Trojan-Dropper.W32.Agent.pb - Can't Remove [RESOLVED]


  • This topic is locked

#1
LFNNS
New Member
4 posts
Hi GTG,

I have Kaspersky Anti-Virus and tried every online virus scanner and I can't remove Trojan-Dropper.W32.Agent.pb. Kaspersky AV deletes the AppWrap[1].exe all the time but it keeps coming back and I get popup windows all the time.

I read through some of the forum posts but some replies are past my tech jargon so I am asking for some help.

THANKS!
Eric


Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:58 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\Program Files\QuickTime6.3\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OmniPagePro12.0\Opware12.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\LFN\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\DOCUME~1\EN\LOCALS~1\Temp\msdxm.ocx (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O5 "LPT1:" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime6.3\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu	&4 - file://C:\Program Files\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms	&] - file://C:\Program Files\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=2
O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=1
O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=3
O8 - Extra context menu item: Save Forms	&[ - file://C:\Program Files\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Save image with M&ybase - C:\Program Files\Mybase\WebCollect\imagesave.htm
O8 - Extra context menu item: Save with &Mybase - C:\Program Files\Mybase\WebCollect\websave.htm
O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=5
O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=4
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Save with Mybase/WebCollect - {B32D4F40-124C-4be4-9EED-456712C053B5} - C:\Program Files\Mybase\WebCollect\websave.htm (HKCU)
O9 - Extra 'Tools' menuitem: Save with Mybase/WebCollect - {B32D4F40-124C-4be4-9EED-456712C053B5} - C:\Program Files\Mybase\WebCollect\websave.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\tmaffic.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\Drive Image 7.0\Agent\PQV2iSvc.exe

#2
greyknight17
Malware Expert, Visiting Consultant
16,560 posts
Hi Eric and welcome to GTG.

Please make sure that Word Wrap is turned OFF in Notepad before you post your log next time. As you can see (take a look at the log you posted), the format is distorted. This makes it harder for us to read your log and will take a little longer to get back to you on it. So make sure Word Wrap is turned OFF next time.

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

#3
LFNNS (Topic Starter)
New Member
4 posts
Hi greyknight17,

Oops! I turned off Word Wrap. Sorry about that! Thanks for your assistance. No rush on my end as I have to go to work now but I will check back as soon as I can.

Thanks,
Eric


Here is my l2mfix.bat option #1 log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\tmaffic.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Unlock"="WLEventUnlock"
"Lock"="WLEventLock"
"Startup"="WLEventStartup"
"DllName"="PCANotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{47C0DBEA-015D-9156-70C4-8EB5B74576E0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2F25CF20-C569-11D1-B94C-00608CB45480}"="TextPad"
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}"="Nokia Phone Browser"
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}"="Contact View"
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}"="Message View"
"{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}\InprocServer32]
@="C:\\WINDOWS\\system32\\kjdit.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   aameter.dll    Fri Jul 22 2005   4:46:28a  ..S.R        417,792   408.00 K
   bktmeter.dll   Fri Jul 22 2005   4:46:32a  A.S.R        417,792   408.00 K
   ccwmdm.dll     Thu Jul 28 2005   2:05:06a  .....        417,792   408.00 K
   kjdit.dll      Thu Aug  4 2005   9:49:48a  ..S.R        417,792   408.00 K
   kjdno.dll      Fri Jul 22 2005  12:42:32a  A.S.R        417,792   408.00 K
   kldinben.dll   Fri Jul 22 2005   2:07:28a  ..S.R        417,792   408.00 K
   ktdit.dll      Fri Jul 22 2005   2:07:32a  A.S.R        417,792   408.00 K
   kzdru1.dll     Fri Jul 22 2005  12:42:28a  ..S.R        417,792   408.00 K
   lq32.dll       Thu Jul 28 2005  12:37:12p  ..S.R        417,792   408.00 K
   mhhgrcoi.dll   Fri Jul 22 2005   3:30:28a  ..S.R        417,792   408.00 K
   mmhgrcoi.dll   Fri Jul 22 2005   3:30:36a  A.S.R        417,792   408.00 K
   mtmtapi.dll    Thu Jul 21 2005  11:20:32p  ..S.R        417,792   408.00 K
   myrdim.dll     Thu Jul 21 2005  11:20:44p  A.S.R        417,792   408.00 K
   pxh.dll        Thu Jul 28 2005   2:21:46a  ..S.R        417,792   408.00 K
   tmaffic.dll    Fri Jul 22 2005   6:14:28a  ..S.R        417,792   408.00 K
   tupmon.dll     Fri Jul 22 2005   6:14:32a  A.S.R        417,792   408.00 K
   tzemeui.dll    Wed Aug  3 2005  10:42:48a  ..S.R        417,792   408.00 K
   wwaservc.dll   Wed Jul 27 2005  10:50:40p  ..S.R        417,792   408.00 K
   xdctsrv.dll    Fri Jul 22 2005   2:50:10p  ..S.R        417,792   408.00 K

19 items found:  19 files (18 H/S), 0 directories.
   Total of file sizes:  7,938,048 bytes      7.57 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
   guard.tmp      Thu Jul 28 2005   1:57:42a  ..S.R        417,792   408.00 K

1 item found:  1 file (1 H/S), 0 directories.
   Total of file sizes:  417,792 bytes    408.00 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 04FF-316A

 Directory of C:\WINDOWS\System32

08/04/2005  09:49 AM           417,792 kjdit.dll
08/03/2005  10:42 AM           417,792 tzemeui.dll
07/28/2005  12:37 PM           417,792 lq32.dll
07/28/2005  02:21 AM           417,792 pxh.dll
07/28/2005  01:57 AM           417,792 guard.tmp
07/28/2005  01:50 AM    <DIR>          dllcache
07/27/2005  10:50 PM           417,792 wwaservc.dll
07/22/2005  02:50 PM           417,792 xDctsrv.dll
07/22/2005  06:14 AM           417,792 tupmon.dll
07/22/2005  06:14 AM           417,792 tmaffic.dll
07/22/2005  04:46 AM           417,792 bKtmeter.dll
07/22/2005  04:46 AM           417,792 aameter.dll
07/22/2005  03:30 AM           417,792 mmhgrcoi.dll
07/22/2005  03:30 AM           417,792 mhhgrcoi.dll
07/22/2005  02:07 AM           417,792 ktdit.dll
07/22/2005  02:07 AM           417,792 kldinben.dll
07/22/2005  12:42 AM           417,792 kjdno.dll
07/22/2005  12:42 AM           417,792 kzdru1.dll
07/21/2005  11:20 PM           417,792 myrdim.dll
07/21/2005  11:20 PM           417,792 mtmtapi.dll
06/06/2005  02:33 PM             1,942 KGyGaAvL.sys
09/25/2004  02:38 AM    <DIR>          Microsoft
              20 File(s)      7,939,990 bytes
               2 Dir(s)   3,633,586,176 bytes free


#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#5 LFNNS (New Member, Topic Starter, 4 posts)
Hi,
Here is the info you requested...

L2Mfix 1.03a
 
Running From:
C:\Documents and Settings\EN\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Read       	 BUILTIN\Power Users
(ID-IO) ALLOW  Read       	 BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Read       	 BUILTIN\Power Users
(ID-IO) ALLOW  Read       	 BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\EN\Desktop\l2mfix 
System Rebooted! 
 
Running From:
C:\Documents and Settings\EN\Desktop\l2mfix
 
killing explorer and rundll32.exe 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1944 'explorer.exe'
Killing PID 1944 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 420 'rundll32.exe'
Killing PID 932 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed 
 
Second Pass Scanning 
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\aameter.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aameter.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bKtmeter.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bKtmeter.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ccwmdm.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ccwmdm.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dynput8.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dynput8.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivrop.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivrop.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdno.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kjdno.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldinben.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldinben.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdit.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdru1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdru1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lq32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lq32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhhgrcoi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhhgrcoi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmhgrcoi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmhgrcoi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtmtapi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtmtapi.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myrdim.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myrdim.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pxh.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pxh.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tmaffic.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tmaffic.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tupmon.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tupmon.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tzemeui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tzemeui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwaservc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwaservc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xDctsrv.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xDctsrv.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\aameter.dll  
Successfully Deleted: C:\WINDOWS\system32\aameter.dll
deleting: C:\WINDOWS\system32\aameter.dll  
Successfully Deleted: C:\WINDOWS\system32\aameter.dll
deleting: C:\WINDOWS\system32\bKtmeter.dll  
Successfully Deleted: C:\WINDOWS\system32\bKtmeter.dll
deleting: C:\WINDOWS\system32\bKtmeter.dll  
Successfully Deleted: C:\WINDOWS\system32\bKtmeter.dll
deleting: C:\WINDOWS\system32\ccwmdm.dll  
Successfully Deleted: C:\WINDOWS\system32\ccwmdm.dll
deleting: C:\WINDOWS\system32\ccwmdm.dll  
Successfully Deleted: C:\WINDOWS\system32\ccwmdm.dll
deleting: C:\WINDOWS\system32\dynput8.dll  
Successfully Deleted: C:\WINDOWS\system32\dynput8.dll
deleting: C:\WINDOWS\system32\dynput8.dll  
Successfully Deleted: C:\WINDOWS\system32\dynput8.dll
deleting: C:\WINDOWS\system32\ivrop.dll  
Successfully Deleted: C:\WINDOWS\system32\ivrop.dll
deleting: C:\WINDOWS\system32\ivrop.dll  
Successfully Deleted: C:\WINDOWS\system32\ivrop.dll
deleting: C:\WINDOWS\system32\kjdit.dll  
Successfully Deleted: C:\WINDOWS\system32\kjdit.dll
deleting: C:\WINDOWS\system32\kjdit.dll  
Successfully Deleted: C:\WINDOWS\system32\kjdit.dll
deleting: C:\WINDOWS\system32\kjdno.dll  
Successfully Deleted: C:\WINDOWS\system32\kjdno.dll
deleting: C:\WINDOWS\system32\kjdno.dll  
Successfully Deleted: C:\WINDOWS\system32\kjdno.dll
deleting: C:\WINDOWS\system32\kldinben.dll  
Successfully Deleted: C:\WINDOWS\system32\kldinben.dll
deleting: C:\WINDOWS\system32\kldinben.dll  
Successfully Deleted: C:\WINDOWS\system32\kldinben.dll
deleting: C:\WINDOWS\system32\ktdit.dll  
Successfully Deleted: C:\WINDOWS\system32\ktdit.dll
deleting: C:\WINDOWS\system32\ktdit.dll  
Successfully Deleted: C:\WINDOWS\system32\ktdit.dll
deleting: C:\WINDOWS\system32\kzdru1.dll  
Successfully Deleted: C:\WINDOWS\system32\kzdru1.dll
deleting: C:\WINDOWS\system32\kzdru1.dll  
Successfully Deleted: C:\WINDOWS\system32\kzdru1.dll
deleting: C:\WINDOWS\system32\lq32.dll  
Successfully Deleted: C:\WINDOWS\system32\lq32.dll
deleting: C:\WINDOWS\system32\lq32.dll  
Successfully Deleted: C:\WINDOWS\system32\lq32.dll
deleting: C:\WINDOWS\system32\mhhgrcoi.dll  
Successfully Deleted: C:\WINDOWS\system32\mhhgrcoi.dll
deleting: C:\WINDOWS\system32\mhhgrcoi.dll  
Successfully Deleted: C:\WINDOWS\system32\mhhgrcoi.dll
deleting: C:\WINDOWS\system32\mmhgrcoi.dll  
Successfully Deleted: C:\WINDOWS\system32\mmhgrcoi.dll
deleting: C:\WINDOWS\system32\mmhgrcoi.dll  
Successfully Deleted: C:\WINDOWS\system32\mmhgrcoi.dll
deleting: C:\WINDOWS\system32\mtmtapi.dll  
Successfully Deleted: C:\WINDOWS\system32\mtmtapi.dll
deleting: C:\WINDOWS\system32\mtmtapi.dll  
Successfully Deleted: C:\WINDOWS\system32\mtmtapi.dll
deleting: C:\WINDOWS\system32\myrdim.dll  
Successfully Deleted: C:\WINDOWS\system32\myrdim.dll
deleting: C:\WINDOWS\system32\myrdim.dll  
Successfully Deleted: C:\WINDOWS\system32\myrdim.dll
deleting: C:\WINDOWS\system32\pxh.dll  
Successfully Deleted: C:\WINDOWS\system32\pxh.dll
deleting: C:\WINDOWS\system32\pxh.dll  
Successfully Deleted: C:\WINDOWS\system32\pxh.dll
deleting: C:\WINDOWS\system32\tmaffic.dll  
Successfully Deleted: C:\WINDOWS\system32\tmaffic.dll
deleting: C:\WINDOWS\system32\tmaffic.dll  
Successfully Deleted: C:\WINDOWS\system32\tmaffic.dll
deleting: C:\WINDOWS\system32\tupmon.dll  
Successfully Deleted: C:\WINDOWS\system32\tupmon.dll
deleting: C:\WINDOWS\system32\tupmon.dll  
Successfully Deleted: C:\WINDOWS\system32\tupmon.dll
deleting: C:\WINDOWS\system32\tzemeui.dll  
Successfully Deleted: C:\WINDOWS\system32\tzemeui.dll
deleting: C:\WINDOWS\system32\tzemeui.dll  
Successfully Deleted: C:\WINDOWS\system32\tzemeui.dll
deleting: C:\WINDOWS\system32\wwaservc.dll  
Successfully Deleted: C:\WINDOWS\system32\wwaservc.dll
deleting: C:\WINDOWS\system32\wwaservc.dll  
Successfully Deleted: C:\WINDOWS\system32\wwaservc.dll
deleting: C:\WINDOWS\system32\xDctsrv.dll  
Successfully Deleted: C:\WINDOWS\system32\xDctsrv.dll
deleting: C:\WINDOWS\system32\xDctsrv.dll  
Successfully Deleted: C:\WINDOWS\system32\xDctsrv.dll
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
 
 
Zipping up files for submission:
  adding: aameter.dll (164 bytes security) (deflated 48%)
  adding: bKtmeter.dll (164 bytes security) (deflated 48%)
  adding: ccwmdm.dll (164 bytes security) (deflated 48%)
  adding: dynput8.dll (164 bytes security) (deflated 48%)
  adding: ivrop.dll (164 bytes security) (deflated 48%)
  adding: kjdit.dll (164 bytes security) (deflated 48%)
  adding: kjdno.dll (164 bytes security) (deflated 48%)
  adding: kldinben.dll (164 bytes security) (deflated 48%)
  adding: ktdit.dll (164 bytes security) (deflated 48%)
  adding: kzdru1.dll (164 bytes security) (deflated 48%)
  adding: lq32.dll (164 bytes security) (deflated 48%)
  adding: mhhgrcoi.dll (164 bytes security) (deflated 48%)
  adding: mmhgrcoi.dll (164 bytes security) (deflated 48%)
  adding: mtmtapi.dll (164 bytes security) (deflated 48%)
  adding: myrdim.dll (164 bytes security) (deflated 48%)
  adding: pxh.dll (164 bytes security) (deflated 48%)
  adding: tmaffic.dll (164 bytes security) (deflated 48%)
  adding: tupmon.dll (164 bytes security) (deflated 48%)
  adding: tzemeui.dll (164 bytes security) (deflated 48%)
  adding: wwaservc.dll (164 bytes security) (deflated 48%)
  adding: xDctsrv.dll (164 bytes security) (deflated 48%)
  adding: guard.tmp (164 bytes security) (deflated 48%)
  adding: clear.reg (164 bytes security) (deflated 22%)
  adding: echo.reg (164 bytes security) (deflated 8%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 88%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 66%)
  adding: test.txt (164 bytes security) (deflated 90%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: xfind.txt (164 bytes security) (deflated 87%)
  adding: backregs/298AA01F-45C6-467C-ACD7-54D65BD6CEF7.reg (164 bytes security) (deflated 70%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)
 
Restoring Registry Permissions: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Read       	 BUILTIN\Power Users
(ID-IO) ALLOW  Read       	 BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: aameter.dll   
deleting local copy: aameter.dll   
deleting local copy: bKtmeter.dll   
deleting local copy: bKtmeter.dll   
deleting local copy: ccwmdm.dll   
deleting local copy: ccwmdm.dll   
deleting local copy: dynput8.dll   
deleting local copy: dynput8.dll   
deleting local copy: ivrop.dll   
deleting local copy: ivrop.dll   
deleting local copy: kjdit.dll   
deleting local copy: kjdit.dll   
deleting local copy: kjdno.dll   
deleting local copy: kjdno.dll   
deleting local copy: kldinben.dll   
deleting local copy: kldinben.dll   
deleting local copy: ktdit.dll   
deleting local copy: ktdit.dll   
deleting local copy: kzdru1.dll   
deleting local copy: kzdru1.dll   
deleting local copy: lq32.dll   
deleting local copy: lq32.dll   
deleting local copy: mhhgrcoi.dll   
deleting local copy: mhhgrcoi.dll   
deleting local copy: mmhgrcoi.dll   
deleting local copy: mmhgrcoi.dll   
deleting local copy: mtmtapi.dll   
deleting local copy: mtmtapi.dll   
deleting local copy: myrdim.dll   
deleting local copy: myrdim.dll   
deleting local copy: pxh.dll   
deleting local copy: pxh.dll   
deleting local copy: tmaffic.dll   
deleting local copy: tmaffic.dll   
deleting local copy: tupmon.dll   
deleting local copy: tupmon.dll   
deleting local copy: tzemeui.dll   
deleting local copy: tzemeui.dll   
deleting local copy: wwaservc.dll   
deleting local copy: wwaservc.dll   
deleting local copy: xDctsrv.dll   
deleting local copy: xDctsrv.dll   
deleting local copy: guard.tmp   
deleting local copy: guard.tmp   
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Unlock"="WLEventUnlock"
"Lock"="WLEventLock"
"Startup"="WLEventStartup"
"DllName"="PCANotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\aameter.dll 
C:\WINDOWS\system32\aameter.dll 
C:\WINDOWS\system32\bKtmeter.dll 
C:\WINDOWS\system32\bKtmeter.dll 
C:\WINDOWS\system32\ccwmdm.dll 
C:\WINDOWS\system32\ccwmdm.dll 
C:\WINDOWS\system32\dynput8.dll 
C:\WINDOWS\system32\dynput8.dll 
C:\WINDOWS\system32\ivrop.dll 
C:\WINDOWS\system32\ivrop.dll 
C:\WINDOWS\system32\kjdit.dll 
C:\WINDOWS\system32\kjdit.dll 
C:\WINDOWS\system32\kjdno.dll 
C:\WINDOWS\system32\kjdno.dll 
C:\WINDOWS\system32\kldinben.dll 
C:\WINDOWS\system32\kldinben.dll 
C:\WINDOWS\system32\ktdit.dll 
C:\WINDOWS\system32\ktdit.dll 
C:\WINDOWS\system32\kzdru1.dll 
C:\WINDOWS\system32\kzdru1.dll 
C:\WINDOWS\system32\lq32.dll 
C:\WINDOWS\system32\lq32.dll 
C:\WINDOWS\system32\mhhgrcoi.dll 
C:\WINDOWS\system32\mhhgrcoi.dll 
C:\WINDOWS\system32\mmhgrcoi.dll 
C:\WINDOWS\system32\mmhgrcoi.dll 
C:\WINDOWS\system32\mtmtapi.dll 
C:\WINDOWS\system32\mtmtapi.dll 
C:\WINDOWS\system32\myrdim.dll 
C:\WINDOWS\system32\myrdim.dll 
C:\WINDOWS\system32\pxh.dll 
C:\WINDOWS\system32\pxh.dll 
C:\WINDOWS\system32\tmaffic.dll 
C:\WINDOWS\system32\tmaffic.dll 
C:\WINDOWS\system32\tupmon.dll 
C:\WINDOWS\system32\tupmon.dll 
C:\WINDOWS\system32\tzemeui.dll 
C:\WINDOWS\system32\tzemeui.dll 
C:\WINDOWS\system32\wwaservc.dll 
C:\WINDOWS\system32\wwaservc.dll 
C:\WINDOWS\system32\xDctsrv.dll 
C:\WINDOWS\system32\xDctsrv.dll 
C:\WINDOWS\system32\guard.tmp 
C:\WINDOWS\system32\guard.tmp 
 
Registry Entries that were Deleted: 
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{298AA01F-45C6-467C-ACD7-54D65BD6CEF7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 6:20:01 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\QuickTime6.3\qttask.exe
C:\Program Files\OmniPagePro12.0\Opware12.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
D:\LFN\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\DOCUME~1\EN\LOCALS~1\Temp\msdxm.ocx (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O5 "LPT1:" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime6.3\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu	&4 - file://C:\Program Files\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms	&] - file://C:\Program Files\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=2
O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=1
O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=3
O8 - Extra context menu item: Save Forms	&[ - file://C:\Program Files\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Save image with M&ybase - C:\Program Files\Mybase\WebCollect\imagesave.htm
O8 - Extra context menu item: Save with &Mybase - C:\Program Files\Mybase\WebCollect\websave.htm
O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=5
O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=alacarim&version=1&set=1&tool=4
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Save with Mybase/WebCollect - {B32D4F40-124C-4be4-9EED-456712C053B5} - C:\Program Files\Mybase\WebCollect\websave.htm (HKCU)
O9 - Extra 'Tools' menuitem: Save with Mybase/WebCollect - {B32D4F40-124C-4be4-9EED-456712C053B5} - C:\Program Files\Mybase\WebCollect\websave.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\Drive Image 7.0\Agent\PQV2iSvc.exe

  • 0

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Check and fix these in HijackThis:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\DOCUME~1\EN\LOCALS~1\Temp\msdxm.ocx (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx


After that,

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0
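
The reply above picks a handful of lines out of a HijackThis log by hand: entries whose target file no longer exists, an O3 toolbar hooking a file in a Temp directory, and an O16 DPF (downloaded ActiveX control) from a site that is not a known online scanner. The script below is an added example, not code from the thread or from HijackThis, that applies those same three heuristics to log lines. The sample lines are taken from the log posted earlier in this thread; the allow-list of scanner hosts is a constructed assumption, as is the choice of which patterns to flag.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry starts with a section tag such as "O3", "O9", "O16", "O23".
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")

# Constructed allow-list: hosts of the online scanners the poster is known to have used.
# Anything else that appears as an O16 DPF source gets flagged for review.
TRUSTED_SCAN_HOSTS = {
    "housecall60.trendmicro.com",
    "www.bitdefender.com",
    "www.pandasoftware.com",
}

# Sample input copied from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\DOCUME~1\EN\LOCALS~1\Temp\msdxm.ocx (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


def parse_line(line):
    """Split one log line into its section tag and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def flag_entry(entry):
    """Return the reasons an entry deserves a second look (empty list if none)."""
    reasons = []
    body = entry["body"]
    # Heuristic 1: the hooked file no longer exists, so the entry is dead weight at best.
    if "(file missing)" in body:
        reasons.append("dangling reference: target file is missing")
    # Heuristic 2: browser components normally do not live in a user's Temp folder.
    if re.search(r"\\Temp\\", body, re.IGNORECASE):
        reasons.append("hooks a file inside a Temp directory")
    # Heuristic 3: O16 entries are ActiveX controls fetched from a URL; check the host.
    if entry["section"] == "O16":
        m = re.search(r"(https?://\S+)", body)
        if m:
            host = urlparse(m.group(1)).hostname
            if host not in TRUSTED_SCAN_HOSTS:
                reasons.append(f"ActiveX control downloaded from untrusted host {host}")
    return reasons


def triage(log_text):
    """Return [(raw_line, [reasons...]), ...] for every entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("    -", r)
```

On the sample input this flags the O3 Radio toolbar (missing file in a Temp path), the BitDefender uninstall entry (missing file) and the icannnews ActiveX control (untrusted host), which is the set the reply tells the poster to fix. The heuristics are a review aid, not an automatic fix list: the same "(file missing)" rule would also flag the Windows Messenger O9 entries in the full log, which the reply deliberately left alone, so a person still decides what to fix.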

#7 LFNNS (New Member, Topic Starter, 4 posts)
THANKS FOR YOUR HELP!

Problems appear to be gone! I sent you some Paypal from lfndvd.com to help support your time and efforts... I bookmarked your site for later reading as it looks like I have a lot to learn about preventing spyware/malware. Lots of good info at your site. Thanks again!

Eric
  • 0

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0