Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

advertising.com,avenue a.inc,doubleclick,hitbox!

Started by kmfdmanic , Aug 07 2005 08:06 PM

  • Please log in to reply

#31
kmfdmanic
Posted 12 August 2005 - 06:59 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
result of second.bat

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1280 'explorer.exe'
Killing PID 1280 'explorer.exe'
Killing PID 1280 'explorer.exe'
Killing PID 1280 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 2%)
adding: echo.reg (188 bytes security) (deflated 9%)
adding: direct.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 74%)
adding: noti.txt (188 bytes security) (deflated 40%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: report.txt (188 bytes security) (deflated 58%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (stored 0%)
adding: test3.txt (188 bytes security) (stored 0%)
adding: test5.txt (188 bytes security) (stored 0%)
adding: backregs/notibac.reg (188 bytes security) (deflated 40%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

RESULT OF HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 8:55:44 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\VenoScript 1.2.7\mirc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack this\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SonicStage\SsAAD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
  • 0

Advertisements

#32
Wizard
Posted 13 August 2005 - 05:46 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
WooHoo!!!!!!!!!!!!!!!! Success!!!!!!!!!!!!!!!

Now Run Option 4 and post that log!

I will have to give Mosaic1 a huge Kiss for that Advice!

Lets see of the Notify Key will restore and then Work on Windows Updates!
  • 0

#33
kmfdmanic
Posted 13 August 2005 - 12:47 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
option 4 log

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
  • 0

#34
Wizard
Posted 13 August 2005 - 01:37 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Now Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.


Enter WindowsUpdates for a search in the registry!

Post the results of that search!
  • 0

#35
kmfdmanic
Posted 13 August 2005 - 02:00 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
extracted to desktop, ran, found 18 results, but when I went OK to see them in wordpad, got the following error...

script c:\documents and settings\owner\desktop\regsrch.vbs
line 76
char 1
error the system cannot find the file specified
code 80070002
source (null)

and, the windows update error code is...0x80240020

I am logged in as administrator, and all typical permissions are there...also, an email from microsoft gave me several suggestions...none of which worked...I would laugh, if you can one up microsoft themselves and remedy this situation...as far as I have seen, every topic via google search, with this same error, has yet to be resolved...

there is a suggestion of manually updating...or updating at shutdown...but I am unsure of how to do those...?

Edited by kmfdmanic, 13 August 2005 - 02:34 PM.

  • 0

#36
Wizard
Posted 13 August 2005 - 03:40 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Were you prompted to save the document in WordPad?

It should show up in Notepad!

Let me see what I can dig up!

Let me see a copy of the Hosts File

Open HijackThis>Click Config>Click Misc Tools>Click Open Hosts File Manager>Click Open in Notepad>Copy&Paste the entire Contents of that Notepad Page to your Next Post!

Also,install Scripting 5.6
http://www.microsoft...&displaylang=en

Try running the VB script again!

Edited by Cretemonster, 13 August 2005 - 03:45 PM.

  • 0

#37
kmfdmanic
Posted 13 August 2005 - 03:47 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
no, it asked me to click ok, and that it would open it up in wordpad (exact word it used)

anyways, the host log shows up as...

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost


I won't be around for another 11 hours, work beckons me...but, I will look forward to seeing any further steps you post in the meantime! And, remember, I owe you some Mad Magazines!
  • 0

#38
Wizard
Posted 13 August 2005 - 03:53 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Check my edited post above and see if that scripting download wont help!
  • 0

#39
kmfdmanic
Posted 13 August 2005 - 03:57 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
ok, luckily I have a valid windows! that script will be quite helpful for some of my emulation needs in the near future...so, a big thanks for that...I can't restart computer till I get home..so, at that point, I will do so...and post the results...till then...take it easy...
  • 0

#40
kmfdmanic
Posted 14 August 2005 - 03:06 AM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
well, good news...windows updated JUST FINE! so, let me know what else to do to finally finish this charade...thanks for everything, as well as your utmost patience thus far...!
  • 0

Advertisements

#41
Wizard
Posted 14 August 2005 - 03:38 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
HA!!!!!!!!!!!

Windows Updated HUH???

That means all is resolved,correct?

Lets see one last HijackThis log and you tell me what you have installed for security!

I mean everything you have installed!

Lets get this PC fitted with an Internet Condom!!!!!!!
  • 0

#42
kmfdmanic
Posted 14 August 2005 - 02:23 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
spybot, adaware, etc, didnt show anything bad...what would you recommend security wise...if there is a topic already made for this, feel free to link me to it...otherwise, thanks a lot for everything...and, I believe this is resolved, unless my hijack this log tells you any differently!

Logfile of HijackThis v1.99.1
Scan saved at 4:18:00 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\TMD-Recruit3.71\mirc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\DC++\DCPlusPlus.exe
C:\EMULATORS\NES\Jnes.exe
C:\Program Files\Hijack this\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SonicStage\SsAAD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
  • 0

#43
Wizard
Posted 14 August 2005 - 03:46 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go ahead and Disable System Restore
http://service1.syma...src=sec_doc_nam

Lets get a couple things installed to assist in the Security of your PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...p2002/hosts.htm

Made Easy
http://www.mvps.org/...2002/hosts2.htm

Restart the PC and Renable System Restore!

Go ahead and Configure Msconfig the way you want the PC to Start!

Have a peek through those 3 little black links in my signature to see some good info on how to avoid this in the future!

Also,have a look at Metallicas Site for some excellent suggestions
http://metallica.geekstogo.com/

Think that gets ya,Good job sticking with it until the job was done! :tazz:
  • 0

#44
kmfdmanic
Posted 14 August 2005 - 04:10 PM

kmfdmanic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
well, after all this, I can finally happily say RESOLVED! Thanks for the spywareblaster suggestion, it covers exactly the majority of the problems I have encountered in the past...
  • 0

#45
Wizard
Posted 14 August 2005 - 04:12 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Glad to hear that!

Best News all day?

I am typing this from my Home PC!!!!!!!!!

No more hospital food! :tazz:

I have never been one to close a thread so if you need anything else,you know where to find me!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP