul 12 2005 8:22:38a ..S.R 417,792 408.00 K
jucript.dll Tue Jul 12 2005 8:22:34a ..S.R 417,792 408.00 K
kadazel.dll Tue Jul 12 2005 1:07:32a ..S.R 417,792 408.00 K
kadbu.dll Tue Jul 12 2005 1:07:36a ..S.R 417,792 408.00 K
kjdcr.dll Mon Jul 11 2005 9:41:26a ..S.R 417,792 408.00 K
kjdic.dll Tue Jul 12 2005 3:28:32a ..S.R 417,792 408.00 K
kldgr.dll Mon Jul 11 2005 9:41:36a ..S.R 417,792 408.00 K
kqdlv1.dll Tue Jul 12 2005 3:28:36a ..S.R 417,792 408.00 K
libeay32.dll Wed Apr 27 2005 10:22:36p A.... 831,488 812.00 K
lpcalui.dll Thu Jul 14 2005 8:16:14p ..S.R 417,792 408.00 K
lprt.dll Thu Jul 14 2005 8:16:10p ..S.R 417,792 408.00 K
mdrle32.dll Mon Jul 11 2005 3:50:32p ..S.R 417,792 408.00 K
mecduaaa.dll Fri Jul 22 2005 10:27:24a A.... 15,359 14.99 K
mhxlegih.dll Thu Jul 14 2005 12:17:06p ..S.R 417,792 408.00 K
mjtlsapi.dll Mon Jul 11 2005 8:46:34p ..S.R 417,792 408.00 K
mkvbvm60.dll Mon Jul 11 2005 8:46:30p ..S.R 417,792 408.00 K
mm3216.dll Thu Jul 14 2005 9:44:12p ..S.R 234,272 228.78 K
mmcsubs.dll Mon Jul 11 2005 7:46:30p ..S.R 417,792 408.00 K
msvcp71.dll Tue Jun 28 2005 4:37:12p A.... 499,712 488.00 K
msvcr71.dll Tue Jun 28 2005 4:37:14p A.... 348,160 340.00 K
mtiole16.dll Thu Jul 14 2005 9:44:16p ..S.R 234,272 228.78 K
mumefilt.dll Mon Jul 11 2005 7:46:34p ..S.R 417,792 408.00 K
mvuni11.dll Mon Jul 11 2005 3:50:28p ..S.R 417,792 408.00 K
nawks.dll Mon Jul 11 2005 10:53:26a ..S.R 417,792 408.00 K
nbptools.dll Mon Jul 11 2005 6:25:34p ..S.R 417,792 408.00 K
ngraidel.dll Tue Jul 12 2005 7:17:36a ..S.R 417,792 408.00 K
njraidfi.dll Tue Jul 12 2005 7:17:34a ..S.R 417,792 408.00 K
njraidtr.dll Mon Jul 11 2005 11:41:32p ..S.R 417,792 408.00 K
nmraid~1.dll Thu Jul 14 2005 11:05:20p ..S.R 417,792 408.00 K
nmwdev.dll Thu Jul 21 2005 4:11:28p ..S.R 417,792 408.00 K
nntlogon.dll Thu Jul 21 2005 4:11:24p ..S.R 417,792 408.00 K
nqraid~1.dll Mon Jul 11 2005 10:15:30p ..S.R 417,792 408.00 K
nrraid~1.dll Mon Jul 11 2005 11:41:36p ..S.R 417,792 408.00 K
nxraid~1.dll Mon Jul 11 2005 10:15:34p ..S.R 417,792 408.00 K
oemdspif.dll Thu May 12 2005 8:10:32p A.... 73,728 72.00 K
oibcbcp.dll Mon Jul 11 2005 10:53:30a ..S.R 417,792 408.00 K
pncrt.dll Tue Jun 28 2005 8:22:22p A.... 278,528 272.00 K
pndx5016.dll Tue Jun 28 2005 8:22:22p A.... 6,656 6.50 K
pndx5032.dll Tue Jun 28 2005 8:22:22p A.... 5,632 5.50 K
qt-dx331.dll Wed Apr 27 2005 10:22:40p A.... 3,596,288 3.43 M
rdched32.dll Tue Jul 12 2005 2:23:36a ..S.R 417,792 408.00 K
rmoc3260.dll Tue Jun 28 2005 8:22:26p A.... 176,167 172.04 K
rvcns4.dll Tue Jul 12 2005 2:23:32a ..S.R 417,792 408.00 K
smdll.dll Tue Jul 12 2005 9:46:34a ..S.R 417,792 408.00 K
srsbkup.dll Thu Jul 14 2005 12:17:12p ..S.R 417,792 408.00 K
ssleay32.dll Wed Apr 27 2005 10:22:36p A.... 159,744 156.00 K
subrccsp.dll Tue Jul 12 2005 9:46:38a ..S.R 417,792 408.00 K
tcpiui.dll Thu Jul 14 2005 6:46:12p ..S.R 417,792 408.00 K
tuntsvrp.dll Thu Jul 14 2005 6:46:08p ..S.R 417,792 408.00 K
unicows.dll Wed Apr 27 2005 10:22:36p A.... 245,408 239.66 K
uoib.dll Mon Jul 18 2005 6:11:52p ..S.R 417,792 408.00 K
wghrm.dll Mon Jul 11 2005 9:03:00p ..S.R 417,792 408.00 K
wgvadve.dll Tue Jul 12 2005 4:52:36a ..S.R 417,792 408.00 K
wqbhits.dll Sun Jul 10 2005 9:18:20p ..S.R 417,792 408.00 K
wxsapi32.dll Thu Jul 14 2005 10:54:12p ..S.R 417,792 408.00 K
wzvcore2.dll Tue Jul 12 2005 4:52:32a ..S.R 417,792 408.00 K

100 items found: 100 files (58 H/S), 0 directories.
Total of file sizes: 50,771,991 bytes 48.42 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jul 9 2005 5:49:42p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 5CDF-001A

Directory of C:\WINDOWS\System32

07/21/2005 10:38 PM 417,792 glkcsp.dll
07/21/2005 09:15 PM 417,792 fjco1ins.dll
07/21/2005 04:11 PM 417,792 nmwdev.dll
07/21/2005 04:11 PM 417,792 nntlogon.dll
07/21/2005 07:54 AM 401,408 n?tdde.exe
07/20/2005 08:36 AM <DIR> dllcache
07/18/2005 06:11 PM 417,792 uoib.dll
07/14/2005 11:05 PM 417,792 NmRaidWizardeng.dll
07/14/2005 10:54 PM 417,792 wxsapi32.dll
07/14/2005 09:44 PM 234,272 mtiole16.dll
07/14/2005 09:44 PM 234,272 mm3216.dll
07/14/2005 08:16 PM 417,792 lpcalui.dll
07/14/2005 08:16 PM 417,792 lprt.dll
07/14/2005 06:46 PM 417,792 tCpiui.dll
07/14/2005 06:46 PM 417,792 tuntsvrp.dll
07/14/2005 02:54 PM 417,792 ifagehlp.dll
07/14/2005 02:54 PM 417,792 ixetppui.dll
07/14/2005 01:34 PM 417,792 itssuba.dll
07/14/2005 01:34 PM 417,792 iletppui.dll
07/14/2005 12:17 PM 417,792 srsbkup.dll
07/14/2005 12:17 PM 417,792 mhxlegih.dll
07/13/2005 10:50 PM 417,792 ipm32.dll
07/12/2005 09:46 AM 417,792 subrccsp.dll
07/12/2005 09:46 AM 417,792 smdll.dll
07/12/2005 08:22 AM 417,792 jepl400.dll
07/12/2005 08:22 AM 417,792 jucript.dll
07/12/2005 07:17 AM 417,792 NgRaidel.dll
07/12/2005 07:17 AM 417,792 NjRaidfi.dll
07/12/2005 06:01 AM 417,792 dlmasf.dll
07/12/2005 06:01 AM 417,792 ddprpres.dll
07/12/2005 04:52 AM 417,792 WGVADVE.DLL
07/12/2005 04:52 AM 417,792 wzvcore2.dll
07/12/2005 03:28 AM 417,792 kqdlv1.dll
07/12/2005 03:28 AM 417,792 kjdic.dll
07/12/2005 02:23 AM 417,792 rdched32.dll
07/12/2005 02:23 AM 417,792 rvcns4.dll
07/12/2005 01:07 AM 417,792 kadbu.dll
07/12/2005 01:07 AM 417,792 kadazel.dll
07/11/2005 11:41 PM 417,792 NrRaidSvsl.dll
07/11/2005 11:41 PM 417,792 NjRaidtr.dll
07/11/2005 10:15 PM 417,792 NxRaidSvno.dll
07/11/2005 10:15 PM 417,792 NqRaidSvhe.dll
07/11/2005 09:02 PM 417,792 WghRm.dll
07/11/2005 08:46 PM 417,792 mjtlsapi.dll
07/11/2005 08:46 PM 417,792 mkvbvm60.dll
07/11/2005 07:46 PM 417,792 mumefilt.dll
07/11/2005 07:46 PM 417,792 mmcsubs.dll
07/11/2005 06:25 PM 417,792 nbptools.dll
07/11/2005 06:25 PM 417,792 ftdrclnr.dll
07/11/2005 05:04 PM 417,792 iIsacct.dll
07/11/2005 05:04 PM 417,792 haui.dll
07/11/2005 03:50 PM 417,792 mdrle32.dll
07/11/2005 03:50 PM 417,792 mvuni11.dll
07/11/2005 02:48 PM 417,792 baotvid.dll
07/11/2005 02:48 PM 417,792 bsowser.dll
07/11/2005 10:53 AM 417,792 oibcbcp.dll
07/11/2005 10:53 AM 417,792 nawks.dll
07/11/2005 09:41 AM 417,792 kldgr.dll
07/11/2005 09:41 AM 417,792 kjdcr.dll
07/10/2005 09:18 PM 417,792 wqbhits.dll
07/09/2005 05:49 PM 417,792 guard.tmp
06/29/2005 09:31 AM 401,408 ?ti2evxx.exe
06/28/2005 04:52 PM <DIR> Microsoft
61 File(s) 25,085,504 bytes
2 Dir(s) 296,036,315,136 bytes free

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
  • Then press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer.
  • When it's finished, Notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren


#7
interbeing

    Member

  • Topic Starter
  • Member
  • 29 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\darren\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\darren\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\darren\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1728 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2020 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\baotvid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\baotvid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bsowser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bsowser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cRrds.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cRrds.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ddprpres.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ddprpres.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dlmasf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dlmasf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fjco1ins.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fjco1ins.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ftdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ftdrclnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\glkcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\glkcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\haui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\haui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ifagehlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ifagehlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\igmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\igmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iIsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iIsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iletppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iletppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\itssuba.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\itssuba.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ixetppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ixetppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jepl400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jepl400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jucript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jucript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadazel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadazel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadbu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadbu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdcr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdcr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdic.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdic.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kqdlv1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kqdlv1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lpcalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lpcalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lprt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lprt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdrle32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdrle32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhxlegih.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhxlegih.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjtlsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjtlsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkvbvm60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkvbvm60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mm3216.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmcsubs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmcsubs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtiole16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mumefilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mumefilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvuni11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvuni11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nawks.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nawks.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbptools.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbptools.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NgRaidel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NgRaidel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NjRaidfi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NjRaidfi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NjRaidtr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NjRaidtr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NmRaidWizardeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NmRaidWizardeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nmwdev.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nmwdev.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nntlogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nntlogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NqRaidSvhe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NqRaidSvhe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NrRaidSvsl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NrRaidSvsl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NxRaidSvno.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NxRaidSvno.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oibcbcp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oibcbcp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rdched32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rdched32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rvcns4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rvcns4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srsbkup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srsbkup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\subrccsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\subrccsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tCpiui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tCpiui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tuntsvrp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tuntsvrp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uoib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uoib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WghRm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WghRm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WGVADVE.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WGVADVE.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wqbhits.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wqbhits.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wxsapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wxsapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wzvcore2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wzvcore2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\baotvid.dll
Successfully Deleted: C:\WINDOWS\system32\baotvid.dll
deleting: C:\WINDOWS\system32\baotvid.dll
Successfully Deleted: C:\WINDOWS\system32\baotvid.dll
deleting: C:\WINDOWS\system32\bsowser.dll
Successfully Deleted: C:\WINDOWS\system32\bsowser.dll
deleting: C:\WINDOWS\system32\bsowser.dll
Successfully Deleted: C:\WINDOWS\system32\bsowser.dll
deleting: C:\WINDOWS\system32\cRrds.dll
Successfully Deleted: C:\WINDOWS\system32\cRrds.dll
deleting: C:\WINDOWS\system32\cRrds.dll
Successfully Deleted: C:\WINDOWS\system32\cRrds.dll
deleting: C:\WINDOWS\system32\ddprpres.dll
Successfully Deleted: C:\WINDOWS\system32\ddprpres.dll
deleting: C:\WINDOWS\system32\ddprpres.dll
Successfully Deleted: C:\WINDOWS\system32\ddprpres.dll
deleting: C:\WINDOWS\system32\dlmasf.dll
Successfully Deleted: C:\WINDOWS\system32\dlmasf.dll
deleting: C:\WINDOWS\system32\dlmasf.dll
Successfully Deleted: C:\WINDOWS\system32\dlmasf.dll
deleting: C:\WINDOWS\system32\fjco1ins.dll
Successfully Deleted: C:\WINDOWS\system32\fjco1ins.dll
deleting: C:\WINDOWS\system32\fjco1ins.dll
Successfully Deleted: C:\WINDOWS\system32\fjco1ins.dll
deleting: C:\WINDOWS\system32\ftdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\ftdrclnr.dll
deleting: C:\WINDOWS\system32\ftdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\ftdrclnr.dll
deleting: C:\WINDOWS\system32\glkcsp.dll
Successfully Deleted: C:\WINDOWS\system32\glkcsp.dll
deleting: C:\WINDOWS\system32\glkcsp.dll
Successfully Deleted: C:\WINDOWS\system32\glkcsp.dll
deleting: C:\WINDOWS\system32\haui.dll
Successfully Deleted: C:\WINDOWS\system32\haui.dll
deleting: C:\WINDOWS\system32\haui.dll
Successfully Deleted: C:\WINDOWS\system32\haui.dll
deleting: C:\WINDOWS\system32\ifagehlp.dll
Successfully Deleted: C:\WINDOWS\system32\ifagehlp.dll
deleting: C:\WINDOWS\system32\ifagehlp.dll
Successfully Deleted: C:\WINDOWS\system32\ifagehlp.dll
deleting: C:\WINDOWS\system32\igmon.dll
Successfully Deleted: C:\WINDOWS\system32\igmon.dll
deleting: C:\WINDOWS\system32\igmon.dll
Successfully Deleted: C:\WINDOWS\system32\igmon.dll
deleting: C:\WINDOWS\system32\iIsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iIsacct.dll
deleting: C:\WINDOWS\system32\iIsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iIsacct.dll
deleting: C:\WINDOWS\system32\iletppui.dll
Successfully Deleted: C:\WINDOWS\system32\iletppui.dll
deleting: C:\WINDOWS\system32\iletppui.dll
Successfully Deleted: C:\WINDOWS\system32\iletppui.dll
deleting: C:\WINDOWS\system32\ipm32.dll
Successfully Deleted: C:\WINDOWS\system32\ipm32.dll
deleting: C:\WINDOWS\system32\ipm32.dll
Successfully Deleted: C:\WINDOWS\system32\ipm32.dll
deleting: C:\WINDOWS\system32\itssuba.dll
Successfully Deleted: C:\WINDOWS\system32\itssuba.dll
deleting: C:\WINDOWS\system32\itssuba.dll
Successfully Deleted: C:\WINDOWS\system32\itssuba.dll
deleting: C:\WINDOWS\system32\ixetppui.dll
Successfully Deleted: C:\WINDOWS\system32\ixetppui.dll
deleting: C:\WINDOWS\system32\ixetppui.dll
Successfully Deleted: C:\WINDOWS\system32\ixetppui.dll
deleting: C:\WINDOWS\system32\jepl400.dll
Successfully Deleted: C:\WINDOWS\system32\jepl400.dll
deleting: C:\WINDOWS\system32\jepl400.dll
Successfully Deleted: C:\WINDOWS\system32\jepl400.dll
deleting: C:\WINDOWS\system32\jucript.dll
Successfully Deleted: C:\WINDOWS\system32\jucript.dll
deleting: C:\WINDOWS\system32\jucript.dll
Successfully Deleted: C:\WINDOWS\system32\jucript.dll
deleting: C:\WINDOWS\system32\kadazel.dll
Successfully Deleted: C:\WINDOWS\system32\kadazel.dll
deleting: C:\WINDOWS\system32\kadazel.dll
Successfully Deleted: C:\WINDOWS\system32\kadazel.dll
deleting: C:\WINDOWS\system32\kadbu.dll
Successfully Deleted: C:\WINDOWS\system32\kadbu.dll
deleting: C:\WINDOWS\system32\kadbu.dll
Successfully Deleted: C:\WINDOWS\system32\kadbu.dll
deleting: C:\WINDOWS\system32\kjdcr.dll
Successfully Deleted: C:\WINDOWS\system32\kjdcr.dll
deleting: C:\WINDOWS\system32\kjdcr.dll
Successfully Deleted: C:\WINDOWS\system32\kjdcr.dll
deleting: C:\WINDOWS\system32\kjdic.dll
Successfully Deleted: C:\WINDOWS\system32\kjdic.dll
deleting: C:\WINDOWS\system32\kjdic.dll
Successfully Deleted: C:\WINDOWS\system32\kjdic.dll
deleting: C:\WINDOWS\system32\kldgr.dll
Successfully Deleted: C:\WINDOWS\system32\kldgr.dll
deleting: C:\WINDOWS\system32\kldgr.dll
Successfully Deleted: C:\WINDOWS\system32\kldgr.dll
deleting: C:\WINDOWS\system32\kqdlv1.dll
Successfully Deleted: C:\WINDOWS\system32\kqdlv1.dll
deleting: C:\WINDOWS\system32\kqdlv1.dll
Successfully Deleted: C:\WINDOWS\system32\kqdlv1.dll
deleting: C:\WINDOWS\system32\lpcalui.dll
Successfully Deleted: C:\WINDOWS\system32\lpcalui.dll
deleting: C:\WINDOWS\system32\lpcalui.dll
Successfully Deleted: C:\WINDOWS\system32\lpcalui.dll
deleting: C:\WINDOWS\system32\lprt.dll
Successfully Deleted: C:\WINDOWS\system32\lprt.dll
deleting: C:\WINDOWS\system32\lprt.dll
Successfully Deleted: C:\WINDOWS\system32\lprt.dll
deleting: C:\WINDOWS\system32\mdrle32.dll
Successfully Deleted: C:\WINDOWS\system32\mdrle32.dll
deleting: C:\WINDOWS\system32\mdrle32.dll
Successfully Deleted: C:\WINDOWS\system32\mdrle32.dll
deleting: C:\WINDOWS\system32\mhxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mhxlegih.dll
deleting: C:\WINDOWS\system32\mhxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mhxlegih.dll
deleting: C:\WINDOWS\system32\mjtlsapi.dll
Successfully Deleted: C:\WINDOWS\system32\mjtlsapi.dll
deleting: C:\WINDOWS\system32\mjtlsapi.dll
Successfully Deleted: C:\WINDOWS\system32\mjtlsapi.dll
deleting: C:\WINDOWS\system32\mkvbvm60.dll
Successfully Deleted: C:\WINDOWS\system32\mkvbvm60.dll
deleting: C:\WINDOWS\system32\mkvbvm60.dll
Successfully Deleted: C:\WINDOWS\system32\mkvbvm60.dll
deleting: C:\WINDOWS\system32\mm3216.dll
Successfully Deleted: C:\WINDOWS\system32\mm3216.dll
deleting: C:\WINDOWS\system32\mmcsubs.dll
Successfully Deleted: C:\WINDOWS\system32\mmcsubs.dll
deleting: C:\WINDOWS\system32\mmcsubs.dll
Successfully Deleted: C:\WINDOWS\system32\mmcsubs.dll
deleting: C:\WINDOWS\system32\mtiole16.dll
Successfully Deleted: C:\WINDOWS\system32\mtiole16.dll
deleting: C:\WINDOWS\system32\mumefilt.dll
Successfully Deleted: C:\WINDOWS\system32\mumefilt.dll
deleting: C:\WINDOWS\system32\mumefilt.dll
Successfully Deleted: C:\WINDOWS\system32\mumefilt.dll
deleting: C:\WINDOWS\system32\mvuni11.dll
Successfully Deleted: C:\WINDOWS\system32\mvuni11.dll
deleting: C:\WINDOWS\system32\mvuni11.dll
Successfully Deleted: C:\WINDOWS\system32\mvuni11.dll
deleting: C:\WINDOWS\system32\nawks.dll
Successfully Deleted: C:\WINDOWS\system32\nawks.dll
deleting: C:\WINDOWS\system32\nawks.dll
Successfully Deleted: C:\WINDOWS\system32\nawks.dll
deleting: C:\WINDOWS\system32\nbptools.dll
Successfully Deleted: C:\WINDOWS\system32\nbptools.dll
deleting: C:\WINDOWS\system32\nbptools.dll
Successfully Deleted: C:\WINDOWS\system32\nbptools.dll
deleting: C:\WINDOWS\system32\NgRaidel.dll
Successfully Deleted: C:\WINDOWS\system32\NgRaidel.dll
deleting: C:\WINDOWS\system32\NgRaidel.dll
Successfully Deleted: C:\WINDOWS\system32\NgRaidel.dll
deleting: C:\WINDOWS\system32\NjRaidfi.dll
Successfully Deleted: C:\WINDOWS\system32\NjRaidfi.dll
deleting: C:\WINDOWS\system32\NjRaidfi.dll
Successfully Deleted: C:\WINDOWS\system32\NjRaidfi.dll
deleting: C:\WINDOWS\system32\NjRaidtr.dll
Successfully Deleted: C:\WINDOWS\system32\NjRaidtr.dll
deleting: C:\WINDOWS\system32\NjRaidtr.dll
Successfully Deleted: C:\WINDOWS\system32\NjRaidtr.dll
deleting: C:\WINDOWS\system32\NmRaidWizardeng.dll
Successfully Deleted: C:\WINDOWS\system32\NmRaidWizardeng.dll
deleting: C:\WINDOWS\system32\NmRaidWizardeng.dll
Successfully Deleted: C:\WINDOWS\system32\NmRaidWizardeng.dll
deleting: C:\WINDOWS\system32\nmwdev.dll
Successfully Deleted: C:\WINDOWS\system32\nmwdev.dll
deleting: C:\WINDOWS\system32\nmwdev.dll
Successfully Deleted: C:\WINDOWS\system32\nmwdev.dll
deleting: C:\WINDOWS\system32\nntlogon.dll
Successfully Deleted: C:\WINDOWS\system32\nntlogon.dll
deleting: C:\WINDOWS\system32\nntlogon.dll
Successfully Deleted: C:\WINDOWS\system32\nntlogon.dll
deleting: C:\WINDOWS\system32\NqRaidSvhe.dll
Successfully Deleted: C:\WINDOWS\system32\NqRaidSvhe.dll
deleting: C:\WINDOWS\system32\NqRaidSvhe.dll
Successfully Deleted: C:\WINDOWS\system32\NqRaidSvhe.dll
deleting: C:\WINDOWS\system32\NrRaidSvsl.dll
Successfully Deleted: C:\WINDOWS\system32\NrRaidSvsl.dll
deleting: C:\WINDOWS\system32\NrRaidSvsl.dll
Successfully Deleted: C:\WINDOWS\system32\NrRaidSvsl.dll
deleting: C:\WINDOWS\system32\NxRaidSvno.dll
Successfully Deleted: C:\WINDOWS\system32\NxRaidSvno.dll
deleting: C:\WINDOWS\system32\NxRaidSvno.dll
Successfully Deleted: C:\WINDOWS\system32\NxRaidSvno.dll
deleting: C:\WINDOWS\system32\oibcbcp.dll
Successfully Deleted: C:\WINDOWS\system32\oibcbcp.dll
deleting: C:\WINDOWS\system32\oibcbcp.dll
Successfully Deleted: C:\WINDOWS\system32\oibcbcp.dll
deleting: C:\WINDOWS\system32\rdched32.dll
Successfully Deleted: C:\WINDOWS\system32\rdched32.dll
deleting: C:\WINDOWS\system32\rdched32.dll
Successfully Deleted: C:\WINDOWS\system32\rdched32.dll
deleting: C:\WINDOWS\system32\rvcns4.dll
Successfully Deleted: C:\WINDOWS\system32\rvcns4.dll
deleting: C:\WINDOWS\system32\rvcns4.dll
Successfully Deleted: C:\WINDOWS\system32\rvcns4.dll
deleting: C:\WINDOWS\system32\smdll.dll
Successfully Deleted: C:\WINDOWS\system32\smdll.dll
deleting: C:\WINDOWS\system32\smdll.dll
Successfully Deleted: C:\WINDOWS\system32\smdll.dll
deleting: C:\WINDOWS\system32\srsbkup.dll
Successfully Deleted: C:\WINDOWS\system32\srsbkup.dll
deleting: C:\WINDOWS\system32\srsbkup.dll
Successfully Deleted: C:\WINDOWS\system32\srsbkup.dll
deleting: C:\WINDOWS\system32\subrccsp.dll
Successfully Deleted: C:\WINDOWS\system32\subrccsp.dll
deleting: C:\WINDOWS\system32\subrccsp.dll
Successfully Deleted: C:\WINDOWS\system32\subrccsp.dll
deleting: C:\WINDOWS\system32\tCpiui.dll
Successfully Deleted: C:\WINDOWS\system32\tCpiui.dll
deleting: C:\WINDOWS\system32\tCpiui.dll
Successfully Deleted: C:\WINDOWS\system32\tCpiui.dll
deleting: C:\WINDOWS\system32\tuntsvrp.dll
Successfully Deleted: C:\WINDOWS\system32\tuntsvrp.dll
deleting: C:\WINDOWS\system32\tuntsvrp.dll
Successfully Deleted: C:\WINDOWS\system32\tuntsvrp.dll
deleting: C:\WINDOWS\system32\uoib.dll
Successfully Deleted: C:\WINDOWS\system32\uoib.dll
deleting: C:\WINDOWS\system32\uoib.dll
Successfully Deleted: C:\WINDOWS\system32\uoib.dll
deleting: C:\WINDOWS\system32\WghRm.dll
Successfully Deleted: C:\WINDOWS\system32\WghRm.dll
deleting: C:\WINDOWS\system32\WghRm.dll
Successfully Deleted: C:\WINDOWS\system32\WghRm.dll
deleting: C:\WINDOWS\system32\WGVADVE.DLL
Successfully Deleted: C:\WINDOWS\system32\WGVADVE.DLL
deleting: C:\WINDOWS\system32\WGVADVE.DLL
Successfully Deleted: C:\WINDOWS\system32\WGVADVE.DLL
deleting: C:\WINDOWS\system32\wqbhits.dll
Successfully Deleted: C:\WINDOWS\system32\wqbhits.dll
deleting: C:\WINDOWS\system32\wqbhits.dll
Successfully Deleted: C:\WINDOWS\system32\wqbhits.dll
deleting: C:\WINDOWS\system32\wxsapi32.dll
Successfully Deleted: C:\WINDOWS\system32\wxsapi32.dll
deleting: C:\WINDOWS\system32\wxsapi32.dll
Successfully Deleted: C:\WINDOWS\system32\wxsapi32.dll
deleting: C:\WINDOWS\system32\wzvcore2.dll
Successfully Deleted: C:\WINDOWS\system32\wzvcore2.dll
deleting: C:\WINDOWS\system32\wzvcore2.dll
Successfully Deleted: C:\WINDOWS\system32\wzvcore2.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: baotvid.dll (164 bytes security) (deflated 48%)
adding: bsowser.dll (164 bytes security) (deflated 48%)
adding: cRrds.dll (164 bytes security) (deflated 48%)
adding: ddprpres.dll (164 bytes security) (deflated 48%)
adding: dlmasf.dll (164 bytes security) (deflated 48%)
adding: fjco1ins.dll (164 bytes security) (deflated 48%)
adding: ftdrclnr.dll (164 bytes security) (deflated 48%)
adding: glkcsp.dll (164 bytes security) (deflated 48%)
adding: haui.dll (164 bytes security) (deflated 48%)
adding: ifagehlp.dll (164 bytes security) (deflated 48%)
adding: igmon.dll (164 bytes security) (deflated 48%)
adding: iIsacct.dll (164 bytes security) (deflated 48%)
adding: iletppui.dll (164 bytes security) (deflated 48%)
adding: ipm32.dll (164 bytes security) (deflated 48%)
adding: itssuba.dll (164 bytes security) (deflated 48%)
adding: ixetppui.dll (164 bytes security) (deflated 48%)
adding: jepl400.dll (164 bytes security) (deflated 48%)
adding: jucript.dll (164 bytes security) (deflated 48%)
adding: kadazel.dll (164 bytes security) (deflated 48%)
adding: kadbu.dll (164 bytes security) (deflated 48%)
adding: kjdcr.dll (164 bytes security) (deflated 48%)
adding: kjdic.dll (164 bytes security) (deflated 48%)
adding: kldgr.dll (164 bytes security) (deflated 48%)
adding: kqdlv1.dll (164 bytes security) (deflated 48%)
adding: lpcalui.dll (164 bytes security) (deflated 48%)
adding: lprt.dll (164 bytes security) (deflated 48%)
adding: mdrle32.dll (164 bytes security) (deflated 48%)
adding: mhxlegih.dll (164 bytes security) (deflated 48%)
adding: mjtlsapi.dll (164 bytes security) (deflated 48%)
adding: mkvbvm60.dll (164 bytes security) (deflated 48%)
adding: mm3216.dll (164 bytes security) (deflated 4%)
adding: mmcsubs.dll (164 bytes security) (deflated 48%)
adding: mtiole16.dll (164 bytes security) (deflated 4%)
adding: mumefilt.dll (164 bytes security) (deflated 48%)
adding: mvuni11.dll (164 bytes security) (deflated 48%)
adding: nawks.dll (164 bytes security) (deflated 48%)
adding: nbptools.dll (164 bytes security) (deflated 48%)
adding: NgRaidel.dll (164 bytes security) (deflated 48%)
adding: NjRaidfi.dll (164 bytes security) (deflated 48%)
adding: NjRaidtr.dll (164 bytes security) (deflated 48%)
adding: NmRaidWizardeng.dll (164 bytes security) (deflated 48%)
adding: nmwdev.dll (164 bytes security) (deflated 48%)
adding: nntlogon.dll (164 bytes security) (deflated 48%)
adding: NqRaidSvhe.dll (164 bytes security) (deflated 48%)
adding: NrRaidSvsl.dll (164 bytes security) (deflated 48%)
adding: NxRaidSvno.dll (164 bytes security) (deflated 48%)
adding: oibcbcp.dll (164 bytes security) (deflated 48%)
adding: rdched32.dll (164 bytes security) (deflated 48%)
adding: rvcns4.dll (164 bytes security) (deflated 48%)
adding: smdll.dll (164 bytes security) (deflated 48%)
adding: srsbkup.dll (164 bytes security) (deflated 48%)
adding: subrccsp.dll (164 bytes security) (deflated 48%)
adding: tCpiui.dll (164 bytes security) (deflated 48%)
adding: tuntsvrp.dll (164 bytes security) (deflated 48%)
adding: uoib.dll (164 bytes security) (deflated 48%)
adding: WghRm.dll (164 bytes security) (deflated 48%)
adding: WGVADVE.DLL (164 bytes security) (deflated 48%)
adding: wqbhits.dll (164 bytes security) (deflated 48%)
adding: wxsapi32.dll (164 bytes security) (deflated 48%)
adding: wzvcore2.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 92%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 70%)
adding: test.txt (164 bytes security) (deflated 91%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 89%)
adding: backregs/BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: baotvid.dll
deleting local copy: baotvid.dll
deleting local copy: bsowser.dll
deleting local copy: bsowser.dll
deleting local copy: cRrds.dll
deleting local copy: cRrds.dll
deleting local copy: ddprpres.dll
deleting local copy: ddprpres.dll
deleting local copy: dlmasf.dll
deleting local copy: dlmasf.dll
deleting local copy: fjco1ins.dll
deleting local copy: fjco1ins.dll
deleting local copy: ftdrclnr.dll
deleting local copy: ftdrclnr.dll
deleting local copy: glkcsp.dll
deleting local copy: glkcsp.dll
deleting local copy: haui.dll
deleting local copy: haui.dll
deleting local copy: ifagehlp.dll
deleting local copy: ifagehlp.dll
deleting local copy: igmon.dll
deleting local copy: igmon.dll
deleting local copy: iIsacct.dll
deleting local copy: iIsacct.dll
deleting local copy: iletppui.dll
deleting local copy: iletppui.dll
deleting local copy: ipm32.dll
deleting local copy: ipm32.dll
deleting local copy: itssuba.dll
deleting local copy: itssuba.dll
deleting local copy: ixetppui.dll
deleting local copy: ixetppui.dll
deleting local copy: jepl400.dll
deleting local copy: jepl400.dll
deleting local copy: jucript.dll
deleting local copy: jucript.dll
deleting local copy: kadazel.dll
deleting local copy: kadazel.dll
deleting local copy: kadbu.dll
deleting local copy: kadbu.dll
deleting local copy: kjdcr.dll
deleting local copy: kjdcr.dll
deleting local copy: kjdic.dll
deleting local copy: kjdic.dll
deleting local copy: kldgr.dll
deleting local copy: kldgr.dll
deleting local copy: kqdlv1.dll
deleting local copy: kqdlv1.dll
deleting local copy: lpcalui.dll
deleting local copy: lpcalui.dll
deleting local copy: lprt.dll
deleting local copy: lprt.dll
deleting local copy: mdrle32.dll
deleting local copy: mdrle32.dll
deleting local copy: mhxlegih.dll
deleting local copy: mhxlegih.dll
deleting local copy: mjtlsapi.dll
deleting local copy: mjtlsapi.dll
deleting local copy: mkvbvm60.dll
deleting local copy: mkvbvm60.dll
deleting local copy: mm3216.dll
deleting local copy: mmcsubs.dll
deleting local copy: mmcsubs.dll
deleting local copy: mtiole16.dll
deleting local copy: mumefilt.dll
deleting local copy: mumefilt.dll
deleting local copy: mvuni11.dll
deleting local copy: mvuni11.dll
deleting local copy: nawks.dll
deleting local copy: nawks.dll
deleting local copy: nbptools.dll
deleting local copy: nbptools.dll
deleting local copy: NgRaidel.dll
deleting local copy: NgRaidel.dll
deleting local copy: NjRaidfi.dll
deleting local copy: NjRaidfi.dll
deleting local copy: NjRaidtr.dll
deleting local copy: NjRaidtr.dll
deleting local copy: NmRaidWizardeng.dll
deleting local copy: NmRaidWizardeng.dll
deleting local copy: nmwdev.dll
deleting local copy: nmwdev.dll
deleting local copy: nntlogon.dll
deleting local copy: nntlogon.dll
deleting local copy: NqRaidSvhe.dll
deleting local copy: NqRaidSvhe.dll
deleting local copy: NrRaidSvsl.dll
deleting local copy: NrRaidSvsl.dll
deleting local copy: NxRaidSvno.dll
deleting local copy: NxRaidSvno.dll
deleting local copy: oibcbcp.dll
deleting local copy: oibcbcp.dll
deleting local copy: rdched32.dll
deleting local copy: rdched32.dll
deleting local copy: rvcns4.dll
deleting local copy: rvcns4.dll
deleting local copy: smdll.dll
deleting local copy: smdll.dll
deleting local copy: srsbkup.dll
deleting local copy: srsbkup.dll
deleting local copy: subrccsp.dll
deleting local copy: subrccsp.dll
deleting local copy: tCpiui.dll
deleting local copy: tCpiui.dll
deleting local copy: tuntsvrp.dll
deleting local copy: tuntsvrp.dll
deleting local copy: uoib.dll
deleting local copy: uoib.dll
deleting local copy: WghRm.dll
deleting local copy: WghRm.dll
deleting local copy: WGVADVE.DLL
deleting local copy: WGVADVE.DLL
deleting local copy: wqbhits.dll
deleting local copy: wqbhits.dll
deleting local copy: wxsapi32.dll
deleting local copy: wxsapi32.dll
deleting local copy: wzvcore2.dll
deleting local copy: wzvcore2.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\baotvid.dll
C:\WINDOWS\system32\baotvid.dll
C:\WINDOWS\system32\bsowser.dll
C:\WINDOWS\system32\bsowser.dll
C:\WINDOWS\system32\cRrds.dll
C:\WINDOWS\system32\cRrds.dll
C:\WINDOWS\system32\ddprpres.dll
C:\WINDOWS\system32\ddprpres.dll
C:\WINDOWS\system32\dlmasf.dll
C:\WINDOWS\system32\dlmasf.dll
C:\WINDOWS\system32\fjco1ins.dll
C:\WINDOWS\system32\fjco1ins.dll
C:\WINDOWS\system32\ftdrclnr.dll
C:\WINDOWS\system32\ftdrclnr.dll
C:\WINDOWS\system32\glkcsp.dll
C:\WINDOWS\system32\glkcsp.dll
C:\WINDOWS\system32\haui.dll
C:\WINDOWS\system32\haui.dll
C:\WINDOWS\system32\ifagehlp.dll
C:\WINDOWS\system32\ifagehlp.dll
C:\WINDOWS\system32\igmon.dll
C:\WINDOWS\system32\igmon.dll
C:\WINDOWS\system32\iIsacct.dll
C:\WINDOWS\system32\iIsacct.dll
C:\WINDOWS\system32\iletppui.dll
C:\WINDOWS\system32\iletppui.dll
C:\WINDOWS\system32\ipm32.dll
C:\WINDOWS\system32\ipm32.dll
C:\WINDOWS\system32\itssuba.dll
C:\WINDOWS\system32\itssuba.dll
C:\WINDOWS\system32\ixetppui.dll
C:\WINDOWS\system32\ixetppui.dll
C:\WINDOWS\system32\jepl400.dll
C:\WINDOWS\system32\jepl400.dll
C:\WINDOWS\system32\jucript.dll
C:\WINDOWS\system32\jucript.dll
C:\WINDOWS\system32\kadazel.dll
C:\WINDOWS\system32\kadazel.dll
C:\WINDOWS\system32\kadbu.dll
C:\WINDOWS\system32\kadbu.dll
C:\WINDOWS\system32\kjdcr.dll
C:\WINDOWS\system32\kjdcr.dll
C:\WINDOWS\system32\kjdic.dll
C:\WINDOWS\system32\kjdic.dll
C:\WINDOWS\system32\kldgr.dll
C:\WINDOWS\system32\kldgr.dll
C:\WINDOWS\system32\kqdlv1.dll
C:\WINDOWS\system32\kqdlv1.dll
C:\WINDOWS\system32\lpcalui.dll
C:\WINDOWS\system32\lpcalui.dll
C:\WINDOWS\system32\lprt.dll
C:\WINDOWS\system32\lprt.dll
C:\WINDOWS\system32\mdrle32.dll
C:\WINDOWS\system32\mdrle32.dll
C:\WINDOWS\system32\mhxlegih.dll
C:\WINDOWS\system32\mhxlegih.dll
C:\WINDOWS\system32\mjtlsapi.dll
C:\WINDOWS\system32\mjtlsapi.dll
C:\WINDOWS\system32\mkvbvm60.dll
C:\WINDOWS\system32\mkvbvm60.dll
C:\WINDOWS\system32\mm3216.dll
C:\WINDOWS\system32\mmcsubs.dll
C:\WINDOWS\system32\mmcsubs.dll
C:\WINDOWS\system32\mtiole16.dll
C:\WINDOWS\system32\mumefilt.dll
C:\WINDOWS\system32\mumefilt.dll
C:\WINDOWS\system32\mvuni11.dll
C:\WINDOWS\system32\mvuni11.dll
C:\WINDOWS\system32\nawks.dll
C:\WINDOWS\system32\nawks.dll
C:\WINDOWS\system32\nbptools.dll
C:\WINDOWS\system32\nbptools.dll
C:\WINDOWS\system32\NgRaidel.dll
C:\WINDOWS\system32\NgRaidel.dll
C:\WINDOWS\system32\NjRaidfi.dll
C:\WINDOWS\system32\NjRaidfi.dll
C:\WINDOWS\system32\NjRaidtr.dll
C:\WINDOWS\system32\NjRaidtr.dll
C:\WINDOWS\system32\NmRaidWizardeng.dll
C:\WINDOWS\system32\NmRaidWizardeng.dll
C:\WINDOWS\system32\nmwdev.dll
C:\WINDOWS\system32\nmwdev.dll
C:\WINDOWS\system32\nntlogon.dll
C:\WINDOWS\system32\nntlogon.dll
C:\WINDOWS\system32\NqRaidSvhe.dll
C:\WINDOWS\system32\NqRaidSvhe.dll
C:\WINDOWS\system32\NrRaidSvsl.dll
C:\WINDOWS\system32\NrRaidSvsl.dll
C:\WINDOWS\system32\NxRaidSvno.dll
C:\WINDOWS\system32\NxRaidSvno.dll
C:\WINDOWS\system32\oibcbcp.dll
C:\WINDOWS\system32\oibcbcp.dll
C:\WINDOWS\system32\rdched32.dll
C:\WINDOWS\system32\rdched32.dll
C:\WINDOWS\system32\rvcns4.dll
C:\WINDOWS\system32\rvcns4.dll
C:\WINDOWS\system32\smdll.dll
C:\WINDOWS\system32\smdll.dll
C:\WINDOWS\system32\srsbkup.dll
C:\WINDOWS\system32\srsbkup.dll
C:\WINDOWS\system32\subrccsp.dll
C:\WINDOWS\system32\subrccsp.dll
C:\WINDOWS\system32\tCpiui.dll
C:\WINDOWS\system32\tCpiui.dll
C:\WINDOWS\system32\tuntsvrp.dll
C:\WINDOWS\system32\tuntsvrp.dll
C:\WINDOWS\system32\uoib.dll
C:\WINDOWS\system32\uoib.dll
C:\WINDOWS\system32\WghRm.dll
C:\WINDOWS\system32\WghRm.dll
C:\WINDOWS\system32\WGVADVE.DLL
C:\WINDOWS\system32\WGVADVE.DLL
C:\WINDOWS\system32\wqbhits.dll
C:\WINDOWS\system32\wqbhits.dll
C:\WINDOWS\system32\wxsapi32.dll
C:\WINDOWS\system32\wxsapi32.dll
C:\WINDOWS\system32\wzvcore2.dll
C:\WINDOWS\system32\wzvcore2.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BB56C69A-F9B4-4C47-8CFF-94C4A55D2AA8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:38:14 PM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\mtes\orer.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
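The export above lists every notification package registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, which is exactly the key the fix log re-permissioned: each subkey names a DLL that winlogon.exe loads at logon, so an unknown entry there is a persistence point worth checking. Some DllName values are written as hex(2), a REG_EXPAND_SZ string stored as UTF-16LE bytes, so 63,00,72,00,79,00,... decodes to crypt32.dll. The following Python parser is an added example, not part of the fix log or of HijackThis: it rejoins the lines regedit wrapped with a trailing backslash, decodes those values and reports any package whose DLL is outside a baseline. The baseline is an assumption built from the DLLs in this export, the sample export is constructed in the same shape, and hypothetical.dll is an invented name.

```python
"""List the notification packages under Winlogon\\Notify from a registry export
like the one above, decoding hex(2) (REG_EXPAND_SZ) DllName values, and flag
DLLs outside a known-good baseline.

Added illustration, not part of the fix log or of HijackThis.  The baseline and
the sample export are assumptions built from the export shown in this post;
"hypothetical.dll" is an invented name."""
import re
from typing import Dict, List

# Assumption: the DLLs seen in this post's export, used as a known-good baseline.
KNOWN_GOOD_DLLS = {"ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll"}

# Constructed sample in the shape of the export above: one hex(2) DllName with
# regedit's backslash line continuation, one plain string, one invented extra.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\suspect]
"DLLName"="hypothetical.dll"
"Logon"="HypotheticalLogonEvent"
'''


def _join_continuations(text: str) -> List[str]:
    """Rejoin values that regedit wrapped with a trailing backslash onto one line."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def decode_reg_value(raw: str) -> str:
    """Decode a .reg value: a quoted string, or hex(1)/hex(2) UTF-16LE bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.fullmatch(r"hex\(([12])\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        # The string is NUL-terminated; keep everything before the terminator.
        return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return raw


def parse_notify_export(text: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey name to its (lower-cased) DLL file name."""
    packages: Dict[str, str] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            # Only direct children of ...\Winlogon\Notify are notification packages.
            current = leaf if parent.lower().endswith("\\winlogon\\notify") else None
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().strip('"').lower() == "dllname":
            packages[current] = decode_reg_value(value).lower()
    return packages


def find_unknown_packages(text: str, baseline=KNOWN_GOOD_DLLS) -> Dict[str, str]:
    """Notification packages whose DLL is not in the baseline: the ones to examine."""
    return {name: dll for name, dll in parse_notify_export(text).items() if dll not in baseline}


if __name__ == "__main__":
    for name, dll in parse_notify_export(SAMPLE_REG).items():
        print(f"{name:14s} -> {dll}")
    print("unknown:", find_unknown_packages(SAMPLE_REG))
```

On a real export the baseline should come from a clean machine of the same Windows build rather than from the suspect export itself; the point of the check is that anything not accounted for gets looked at, not that the listed names are trusted.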

#8
Trevuren (Old Dog, Retired Staff, 18,699 posts)

1. We first have to temporarily disable SpySweeper, as it may interfere with our fixes.

To disable SpySweeper:

Open it, click >Options over to the left, then >Program Options, and uncheck "Load at Windows startup".
Over to the left click "Shields" and uncheck all there.
Uncheck "Home page shield".
Uncheck "Automatically restore default without notification".

2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis.
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\editdnec.exe
C:\Program Files\Cas<===Folder with content
C:\WINDOWS\System32\kswd0850.dll

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

  • 0
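The two F2 lines Trevuren asks to fix show the Winlogon Shell and UserInit values with an extra executable appended after the stock explorer.exe and userinit.exe, and the same file appears again in HKLM and HKCU Run entries; this is why the instructions fix all of the entries together and then delete the files in Safe Mode, since removing only one of them leaves a way for it to be started again. The script below is an added example, not a HijackThis feature and not from Trevuren's post: it reads HijackThis log lines and lists each chained executable together with the Run entries that reload it. The expected values are the stock Windows XP ones, and the sample lines are constructed from the log posted above.

```python
"""Flag Winlogon Shell/UserInit hijacks and the Run entries that reload them in
a HijackThis log.  Added illustration, not a HijackThis feature and not from
Trevuren's instructions.  The expected values are the stock Windows XP ones;
the sample log lines are constructed from the log posted above."""
import re
from typing import Dict, List

# Stock Windows XP contents of the two Winlogon values HijackThis reports as F2 lines.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "UserInit": {r"c:\windows\system32\userinit.exe"},
}

# Constructed sample: F2, O4 and O21 lines taken from the log in this thread.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\editdnec.exe,C:\Documents and Settings\darren\Application Data\Explorer\editdnec.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O21 - SSODL: Client Component - {D198D485-A5E2-4932-AAB3-F264074AF526} - C:\WINDOWS\System32\kswd0850.dll
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.M | re.I)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$", re.M)
# First .exe token in a Run command, with or without quoting and arguments.
EXE_RE = re.compile(r'[^\\\s"]+\.exe', re.I)


def f2_extras(log: str) -> Dict[str, List[str]]:
    """Executables chained onto Shell= and UserInit= beyond the stock values."""
    extras: Dict[str, List[str]] = {"Shell": [], "UserInit": []}
    for m in F2_RE.finditer(log):
        name = "Shell" if m.group(1).lower() == "shell" else "UserInit"
        for part in m.group(2).split(","):
            part = part.strip()
            if part and part.lower() not in EXPECTED[name]:
                extras[name].append(part)
    return extras


def run_entries_for(log: str, exe_name: str) -> List[str]:
    """O4 Run entries whose command launches exe_name, as 'hive [value name]'."""
    hits: List[str] = []
    for m in O4_RE.finditer(log):
        exe = EXE_RE.search(m.group(3))
        if exe and exe.group(0).lower() == exe_name.lower():
            hits.append(f"{m.group(1)} [{m.group(2)}]")
    return hits


def analyze(log: str) -> List[str]:
    """One finding per chained executable, with the Run entries that would restart it."""
    findings: List[str] = []
    for value, paths in f2_extras(log).items():
        for path in paths:
            exe = path.split("\\")[-1]
            runs = run_entries_for(log, exe)
            note = f"{value}= chains {path}"
            if runs:
                note += " (also started by " + ", ".join(runs) + ")"
            findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The output groups the persistence points by file, which is the order a cleanup needs: every registry reference to a file has to go in the same pass as the file itself, or the surviving reference recreates the problem at the next logon.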

#9
interbeing (Member, Topic Starter, 29 posts)

Hey,
I cannot open SpySweeper. It is like it is hidden or something; it acts like it is opening but does not, so I don't really know if I should go on or not.
Thanks,
Darren
  • 0

#10
Trevuren (Old Dog, Retired Staff, 18,699 posts)

Please uninstall it then


Trevuren
  • 0

#11
interbeing (Member, Topic Starter, 29 posts)

Logfile of HijackThis v1.99.1
Scan saved at 11:37:28 PM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\TEMP\!update.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe,editdnec.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\editdnec.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Client Messenger] C:\WINDOWS\System32\editdnec.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O21 - SSODL: Client Component - {68052A45-15F0-41CA-8E41-EADFF7555B4E} - C:\WINDOWS\System32\kswd0850.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  • 0

#12
Trevuren (Old Dog, Retired Staff, 18,699 posts)

Please provide me with a list of your uninstallable programs:

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.
Trevuren
  • 0

#13
interbeing (Member, Topic Starter, 29 posts)

Ad-Aware SE Personal
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Battlefield 2™
BearShare
Delta Force Land Warrior
DivX
DivX Player
F-22 Lightning 3
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Internet Update
Logitech iTouch Software
Microsoft .NET Framework 1.1
MSN Messenger 7.0
MSN Music Assistant
NVIDIA Drivers
OIN
RealPlayer
Realtek AC'97 Audio
Spybot - Search & Destroy 1.4
Windows Media Format Runtime
Windows Media Player 10
  • 0

#14
Trevuren (Old Dog, Retired Staff, 18,699 posts)

There is a file in your log of which I am unsure and about which there exists very little information. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\System32\editdnec.exe


3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Regards,

Trevuren

  • 0

#15
interbeing (Member, Topic Starter, 29 posts)

File: editdnec.exe
Status: INFECTED/MALWARE
MD5 620871dd09cf1637dc719cce89bd0a17
Packers detected: -
Scanner results
AntiVir Found DR/Pere.103936.B
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.ShellObject (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/PPdoor.T
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.Dropper.Small.14 (probable variant)

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, I am aware of the implications of a setup like this. I am sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). I am aware, in spite of efforts to proactively counter these, false positives might occur, for example. I do not consider this a very big issue, so please do not e-mail me about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 15Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, James Love, Gideon Pertzov, Malcolm Murray, Nigel Thomas, Wendy Dickerson, Anthony Midmore, "ethereal", Mark Rubins, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, and some people who prefer to remain anonymous... many thanks to all!

Statistics
Last file scanned at least one scanner reported something about: Trojan.Virtool.Avspoffer.A in patch.exe, detected by:

Scanner Malware name
AntiVir X
ArcaVir Trojan.Virtool.Avspoffer.A
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
UNA X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion.


36287 files (24574 of those unique) have been uploaded & scanned since 11/Jul/2005, the day of the last database purge.
6106 of those 24574 files contained a virus or any other form of malware.
This page has been visited 61211 times in this time period.

If you have suggestions and/or comments, please send me them!
  • 0





