Adware! gah!



#1
Tourette (New Member, Member, 8 posts)
My browser (Firefox) keeps getting redirected to ad sites, sometimes even without clicking a link. I've run Ad-Aware, Spybot, etc. and still no luck. :tazz:

Here is my HijackThis log file, please help.


Logfile of HijackThis v1.99.1
Scan saved at 9:26:02 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\m682lglo16qc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

If you still require help, please post a new HijackThis log in this thread and I will help you. If your problem has been fixed, please respond and let us know.

Thanks

#3
Tourette (New Member, Topic Starter, Member, 8 posts)
Still having problems sadly. Here is my new Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:34 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Soulseek15\slsk.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\gpl8l33u1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Also, I don't know if it will be of any help, but the Ad-Aware VX2 Cleaner tool found this as a possible variant:

C:\WINDOWS\system32\gpl8l33u1.dll

Thanks

#4
loophole (Malware Expert, Retired Staff, 9,798 posts)
OK, we have some work to do, so let's get going :tazz:

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


#5
Tourette (New Member, Topic Starter, Member, 8 posts)
Here's the L2MFIX log. Thank you :)

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j84o0ih3e84.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6892BCCD-DBB9-B52E-E5DE-316F7BC6232C}"=""

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}"="FRISK extension"
"{E443A8D5-D905-4401-8789-16AE23A8A96D}"="FRISK extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{11359F4A-B191-42D7-905A-594F8CF0387B}"="Dictionary.com"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}"=""
"{F1892247-475B-404D-A701-5BAC562DD58F}"=""
"{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhlogmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F1892247-475B-404D-A701-5BAC562DD58F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1892247-475B-404D-A701-5BAC562DD58F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1892247-475B-404D-A701-5BAC562DD58F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1892247-475B-404D-A701-5BAC562DD58F}\InprocServer32]
@="C:\\WINDOWS\\system32\\meports.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}\InprocServer32]
@="C:\\WINDOWS\\system32\\PUCSDK.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
acpmgmts.dll Thu Sep 1 2005 9:15:18p ..S.R 234,747 229.24 K
aiycfilt.dll Fri Oct 7 2005 9:47:44p ..S.R 236,064 230.53 K
autprx32.dll Sat Jul 23 2005 11:18:08a A.... 140,288 137.00 K
awdiosrv.dll Thu Aug 11 2005 1:31:02p ..S.R 235,324 229.81 K
browseui.dll Fri Sep 2 2005 4:52:04p A.... 1,019,904 996.00 K
catsrv.dll Mon Jul 25 2005 9:39:42p A.... 225,792 220.50 K
catsrvut.dll Mon Jul 25 2005 9:39:44p A.... 625,152 610.50 K
cdfview.dll Fri Sep 2 2005 4:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 6:53:42p A.... 2,067,968 1.97 M
cgrtc.dll Sun Aug 21 2005 8:34:10a ..S.R 234,572 229.07 K
clbcatex.dll Mon Jul 25 2005 9:39:44p A.... 110,080 107.50 K
clbcatq.dll Mon Jul 25 2005 9:39:44p A.... 498,688 487.00 K
cml3d32.dll Thu Sep 22 2005 5:42:36p ..S.R 236,478 230.93 K
colbact.dll Mon Jul 25 2005 9:39:44p A.... 60,416 59.00 K
comrepl.dll Mon Jul 25 2005 9:39:44p A.... 97,792 95.50 K
comsvcs.dll Mon Jul 25 2005 9:39:44p A.... 1,267,200 1.21 M
comuid.dll Mon Jul 25 2005 9:39:46p A.... 540,160 527.50 K
cpsetacl.dll Wed Sep 28 2005 9:40:36p ..S.R 235,486 229.96 K
cqsetacl.dll Wed Sep 14 2005 5:01:32p ..S.R 235,682 230.16 K
cvyptext.dll Thu Aug 4 2005 8:38:18p ..S.R 235,324 229.81 K
danim.dll Fri Sep 2 2005 4:52:04p A.... 1,053,696 1.00 M
dbugui10.dll Wed Aug 3 2005 9:20:18p ..S.R 235,324 229.81 K
ddd8thk.dll Mon Aug 8 2005 11:31:36p ..S.R 235,324 229.81 K
ddwave.dll Wed Sep 28 2005 9:27:14p ..S.R 235,486 229.96 K
delay.dll Sun Oct 2 2005 7:52:24p ..S.R 234,196 228.71 K
disetup.dll Fri Sep 9 2005 9:23:20a ..S.R 233,577 228.10 K
dxtrans.dll Fri Sep 2 2005 4:52:04p A.... 205,312 200.50 K
dxwave.dll Sat Aug 27 2005 8:23:40a ..S.R 232,941 227.48 K
e2202c~1.dll Wed Sep 28 2005 9:27:14p ..S.R 233,747 228.27 K
es.dll Mon Jul 25 2005 9:39:46p A.... 243,200 237.50 K
essadu.dll Sat Aug 20 2005 2:50:20p ..S.R 235,811 230.28 K
extmgr.dll Fri Sep 2 2005 4:52:04p ..... 55,808 54.50 K
fp2203~1.dll Tue Oct 11 2005 3:23:38p ..S.R 236,064 230.53 K
gp6ol3~1.dll Thu Sep 1 2005 9:08:56p ..S.R 236,110 230.57 K
gpn2l3~1.dll Sat Oct 15 2005 9:53:52a ..S.R 233,426 227.95 K
hffcisp2.dll Wed Sep 21 2005 12:13:42p ..S.R 236,037 230.50 K
icclass.dll Fri Oct 7 2005 10:18:04p ..... 236,064 230.53 K
iepeers.dll Fri Sep 2 2005 4:52:04p A.... 251,392 245.50 K
igpeers.dll Fri Aug 12 2005 12:35:00a ..S.R 235,811 230.28 K
ihpeers.dll Thu Sep 1 2005 4:10:00p ..S.R 234,747 229.24 K
inseng.dll Fri Sep 2 2005 4:52:04p A.... 96,256 94.00 K
iosacct.dll Wed Aug 31 2005 8:05:04a ..S.R 233,915 228.43 K
ixitpki.dll Tue Sep 13 2005 9:13:52a ..S.R 235,873 230.34 K
izmpagnt.dll Tue Sep 20 2005 8:07:12a ..S.R 236,003 230.47 K
j84o0i~1.dll Sat Oct 15 2005 9:52:52a ..S.R 233,774 228.29 K
jt2407~1.dll Thu Sep 1 2005 4:09:08p ..S.R 233,915 228.43 K
jtn407~1.dll Wed Sep 7 2005 10:27:54p ..S.R 233,702 228.22 K
krdinmal.dll Wed Sep 7 2005 10:27:54p ..S.R 233,245 227.78 K
kvdmac.dll Sun Jul 31 2005 7:50:50a ..S.R 235,324 229.81 K
lgrmonui.dll Thu Aug 25 2005 12:47:08a ..S.R 235,045 229.54 K
linkinfo.dll Wed Aug 31 2005 6:41:54p A.... 19,968 19.50 K
lrpct80n.dll Sun Sep 18 2005 6:02:32p ..S.R 236,037 230.50 K
lv0609~1.dll Thu Sep 1 2005 9:09:00p ..S.R 235,796 230.27 K
lvlq09~1.dll Fri Oct 7 2005 8:37:48p ..S.R 233,300 227.83 K
mbgentr.dll Thu Sep 1 2005 9:08:56p ..S.R 234,747 229.24 K
mdang.dll Thu Aug 11 2005 1:47:28p ..S.R 236,735 231.18 K
meports.dll Fri Oct 7 2005 10:19:38p ..S.R 233,426 227.95 K
mgbsync.dll Thu Sep 1 2005 9:18:22p ..S.R 236,480 230.94 K
mhlogmgr.dll Fri Oct 7 2005 9:50:58p ..S.R 233,300 227.83 K
mlxoci.dll Thu Aug 11 2005 9:34:50a ..S.R 235,324 229.81 K
mnyuv.dll Tue Sep 27 2005 4:13:18p ..S.R 233,747 228.27 K
msblcd32.dll Sat Jul 23 2005 11:18:32a A.... 185 0.18 K
msdtcprx.dll Mon Jul 25 2005 9:39:46p A.... 425,472 415.50 K
msdtctm.dll Mon Jul 25 2005 9:39:48p A.... 945,152 923.00 K
msdtcuiu.dll Mon Jul 25 2005 9:39:48p A.... 161,280 157.50 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 4:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 4:52:06p A.... 146,432 143.00 K
msrep32.dll Wed Oct 5 2005 10:29:46p A.... 10,536 10.29 K
mstime.dll Fri Sep 2 2005 4:52:06p A.... 530,432 518.00 K
mtxclu.dll Mon Jul 25 2005 9:39:48p A.... 66,560 65.00 K
mtxoci.dll Mon Jul 25 2005 9:39:48p A.... 91,136 89.00 K
mvstkprp.dll Fri Aug 5 2005 4:52:32p ..S.R 235,324 229.81 K
myports.dll Sun Sep 11 2005 9:36:08p ..S.R 235,682 230.16 K
netman.dll Mon Aug 22 2005 11:29:46a A.... 197,632 193.00 K
nirsfi.dll Mon Sep 5 2005 4:21:30p ..S.R 234,747 229.24 K
nldsapi.dll Sat Sep 17 2005 10:28:16a ..S.R 236,003 230.47 K
nqmkcert.dll Sun Sep 4 2005 10:59:14a ..S.R 236,480 230.94 K
nurses.dll Wed Sep 21 2005 9:49:38a ..S.R 236,037 230.50 K
nwwks.dll Thu Aug 11 2005 8:10:00a A.... 65,024 63.50 K
ole32.dll Mon Jul 25 2005 9:39:48p A.... 1,285,120 1.22 M
olecli32.dll Mon Jul 25 2005 9:39:48p A.... 74,752 73.00 K
olecnv32.dll Mon Jul 25 2005 9:39:50p A.... 37,888 37.00 K
ooeacc.dll Thu Aug 11 2005 10:37:48p ..S.R 235,324 229.81 K
pktorsvc.dll Fri Aug 12 2005 7:33:54a ..S.R 233,309 227.84 K
pngfilt.dll Fri Sep 2 2005 4:52:06p A.... 39,424 38.50 K
pucsdk.dll Mon Oct 17 2005 10:47:24a ..... 233,774 228.29 K
quartz.dll Mon Aug 29 2005 8:54:26p A.... 1,287,168 1.23 M
r06ula~1.dll Thu Aug 4 2005 3:28:32a ..S.R 233,820 228.34 K
r68s0g~1.dll Wed Sep 21 2005 9:49:38a ..S.R 236,823 231.27 K
rggapi.dll Thu Aug 11 2005 1:28:58p ..S.R 236,735 231.18 K
rpcss.dll Mon Jul 25 2005 9:39:50p A.... 397,824 388.50 K
rzsmontr.dll Sat Oct 1 2005 12:00:48p ..S.R 233,660 228.18 K
shdocvw.dll Fri Sep 2 2005 4:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 8:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 4:52:06p A.... 473,600 462.50 K
shntfnt.dll Sat Sep 3 2005 9:48:34a ..S.R 234,747 229.24 K
snmedia.dll Sat Aug 20 2005 4:54:02p ..S.R 233,520 228.05 K
sslsrv32.dll Fri Aug 26 2005 7:09:02a ..S.R 236,797 231.25 K
svcsccp.dll Mon Aug 8 2005 4:35:20p ..S.R 236,735 231.18 K
ted32.dll Sun Aug 28 2005 1:52:36a ..S.R 233,993 228.51 K
ttflog.dll Sat Sep 10 2005 4:08:00p ..S.R 234,066 228.58 K
tvbyuv.dll Fri Sep 23 2005 11:59:30p ..S.R 236,037 230.50 K
txflog.dll Mon Jul 25 2005 9:39:50p A.... 101,376 99.00 K
ugrrtosa.dll Tue Sep 27 2005 8:21:44a ..S.R 236,037 230.50 K
uircoina.dll Mon Aug 22 2005 1:44:02p ..S.R 235,045 229.54 K
umpnpmgr.dll Mon Aug 22 2005 8:35:42p A.... 123,392 120.50 K
unrlbva.dll Tue Sep 6 2005 9:19:24p ..S.R 236,480 230.94 K
urlmon.dll Fri Sep 2 2005 4:52:06p A.... 608,768 594.50 K
utandlg.dll Thu Sep 1 2005 9:11:50p ..S.R 234,747 229.24 K
uuiplat.dll Sun Sep 25 2005 5:34:14p ..S.R 233,191 227.72 K
uurlbva.dll Thu Sep 15 2005 10:15:52p ..S.R 235,873 230.34 K
vdsapi.dll Thu Aug 4 2005 3:26:30a ..S.R 233,820 228.34 K
vk5db.dll Mon Aug 29 2005 7:24:08a ..S.R 232,941 227.48 K
vsdata.dll Mon Aug 29 2005 7:08:34p A.... 83,712 81.75 K
vsinit.dll Mon Aug 29 2005 7:08:46p A.... 141,056 137.75 K
vsmonapi.dll Mon Aug 29 2005 7:08:54p A.... 104,192 101.75 K
vspubapi.dll Mon Aug 29 2005 7:08:58p A.... 227,072 221.75 K
vsregexp.dll Mon Aug 29 2005 7:09:02p A.... 71,424 69.75 K
vsutil.dll Mon Aug 29 2005 7:09:14p A.... 382,720 373.75 K
vsxml.dll Mon Aug 29 2005 7:09:22p A.... 100,096 97.75 K
wcigest.dll Sat Aug 6 2005 10:47:32p ..S.R 236,735 231.18 K
wininet.dll Fri Sep 2 2005 4:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 6:41:54p A.... 291,840 285.00 K
wkv8dmod.dll Thu Sep 8 2005 12:50:30a ..S.R 233,245 227.78 K
wrpencen.dll Tue Aug 23 2005 6:51:56p ..S.R 234,572 229.07 K
wwdrmnet.dll Fri Sep 30 2005 6:10:20a ..S.R 236,241 230.70 K
xolehlp.dll Mon Jul 25 2005 9:39:50p A.... 11,776 11.50 K
zlcomm.dll Mon Aug 29 2005 7:09:42p A.... 79,616 77.75 K
zlcommdb.dll Mon Aug 29 2005 7:09:46p A.... 71,424 69.75 K

130 items found: 130 files (72 H/S), 0 directories.
Total of file sizes: 48,811,211 bytes 46.55 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Oct 17 2005 10:49:24a ..S.R 233,774 228.29 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,774 bytes 228.29 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 74AE-F2F7

Directory of C:\WINDOWS\System32

10/17/2005 10:50 AM <DIR> dllcache
10/17/2005 10:49 AM 233,774 guard.tmp
10/15/2005 09:53 AM 233,426 gpn2l35o1.dll
10/15/2005 09:52 AM 233,774 j84o0ih3e84.dll
10/11/2005 03:23 PM 236,064 fp2203foe.dll
10/07/2005 10:19 PM 233,426 meports.dll
10/07/2005 09:50 PM 233,300 mhlogmgr.dll
10/07/2005 09:47 PM 236,064 aiycfilt.dll
10/07/2005 08:37 PM 233,300 lvlq0935e.dll
10/02/2005 07:52 PM 234,196 delay.dll
10/01/2005 12:00 PM 233,660 rZsmontr.dll
09/30/2005 06:10 AM 236,241 WWDRMNet.dll
09/28/2005 09:40 PM 235,486 cpsetacl.dll
09/28/2005 09:27 PM 235,486 ddwave.dll
09/28/2005 09:27 PM 233,747 e2202cfmgf2a2.dll
09/27/2005 04:13 PM 233,747 mnyuv.dll
09/27/2005 08:21 AM 236,037 ugrrtosa.dll
09/25/2005 05:34 PM 233,191 uuiplat.dll
09/23/2005 11:59 PM 236,037 tvbyuv.dll
09/22/2005 05:42 PM 236,478 cml3d32.dll
09/21/2005 12:13 PM 236,037 hffcisp2.dll
09/21/2005 09:49 AM 236,037 nurses.dll
09/21/2005 09:49 AM 236,823 r68s0gl7e6q.dll
09/20/2005 08:07 AM 236,003 izmpagnt.dll
09/18/2005 06:02 PM 236,037 LRPCT80N.DLL
09/17/2005 10:28 AM 236,003 nldsapi.dll
09/15/2005 10:15 PM 235,873 uurlbva.dll
09/14/2005 05:01 PM 235,682 cqsetacl.dll
09/13/2005 09:13 AM 235,873 ixitpki.dll
09/11/2005 09:36 PM 235,682 myports.dll
09/10/2005 04:07 PM 234,066 ttflog.dll
09/09/2005 09:23 AM 233,577 disetup.dll
09/08/2005 12:50 AM 233,245 wkv8dmod.dll
09/07/2005 10:27 PM 233,245 krdinmal.dll
09/07/2005 10:27 PM 233,702 jtn4075qe.dll
09/06/2005 09:19 PM 236,480 unrlbva.dll
09/05/2005 04:21 PM 234,747 nirsfi.dll
09/04/2005 10:59 AM 236,480 nqmkcert.dll
09/03/2005 09:48 AM 234,747 SHntfNT.dll
09/01/2005 09:18 PM 236,480 mgbsync.dll
09/01/2005 09:15 PM 234,747 acpmgmts.dll
09/01/2005 09:11 PM 234,747 utandlg.dll
09/01/2005 09:08 PM 235,796 lv0609dse.dll
09/01/2005 09:08 PM 234,747 mbgentr.dll
09/01/2005 09:08 PM 236,110 gp6ol3j31.dll
09/01/2005 04:09 PM 234,747 ihpeers.dll
09/01/2005 04:09 PM 233,915 jt2407fqe.dll
08/31/2005 08:05 AM 233,915 iOsacct.dll
08/29/2005 07:24 AM 232,941 VK5DB.DLL
08/28/2005 01:52 AM 233,993 ted32.dll
08/27/2005 08:23 AM 232,941 dxwave.dll
08/26/2005 07:09 AM 236,797 sslsrv32.dll
08/25/2005 12:47 AM 235,045 lgrmonui.dll
08/23/2005 06:51 PM 234,572 wrpencen.dll
08/22/2005 01:44 PM 235,045 uircoina.dll
08/21/2005 08:34 AM 234,572 cgrtc.dll
08/20/2005 04:54 PM 233,520 snmedia.dll
08/20/2005 02:50 PM 235,811 essadu.dll
08/12/2005 07:33 AM 233,309 pktorsvc.dll
08/12/2005 12:34 AM 235,811 igpeers.dll
08/11/2005 10:37 PM 235,324 ooeacc.dll
08/11/2005 01:47 PM 236,735 mdang.dll
08/11/2005 01:31 PM 235,324 awdiosrv.dll
08/11/2005 01:28 PM 236,735 rggapi.dll
08/11/2005 09:34 AM 235,324 mlxoci.dll
08/08/2005 11:31 PM 235,324 dDd8thk.dll
08/08/2005 04:35 PM 236,735 svcsccp.dll
08/06/2005 10:47 PM 236,735 wcigest.dll
08/05/2005 04:52 PM 235,324 mvstkprp.dll
08/04/2005 08:38 PM 235,324 cvyptext.dll
08/04/2005 03:28 AM 233,820 r06ulaj91do.dll
08/04/2005 03:26 AM 233,820 vdsapi.dll
08/03/2005 09:20 PM 235,324 dbuGUI10.dll
07/31/2005 07:50 AM 235,324 kvdmac.dll
01/13/2005 01:40 PM 32 {812A234B-C7B5-4C92-866F-A6EA831DA820}.dat
01/08/2005 09:01 PM <DIR> Microsoft
74 File(s) 17,154,538 bytes
2 Dir(s) 13,783,040,000 bytes free

Edited by Tourette, 17 October 2005 - 09:08 AM.

#6
loophole

    Malware Expert

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If, after the reboot, the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double-click the second.bat file to continue with the fix.

#7
Tourette

    New Member

Thanks for your fast response. Here's the l2mfix log after I ran option #2:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1556 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1664 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\acpmgmts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aiycfilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\awdiosrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cgrtc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cml3d32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpsetacl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cqsetacl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cvyptext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dbuGUI10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dDd8thk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ddwave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\delay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\disetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxwave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e2202cfmgf2a2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\essadu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2203foe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp6ol3j31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpn2l35o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hffcisp2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\icclass.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\igpeers.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ihpeers.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iOsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ixitpki.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izmpagnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt2407fqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtn4075qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdinmal.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kvdmac.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lgrmonui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LRPCT80N.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0609dse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlq0935e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbgentr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdang.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\meports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgbsync.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhlogmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlxoci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnyuv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvstkprp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nirsfi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nldsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nqmkcert.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nurses.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ooeacc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pktorsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r06ulaj91do.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r68s0gl7e6q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rggapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rZsmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SHntfNT.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snmedia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sslsrv32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\svcsccp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ted32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ttflog.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tvbyuv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ugrrtosa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uircoina.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\unrlbva.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\utandlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uuiplat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uurlbva.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VK5DB.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcigest.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkv8dmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wrpencen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WWDRMNet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\acpmgmts.dll
Successfully Deleted: C:\WINDOWS\system32\acpmgmts.dll
deleting: C:\WINDOWS\system32\aiycfilt.dll
Successfully Deleted: C:\WINDOWS\system32\aiycfilt.dll
deleting: C:\WINDOWS\system32\awdiosrv.dll
Successfully Deleted: C:\WINDOWS\system32\awdiosrv.dll
deleting: C:\WINDOWS\system32\cgrtc.dll
Successfully Deleted: C:\WINDOWS\system32\cgrtc.dll
deleting: C:\WINDOWS\system32\cml3d32.dll
Successfully Deleted: C:\WINDOWS\system32\cml3d32.dll
deleting: C:\WINDOWS\system32\cpsetacl.dll
Successfully Deleted: C:\WINDOWS\system32\cpsetacl.dll
deleting: C:\WINDOWS\system32\cqsetacl.dll
Successfully Deleted: C:\WINDOWS\system32\cqsetacl.dll
deleting: C:\WINDOWS\system32\cvyptext.dll
Successfully Deleted: C:\WINDOWS\system32\cvyptext.dll
deleting: C:\WINDOWS\system32\dbuGUI10.dll
Successfully Deleted: C:\WINDOWS\system32\dbuGUI10.dll
deleting: C:\WINDOWS\system32\dDd8thk.dll
Successfully Deleted: C:\WINDOWS\system32\dDd8thk.dll
deleting: C:\WINDOWS\system32\ddwave.dll
Successfully Deleted: C:\WINDOWS\system32\ddwave.dll
deleting: C:\WINDOWS\system32\delay.dll
Successfully Deleted: C:\WINDOWS\system32\delay.dll
deleting: C:\WINDOWS\system32\disetup.dll
Successfully Deleted: C:\WINDOWS\system32\disetup.dll
deleting: C:\WINDOWS\system32\dxwave.dll
Successfully Deleted: C:\WINDOWS\system32\dxwave.dll
deleting: C:\WINDOWS\system32\e2202cfmgf2a2.dll
Successfully Deleted: C:\WINDOWS\system32\e2202cfmgf2a2.dll
deleting: C:\WINDOWS\system32\essadu.dll
Successfully Deleted: C:\WINDOWS\system32\essadu.dll
deleting: C:\WINDOWS\system32\fp2203foe.dll
Successfully Deleted: C:\WINDOWS\system32\fp2203foe.dll
deleting: C:\WINDOWS\system32\gp6ol3j31.dll
Successfully Deleted: C:\WINDOWS\system32\gp6ol3j31.dll
deleting: C:\WINDOWS\system32\gpn2l35o1.dll
Successfully Deleted: C:\WINDOWS\system32\gpn2l35o1.dll
deleting: C:\WINDOWS\system32\hffcisp2.dll
Successfully Deleted: C:\WINDOWS\system32\hffcisp2.dll
deleting: C:\WINDOWS\system32\icclass.dll
Successfully Deleted: C:\WINDOWS\system32\icclass.dll
deleting: C:\WINDOWS\system32\igpeers.dll
Successfully Deleted: C:\WINDOWS\system32\igpeers.dll
deleting: C:\WINDOWS\system32\ihpeers.dll
Successfully Deleted: C:\WINDOWS\system32\ihpeers.dll
deleting: C:\WINDOWS\system32\iOsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iOsacct.dll
deleting: C:\WINDOWS\system32\ixitpki.dll
Successfully Deleted: C:\WINDOWS\system32\ixitpki.dll
deleting: C:\WINDOWS\system32\izmpagnt.dll
Successfully Deleted: C:\WINDOWS\system32\izmpagnt.dll
deleting: C:\WINDOWS\system32\jt2407fqe.dll
Successfully Deleted: C:\WINDOWS\system32\jt2407fqe.dll
deleting: C:\WINDOWS\system32\jtn4075qe.dll
Successfully Deleted: C:\WINDOWS\system32\jtn4075qe.dll
deleting: C:\WINDOWS\system32\krdinmal.dll
Successfully Deleted: C:\WINDOWS\system32\krdinmal.dll
deleting: C:\WINDOWS\system32\kvdmac.dll
Successfully Deleted: C:\WINDOWS\system32\kvdmac.dll
deleting: C:\WINDOWS\system32\lgrmonui.dll
Successfully Deleted: C:\WINDOWS\system32\lgrmonui.dll
deleting: C:\WINDOWS\system32\LRPCT80N.DLL
Successfully Deleted: C:\WINDOWS\system32\LRPCT80N.DLL
deleting: C:\WINDOWS\system32\lv0609dse.dll
Successfully Deleted: C:\WINDOWS\system32\lv0609dse.dll
deleting: C:\WINDOWS\system32\lvlq0935e.dll
Successfully Deleted: C:\WINDOWS\system32\lvlq0935e.dll
deleting: C:\WINDOWS\system32\mbgentr.dll
Successfully Deleted: C:\WINDOWS\system32\mbgentr.dll
deleting: C:\WINDOWS\system32\mdang.dll
Successfully Deleted: C:\WINDOWS\system32\mdang.dll
deleting: C:\WINDOWS\system32\meports.dll
Successfully Deleted: C:\WINDOWS\system32\meports.dll
deleting: C:\WINDOWS\system32\mgbsync.dll
Successfully Deleted: C:\WINDOWS\system32\mgbsync.dll
deleting: C:\WINDOWS\system32\mhlogmgr.dll
Successfully Deleted: C:\WINDOWS\system32\mhlogmgr.dll
deleting: C:\WINDOWS\system32\mlxoci.dll
Successfully Deleted: C:\WINDOWS\system32\mlxoci.dll
deleting: C:\WINDOWS\system32\mnyuv.dll
Successfully Deleted: C:\WINDOWS\system32\mnyuv.dll
deleting: C:\WINDOWS\system32\mvstkprp.dll
Successfully Deleted: C:\WINDOWS\system32\mvstkprp.dll
deleting: C:\WINDOWS\system32\myports.dll
Successfully Deleted: C:\WINDOWS\system32\myports.dll
deleting: C:\WINDOWS\system32\nirsfi.dll
Successfully Deleted: C:\WINDOWS\system32\nirsfi.dll
deleting: C:\WINDOWS\system32\nldsapi.dll
Successfully Deleted: C:\WINDOWS\system32\nldsapi.dll
deleting: C:\WINDOWS\system32\nqmkcert.dll
Successfully Deleted: C:\WINDOWS\system32\nqmkcert.dll
deleting: C:\WINDOWS\system32\nurses.dll
Successfully Deleted: C:\WINDOWS\system32\nurses.dll
deleting: C:\WINDOWS\system32\ooeacc.dll
Successfully Deleted: C:\WINDOWS\system32\ooeacc.dll
deleting: C:\WINDOWS\system32\pktorsvc.dll
Successfully Deleted: C:\WINDOWS\system32\pktorsvc.dll
deleting: C:\WINDOWS\system32\r06ulaj91do.dll
Successfully Deleted: C:\WINDOWS\system32\r06ulaj91do.dll
deleting: C:\WINDOWS\system32\r68s0gl7e6q.dll
Successfully Deleted: C:\WINDOWS\system32\r68s0gl7e6q.dll
deleting: C:\WINDOWS\system32\rggapi.dll
Successfully Deleted: C:\WINDOWS\system32\rggapi.dll
deleting: C:\WINDOWS\system32\rZsmontr.dll
Successfully Deleted: C:\WINDOWS\system32\rZsmontr.dll
deleting: C:\WINDOWS\system32\SHntfNT.dll
Successfully Deleted: C:\WINDOWS\system32\SHntfNT.dll
deleting: C:\WINDOWS\system32\snmedia.dll
Successfully Deleted: C:\WINDOWS\system32\snmedia.dll
deleting: C:\WINDOWS\system32\sslsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\sslsrv32.dll
deleting: C:\WINDOWS\system32\svcsccp.dll
Successfully Deleted: C:\WINDOWS\system32\svcsccp.dll
deleting: C:\WINDOWS\system32\ted32.dll
Successfully Deleted: C:\WINDOWS\system32\ted32.dll
deleting: C:\WINDOWS\system32\ttflog.dll
Successfully Deleted: C:\WINDOWS\system32\ttflog.dll
deleting: C:\WINDOWS\system32\tvbyuv.dll
Successfully Deleted: C:\WINDOWS\system32\tvbyuv.dll
deleting: C:\WINDOWS\system32\ugrrtosa.dll
Successfully Deleted: C:\WINDOWS\system32\ugrrtosa.dll
deleting: C:\WINDOWS\system32\uircoina.dll
Successfully Deleted: C:\WINDOWS\system32\uircoina.dll
deleting: C:\WINDOWS\system32\unrlbva.dll
Successfully Deleted: C:\WINDOWS\system32\unrlbva.dll
deleting: C:\WINDOWS\system32\utandlg.dll
Successfully Deleted: C:\WINDOWS\system32\utandlg.dll
deleting: C:\WINDOWS\system32\uuiplat.dll
Successfully Deleted: C:\WINDOWS\system32\uuiplat.dll
deleting: C:\WINDOWS\system32\uurlbva.dll
Successfully Deleted: C:\WINDOWS\system32\uurlbva.dll
deleting: C:\WINDOWS\system32\vdsapi.dll
Successfully Deleted: C:\WINDOWS\system32\vdsapi.dll
deleting: C:\WINDOWS\system32\VK5DB.DLL
Successfully Deleted: C:\WINDOWS\system32\VK5DB.DLL
deleting: C:\WINDOWS\system32\wcigest.dll
Successfully Deleted: C:\WINDOWS\system32\wcigest.dll
deleting: C:\WINDOWS\system32\wkv8dmod.dll
Successfully Deleted: C:\WINDOWS\system32\wkv8dmod.dll
deleting: C:\WINDOWS\system32\wrpencen.dll
Successfully Deleted: C:\WINDOWS\system32\wrpencen.dll
deleting: C:\WINDOWS\system32\WWDRMNet.dll
Successfully Deleted: C:\WINDOWS\system32\WWDRMNet.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: acpmgmts.dll (188 bytes security) (deflated 5%)
adding: aiycfilt.dll (188 bytes security) (deflated 5%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}"=-
"{F1892247-475B-404D-A701-5BAC562DD58F}"=-
"{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9A8FDA05-A7AA-4EA5-B65E-2E7CC3C07CE0}]
[-HKEY_CLASSES_ROOT\CLSID\{F1892247-475B-404D-A701-5BAC562DD58F}]
[-HKEY_CLASSES_ROOT\CLSID\{66B49836-6DEE-4F70-9C2F-3A6CB9863FE8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




New Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:05 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Soulseek15\slsk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



  • 0
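The Winlogon Notify export in the log above stores several `DllName` values as `hex(2)` data, so the DLL behind an entry is not readable at a glance. The following is an added example (not part of the original thread and not L2mfix's own code) that parses such an export, decodes those values and lists entries that fall outside an expected set; the sample text, the `ExampleEntry` subkey and the choice of baseline are constructed for illustration.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption for this example: the ten entries shown in the export above are
# treated as the expected set. Build your own baseline from a clean machine.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "ScCertProp": "wlnotify.dll",
    "Schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll", "wzcnotif": "wzcdlg.dll",
}

# Constructed sample: two entries copied from the export above plus one
# made-up subkey ("ExampleEntry") so the comparison has something to report.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleEntry]
"DllName"=hex(2):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="SomeHandler"
'''

SECTION_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r'^hex\(([0-9a-fA-F]+)\):(.*)$')


def _logical_lines(text):
    """Yield stripped lines, merging hex data continued with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            pending = ""
            yield line
    if pending:
        yield pending


def _decode(raw, wide):
    """Convert one .reg value to a Python str/int; unknown types stay raw."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])      # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m and int(m.group(1), 16) in (1, 2):           # REG_SZ / REG_EXPAND_SZ
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        # Version 5.00 exports are UTF-16LE; REGEDIT4 exports are ANSI
        # (cp1252 is assumed here).
        codec = "utf-16-le" if wide else "cp1252"
        return data.decode(codec, errors="replace").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    wide = not text.lstrip().startswith("REGEDIT4")
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:                                          # "[-key]" marks a deletion
            current = None if m.group(1) else keys.setdefault(m.group(2), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode(m.group(2), wide)
    return keys


def notify_dlls(text):
    """Return {subkey name: DLL name} for each Winlogon Notify package."""
    prefix = NOTIFY.lower() + "\\"
    result = {}
    for key, values in parse_reg(text).items():
        if key.lower().startswith(prefix):
            # Value names are case-insensitive (the export has DllName and DLLName).
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
            result[key[len(prefix):]] = dll
    return result


def unexpected_entries(text, baseline):
    """Return Notify entries whose (subkey, DLL) pair is not in the baseline."""
    known = {(k.lower(), (v or "").lower()) for k, v in baseline.items()}
    return {k: v for k, v in notify_dlls(text).items()
            if (k.lower(), (v or "").lower()) not in known}


if __name__ == "__main__":
    for name, dll in unexpected_entries(SAMPLE_EXPORT, BASELINE).items():
        print(f"not in baseline: {name} -> {dll}")
```
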

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good job. One bad one out of the way. Let's go after the next one.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
    • Enter the drive, e.g. C:\
  • In the box labeled "Enter the file to search"
    • Enter the file Botnet.exe
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post
Follow the above instructions for these files:

smsss.exe
mssw32.exe

  • 0

#9
Tourette

    New Member

  • Topic Starter
  • Member
  • 8 posts
FileFind did not find any of the .exe's you listed, so I don't have anything to post.

It seems the problem has gone away though. Thanks for all the help. If there's anything else you think I ought to do let me know.

Thanks again
  • 0

#10
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
We aren't out of the woods yet, just a few more steps to go.

Open the Task Manager (Ctrl+Alt+Del), then click the Processes tab. Now highlight CSv10P070.exe and then click on End Process.

Please uninstall the following (click Start >>> Control Panel >>> Add/Remove Programs):

CSBB


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O16 - DPF: ppctlcab

Now close all windows other than HiJackThis, then click Fix Checked

Reboot

Please run this online virus scan:
Panda Active Scan. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log.

  • 0


#11
Tourette

    New Member

  • Topic Starter
  • Member
  • 8 posts
Here's the ActiveScan:

Incident Status Location

Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\pacis.exe
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\saie_gdf.dat
Adware:adware/portalscan No disinfected C:\WINDOWS\BUNDLES\adv0ltc0m.exe
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware/tvmedia No disinfected C:\WINDOWS\bundles
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\backup.zip[acpmgmts.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[aiycfilt.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[awdiosrv.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[cgrtc.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[cml3d32.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[cpsetacl.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[cqsetacl.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[cvyptext.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[dbuGUI10.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[dDd8thk.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ddwave.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[delay.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[disetup.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[dxwave.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[e2202cfmgf2a2.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[essadu.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[fp2203foe.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[gp6ol3j31.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[gpn2l35o1.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[hffcisp2.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[icclass.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[igpeers.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ihpeers.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[iOsacct.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ixitpki.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[izmpagnt.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[jt2407fqe.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[jtn4075qe.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[krdinmal.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[kvdmac.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[lgrmonui.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[LRPCT80N.DLL]
Adware:Adware/Look2Me No disinfected C:\backup.zip[lv0609dse.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[lvlq0935e.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mbgentr.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mdang.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[meports.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mgbsync.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mhlogmgr.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mlxoci.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mnyuv.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mvstkprp.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[myports.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[nirsfi.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[nldsapi.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[nqmkcert.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[nurses.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ooeacc.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[pktorsvc.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[r06ulaj91do.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[r68s0gl7e6q.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[rggapi.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[rZsmontr.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[SHntfNT.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[snmedia.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[sslsrv32.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[svcsccp.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ted32.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ttflog.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[tvbyuv.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ugrrtosa.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[uircoina.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[unrlbva.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[utandlg.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[uuiplat.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[uurlbva.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[vdsapi.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[VK5DB.DLL]
Adware:Adware/Look2Me No disinfected C:\backup.zip[wcigest.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[wkv8dmod.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[wrpencen.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[WWDRMNet.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[guard.tmp]
Virus:Eicar.Mod No disinfected C:\Program Files\FSI\F-Prot\fpav-help.chm[prob-scan-ok.html]
Virus:Eicar.Mod No disinfected C:\Program Files\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpav-help.chm][prob-scan-ok.html]
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\09D25BDC-1405-409B-BA81-A62471.asq
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\12AFB6C4-4212-41E2-9DF8-8E1D8D.asq
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\12F399BD-B0BF-4197-8736-C014F7.asq
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2PNAUBB0\bridge-c15[1].cab[DeskAdX.dll]
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O2LXBVNZ\Cash1[1].html


And here's the Hijack log


Logfile of HijackThis v1.99.1
Scan saved at 9:33:18 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#12
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Click here to download Pocket Killbox by Option^Explicit

Delete the L2m folder on your desktop

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Now open Pocket Killbox. Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete" field. To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there

C:\WINDOWS\SYSTEM32\pacis.exe
C:\WINDOWS\SYSTEM32\saie_gdf.dat
C:\WINDOWS\BUNDLES\adv0ltc0m.exe
C:\WINDOWS\INF\polall1r.inf
C:\PROGRAM FILES\joystick networks
C:\WINDOWS\bundles
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\inf\polall1r.inf


Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES.

Post a new hijack log and tell me how your system is running now.

Thanks :tazz:
  • 0

#13
Tourette

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here's the Hijack Log. When I ran killbox it told me the C:\Windows\bundles did not exist. My computer seems to be running ok. At least my browser isn't telling me to get a cingular phone every ten minutes anyway.

I noticed in the hijack log, smsss.exe, mssw32.exe, botnet.exe and the rest of the usual suspects are still around....what's up with that?

Logfile of HijackThis v1.99.1
Scan saved at 9:21:40 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#14
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure

Disconnect from the internet

Please disable any real time protection feature such as Microsoft antispyware or just allow the changes made. It may interfere with the changes made in hijack.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O16 - DPF: ppctlcab -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs in the Control Panel (if present):

CSBB



Please note any other programs that you don't recognize in that list in your next response.


Show Hidden Files and Folders (if needed)
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please delete these folders using Windows Explorer (if present):

C:\Program Files\CSBB

Please delete these files using Windows Explorer (if present). You will have to search for these.

Botnet.exe
smsss.exe <<<>>>> Please note the extra s. There is a valid smss.exe
mssw32.exe
Botnet.exe

Now rehide files and folders

After that, Reboot.

Please post a new Hijack log

Thanks
:tazz:

Edited by loophole, 20 October 2005 - 09:49 PM.

  • 0

#15
Tourette

Tourette

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry for the slow reply, things have been crazy at work. I did everything you asked, though I didn't find any of the CSBB or any of the .exe's you listed in safe mode.

Here is my hijack log


Logfile of HijackThis v1.99.1
Scan saved at 9:34:27 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0
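The two checks this thread keeps coming back to, whether a fixed autorun is still present in the next scan (the question in post #13) and whether a name such as smsss.exe sits one character away from a real system process (the note in post #14), can be run over the logs directly. This is an added example, not part of the thread or of any tool named in it; the function names and the one-edit look-alike rule are assumptions made for illustration, and the log lines are excerpts copied from the posts above.

```python
import re
from ntpath import basename  # Windows path rules, whatever OS this runs on

# Core process names from the "Running processes" lists in this thread.
SYSTEM_NAMES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe")
# Matches e.g.  O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", re.I)

# Excerpts copied from the fix list and HijackThis logs posted in this thread.
FIX_POST_12 = r"""
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
"""
LOG_OCT_18 = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
# The 10/20 scan repeats the 10/18 autoruns and adds these five.
LOG_OCT_20 = LOG_OCT_18 + r"""
O4 - HKLM\..\Run: [u3rg3pU] setsam.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
"""
LOG_OCT_25 = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

def executable(command):
    """Best-effort program file name (lower case) from an autorun command."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, arguments follow
        path = command[1:].split('"', 1)[0]
    else:                                    # unquoted path may contain spaces
        m = EXE_RE.match(command)
        path = m.group(1) if m else command.split()[0]
    return basename(path).lower()

def autoruns(log_text):
    """Set of (hive, key, value name, program) for every O4 registry line."""
    found = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            found.add((hive, key, name, executable(command)))
    return found

def within_one_edit(a, b):
    """True when a != b and one insert, delete or substitution maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    skip = 0 if len(a) < len(b) else 1       # insertion vs substitution
    return a[i + skip:] == b[i + 1:]

def lookalikes(log_text):
    """(program, imitated system name) pairs among a log's autoruns."""
    hits = set()
    for entry in autoruns(log_text):
        for real in SYSTEM_NAMES:
            if within_one_edit(entry[3], real):
                hits.add((entry[3], real))
    return sorted(hits)

def persisting(fix_list, later_log):
    """Entries checked for 'Fix Checked' that a later scan still reports."""
    return sorted(autoruns(fix_list) & autoruns(later_log))

def newly_added(earlier_log, later_log):
    """Autoruns present in the later scan but absent from the earlier one."""
    return sorted(autoruns(later_log) - autoruns(earlier_log))

if __name__ == "__main__":
    print("still present on 10/20:", persisting(FIX_POST_12, LOG_OCT_20))
    print("still present on 10/25:", persisting(FIX_POST_12, LOG_OCT_25))
    print("added between 10/18 and 10/20:", newly_added(LOG_OCT_18, LOG_OCT_20))
    print("look-alike names on 10/20:", lookalikes(LOG_OCT_20))
```

A fixed entry that shows up again means the registry value was written back or the fix never took effect; post #14 names real-time protection as one cause of the latter.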





