
.dll, UMonitor error, recycle bin not working


#1 mothaefa
I'm running Windows XP SP2 and every time I boot into Windows I get a RUNDLL error (random.dll, UMonitor). Once I click OK and launch Internet Explorer I get lots of popups, and various miscellaneous applications get automatically installed (Virtual Bouncer and Ad Destroyer, among others). My Recycle Bin no longer works either; when I delete a file it just deletes. I've read a few forum posts and tried a few things with no luck. Can someone please help me get rid of these very annoying and frustrating problems? :tazz:

Here is my HijackThis log file:

Logfile of HijackThis v1.99.0
Scan saved at 11:43:20 PM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\yyyrvk.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C927A6C8-61EF-4293-ABF7-A76C1E1F6C94}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The FindIt NT-2K-XP Log File:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 03:30 AM 224,446 j4l4le3q1h.dll
01/17/2005 03:07 AM 223,107 en2ul1f91.dll
01/17/2005 12:49 AM <DIR> dllcache
01/15/2005 05:42 AM 223,107 ktjql7151.dll
01/14/2005 12:21 AM 223,107 upbui.dll
01/14/2005 12:11 AM 225,531 kvdbr.dll
01/13/2005 09:08 PM 226,203 ajstream.dll
01/13/2005 03:19 AM 225,531 iaencode.dll
01/13/2005 03:16 AM 225,531 szimeng.dll
01/12/2005 07:25 AM 223,592 irl2l53o1.dll
01/12/2005 03:15 AM 223,592 kfdbe.dll
01/12/2005 02:28 AM 223,592 mhfutil.dll
01/12/2005 01:56 AM 223,592 pLpgasvc.dll
01/12/2005 01:55 AM 225,049 m4820eloehqc0.dll
01/12/2005 12:56 AM 225,049 mzvci70.dll
01/07/2005 11:44 PM 223,592 sasvc.dll
01/06/2005 11:08 PM 223,138 lv6409jqe.dll
01/05/2005 08:48 PM 223,232 wwsapi32.dll
01/05/2005 01:48 AM 224,123 dnr8019ue.dll
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 08:45 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
26 File(s) 6,634,394 bytes
2 Dir(s) 22,547,054,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 01:53 AM <DIR> vmss
01/17/2005 12:49 AM <DIR> dllcache
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 07:44 AM 488 logonui.exe.manifest
07/18/2003 07:44 AM 488 WindowsLogon.manifest
07/18/2003 07:44 AM 749 sapi.cpl.manifest
07/18/2003 07:44 AM 749 nwc.cpl.manifest
07/18/2003 07:44 AM 749 ncpa.cpl.manifest
07/18/2003 07:44 AM 749 cdplayer.exe.manifest
07/18/2003 07:44 AM 749 wuaucpl.cpl.manifest
8 File(s) 11,889 bytes
2 Dir(s) 22,547,050,496 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 11:41 PM 223,107 guard.tmp
1 File(s) 223,107 bytes
0 Dir(s) 22,547,050,496 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 11:41 PM 223,107 guard.tmp
1 File(s) 223,107 bytes
0 Dir(s) 22,547,050,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{64FAC624-0B39-4C44-BF16-C8CDB4806271}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rainit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):52,41,69,6e,69,74,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ul1f91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ajstream.dll Thu Jan 13 2005 9:08:50p ..S.R 226,203 220.90 K
dnr801~1.dll Wed Jan 5 2005 1:48:04a ..S.R 224,123 218.87 K
en2ul1~1.dll Mon Jan 17 2005 3:07:20a ..S.R 223,107 217.88 K
iaencode.dll Thu Jan 13 2005 3:19:26a ..S.R 225,531 220.24 K
irl2l5~1.dll Wed Jan 12 2005 7:25:38a ..S.R 223,592 218.35 K
j4l4le~1.dll Mon Jan 17 2005 3:30:06a ..S.R 224,446 219.18 K
kfdbe.dll Wed Jan 12 2005 3:15:36a ..S.R 223,592 218.35 K
ktjql7~1.dll Sat Jan 15 2005 5:42:10a ..S.R 223,107 217.88 K
kvdbr.dll Fri Jan 14 2005 12:11:34a ..S.R 225,531 220.24 K
lv6409~1.dll Thu Jan 6 2005 11:08:58p ..S.R 223,138 217.91 K
m4820e~1.dll Wed Jan 12 2005 1:55:12a ..S.R 225,049 219.77 K
mhfutil.dll Wed Jan 12 2005 2:28:18a ..S.R 223,592 218.35 K
mzvci70.dll Wed Jan 12 2005 12:56:10a ..S.R 225,049 219.77 K
plpgasvc.dll Wed Jan 12 2005 1:56:24a ..S.R 223,592 218.35 K
sasvc.dll Fri Jan 7 2005 11:44:12p ..S.R 223,592 218.35 K
szimeng.dll Thu Jan 13 2005 3:16:02a ..S.R 225,531 220.24 K
upbui.dll Fri Jan 14 2005 12:21:54a ..S.R 223,107 217.88 K
wwsapi32.dll Wed Jan 5 2005 8:48:48p ..S.R 223,232 218.00 K

18 items found: 18 files, 0 directories.
Total of file sizes: 4,035,114 bytes 3.85 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\gggolp.dll: updates.qoologic.com
C:\WINDOWS\system32\pppwlq.exe: updates.qoologic.com
C:\WINDOWS\system32\zzzbia.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qqqbwv.dat: .aspack
C:\WINDOWS\system32\yyyrvk.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yyytkn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 9.0"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Narrator"="C:\\WINDOWS\\system32\\yyyrvk.exe"
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"ANIWZCSService"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


#2 Guest_thatman_* (Guest)
Hi mothaefa

Looking at your log now. Download the Pocket Killbox.


kc :tazz:

Edited by thatman, 18 January 2005 - 12:03 AM.


#3 mothaefa (Topic Starter)
OK, got it, also downloaded LSPFix just in case :tazz:

#4 mothaefa (Topic Starter)
My PC just shut down and rebooted itself, first time I've seen this one. Is it something caused by this particular hijack?

#5 Guest_thatman_* (Guest)
Hi mothaefa

Yes, it may be the scam on your PC that will have changed the FindIt NT-2K-XP log.

It is now 06:35 in the UK and I have not been to bed yet. I will be back online at 18:00 UK time.

Post a new FindIt log now; I will look to see if it has changed.

kc :tazz:

#6 mothaefa (Topic Starter)
I do notice there is now a FindIt folder on the root of my C: drive, which was not there before, since I'm actually running FindIt from a folder I created named C:\Downloads\Hijack CleanUP Apps\Find It NT-2K-XP. It has a bunch of text documents in it (guard, header, hidden, locate, notify, qoologic, system, temp, useragent and aspack).

Here is the latest FindIt log file:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\Hijack CleanUP Apps\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 01:15 AM 224,446 h2l2lc3o1f.dll
01/18/2005 12:14 AM 223,107 jt4s07h7e.dll
01/17/2005 03:30 AM 224,446 j4l4le3q1h.dll
01/17/2005 12:49 AM <DIR> dllcache
01/15/2005 05:42 AM 223,107 ktjql7151.dll
01/14/2005 12:21 AM 223,107 upbui.dll
01/14/2005 12:11 AM 225,531 kvdbr.dll
01/13/2005 09:08 PM 226,203 ajstream.dll
01/13/2005 03:19 AM 225,531 iaencode.dll
01/13/2005 03:16 AM 225,531 szimeng.dll
01/12/2005 07:25 AM 223,592 irl2l53o1.dll
01/12/2005 03:15 AM 223,592 kfdbe.dll
01/12/2005 02:28 AM 223,592 mhfutil.dll
01/12/2005 01:56 AM 223,592 pLpgasvc.dll
01/12/2005 01:55 AM 225,049 m4820eloehqc0.dll
01/12/2005 12:56 AM 225,049 mzvci70.dll
01/07/2005 11:44 PM 223,592 sasvc.dll
01/06/2005 11:08 PM 223,138 lv6409jqe.dll
01/05/2005 08:48 PM 223,232 wwsapi32.dll
01/05/2005 01:48 AM 224,123 dnr8019ue.dll
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 08:45 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
27 File(s) 6,858,840 bytes
2 Dir(s) 22,547,566,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 01:53 AM <DIR> vmss
01/17/2005 12:49 AM <DIR> dllcache
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 07:44 AM 488 logonui.exe.manifest
07/18/2003 07:44 AM 488 WindowsLogon.manifest
07/18/2003 07:44 AM 749 sapi.cpl.manifest
07/18/2003 07:44 AM 749 nwc.cpl.manifest
07/18/2003 07:44 AM 749 ncpa.cpl.manifest
07/18/2003 07:44 AM 749 cdplayer.exe.manifest
07/18/2003 07:44 AM 749 wuaucpl.cpl.manifest
8 File(s) 11,889 bytes
2 Dir(s) 22,547,562,496 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 01:25 AM 224,446 guard.tmp
1 File(s) 224,446 bytes
0 Dir(s) 22,547,562,496 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 01:25 AM 224,446 guard.tmp
1 File(s) 224,446 bytes
0 Dir(s) 22,547,562,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{64FAC624-0B39-4C44-BF16-C8CDB4806271}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4l4le3q1h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rainit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):52,41,69,6e,69,74,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ajstream.dll Thu Jan 13 2005 9:08:50p ..S.R 226,203 220.90 K
dnr801~1.dll Wed Jan 5 2005 1:48:04a ..S.R 224,123 218.87 K
h2l2lc~1.dll Tue Jan 18 2005 1:15:34a ..S.R 224,446 219.18 K
iaencode.dll Thu Jan 13 2005 3:19:26a ..S.R 225,531 220.24 K
irl2l5~1.dll Wed Jan 12 2005 7:25:38a ..S.R 223,592 218.35 K
j4l4le~1.dll Mon Jan 17 2005 3:30:06a ..S.R 224,446 219.18 K
jt4s07~1.dll Tue Jan 18 2005 12:14:12a ..S.R 223,107 217.88 K
kfdbe.dll Wed Jan 12 2005 3:15:36a ..S.R 223,592 218.35 K
ktjql7~1.dll Sat Jan 15 2005 5:42:10a ..S.R 223,107 217.88 K
kvdbr.dll Fri Jan 14 2005 12:11:34a ..S.R 225,531 220.24 K
lv6409~1.dll Thu Jan 6 2005 11:08:58p ..S.R 223,138 217.91 K
m4820e~1.dll Wed Jan 12 2005 1:55:12a ..S.R 225,049 219.77 K
mhfutil.dll Wed Jan 12 2005 2:28:18a ..S.R 223,592 218.35 K
mzvci70.dll Wed Jan 12 2005 12:56:10a ..S.R 225,049 219.77 K
plpgasvc.dll Wed Jan 12 2005 1:56:24a ..S.R 223,592 218.35 K
sasvc.dll Fri Jan 7 2005 11:44:12p ..S.R 223,592 218.35 K
szimeng.dll Thu Jan 13 2005 3:16:02a ..S.R 225,531 220.24 K
upbui.dll Fri Jan 14 2005 12:21:54a ..S.R 223,107 217.88 K
wwsapi32.dll Wed Jan 5 2005 8:48:48p ..S.R 223,232 218.00 K

19 items found: 19 files, 0 directories.
Total of file sizes: 4,259,560 bytes 4.06 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\gggolp.dll: updates.qoologic.com
C:\WINDOWS\system32\pppwlq.exe: updates.qoologic.com
C:\WINDOWS\system32\zzzbia.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qqqbwv.dat: .aspack
C:\WINDOWS\system32\yyyrvk.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yyytkn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 9.0"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Narrator"="C:\\WINDOWS\\system32\\yyyrvk.exe"
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"ANIWZCSService"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


#7 mothaefa (Topic Starter)
Thanks for your time and knowledge on this issue. Even if we are not on again at the same time, I will continue to message back and forth with you until we can kill this thing :tazz:.

#8 Guest_thatman_* (Guest)
Hi

Please download this tool and read the readme file

http://downloads.sub....org/l2mfix.exe

Unzip the file, then run l2mfix.bat. Don't fix any items yet, but check to see how close the l2mfix output is to the FindIt log.

kc :tazz:
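Post #8 asks for the L2MFix output to be compared with the Winlogon\Notify section of the FindIt log. The script below is an added example, not code from the thread, FindIt, L2MFix or HijackThis: it parses both export dialects seen in this thread (REGEDIT4, where hex(2) values are one byte per character, and "Windows Registry Editor Version 5.00", where hex(2) values are UTF-16LE and wrap onto backslash-continued lines), diffs the Notify subkeys between two exports, and flags any entry whose DllName is spelled out as a full path, which is how the random-named entries here differ from every stock one. The two sample exports are constructed from entries shown in the posts, trimmed to two subkeys each.

```python
"""Diff two Winlogon\\Notify .reg exports and flag full-path DllName entries.
Added example for this thread, not part of FindIt, L2MFix or HijackThis.
Sample exports below are constructed from entries shown in the posts."""

NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample: FindIt-style REGEDIT4 export (as in post #6), two subkeys.
FINDIT_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ul1f91.dll"
"Logon"="WinLogon"
"""

# Constructed sample: L2MFix-style Version 5.00 export (as in post #9), two subkeys.
L2MFIX_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4l4le3q1h.dll"
"Logon"="WinLogon"
"""


def decode_value(raw, utf16):
    """Decode the right-hand side of one .reg value line."""
    if raw.startswith('"'):                       # quoted string; \\ and \" are escapes
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):                 # REG_EXPAND_SZ as comma-separated bytes
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le" if utf16 else "latin-1").rstrip("\x00")
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: value}} for the keys under Winlogon\\Notify."""
    utf16 = "Windows Registry Editor Version 5" in text   # 5.00 exports are UTF-16LE
    joined, pending = [], ""
    for line in text.splitlines():                # re-join backslash-continued hex lines
        if line.rstrip().endswith("\\") and not line.lstrip().startswith("["):
            pending += line.strip()[:-1]
            continue
        joined.append(pending + line.strip())
        pending = ""
    keys, current, prefix = {}, None, NOTIFY.lower() + "\\"
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current is not None:
                keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw, utf16)
    return keys


def dll_name(values):
    """Value names are case-insensitive; the thread shows both DllName and DLLName."""
    return next((v for n, v in values.items() if n.lower() == "dllname"), None)


def suspicious_dlls(keys):
    """Every stock entry in the thread names a bare DLL loaded from system32; the
    random-named entries spell out a full path, so a path separator is the tell."""
    return {sub: dll_name(v) for sub, v in keys.items()
            if isinstance(dll_name(v), str) and "\\" in dll_name(v)}


def diff_notify(before, after):
    """Subkeys that appeared, vanished or changed DllName between two exports."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after)
                          if dll_name(before[k]) != dll_name(after[k])),
    }


if __name__ == "__main__":
    first, second = parse_notify_export(FINDIT_EXPORT), parse_notify_export(L2MFIX_EXPORT)
    print("suspicious in FindIt export:", suspicious_dlls(first))
    print("suspicious in L2MFix export:", suspicious_dlls(second))
    print("changes between the two    :", diff_notify(first, second))
```

Run against the full exports in posts #6 and #9 the same way, by reading each file into `parse_notify_export`; the diff shows the subkey name and DLL name changing between boots, as the log excerpts in this thread do.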

#9 mothaefa (Topic Starter)
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4l4le3q1h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rainit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):52,00,41,00,69,00,6e,00,69,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
**********************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{64FAC624-0B39-4C44-BF16-C8CDB4806271}"=""

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ajstream.dll Thu Jan 13 2005 9:08:50p ..S.R 226,203 220.90 K
dnr801~1.dll Wed Jan 5 2005 1:48:04a ..S.R 224,123 218.87 K
h2l2lc~1.dll Tue Jan 18 2005 1:15:34a ..S.R 224,446 219.18 K
iaencode.dll Thu Jan 13 2005 3:19:26a ..S.R 225,531 220.24 K
irl2l5~1.dll Wed Jan 12 2005 7:25:38a ..S.R 223,592 218.35 K
j4l4le~1.dll Mon Jan 17 2005 3:30:06a ..S.R 224,446 219.18 K
jt4s07~1.dll Tue Jan 18 2005 12:14:12a ..S.R 223,107 217.88 K
kfdbe.dll Wed Jan 12 2005 3:15:36a ..S.R 223,592 218.35 K
ktjql7~1.dll Sat Jan 15 2005 5:42:10a ..S.R 223,107 217.88 K
kvdbr.dll Fri Jan 14 2005 12:11:34a ..S.R 225,531 220.24 K
lv6409~1.dll Thu Jan 6 2005 11:08:58p ..S.R 223,138 217.91 K
m4820e~1.dll Wed Jan 12 2005 1:55:12a ..S.R 225,049 219.77 K
mhfutil.dll Wed Jan 12 2005 2:28:18a ..S.R 223,592 218.35 K
mzvci70.dll Wed Jan 12 2005 12:56:10a ..S.R 225,049 219.77 K
plpgasvc.dll Wed Jan 12 2005 1:56:24a ..S.R 223,592 218.35 K
sasvc.dll Fri Jan 7 2005 11:44:12p ..S.R 223,592 218.35 K
szimeng.dll Thu Jan 13 2005 3:16:02a ..S.R 225,531 220.24 K
upbui.dll Fri Jan 14 2005 12:21:54a ..S.R 223,107 217.88 K
wwsapi32.dll Wed Jan 5 2005 8:48:48p ..S.R 223,232 218.00 K

19 items found: 19 files, 0 directories.
Total of file sizes: 4,259,560 bytes 4.06 M

No matches found.

  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Found the latest VX2 fix: http://www.downloads...g/VX2Finder.exe

Run the fix and let me know how it went. I will stay online if you need help.

kc :tazz:
  • 0

#11
mothaefa

mothaefa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Not too sure exactly what I'm to do with that program, but here is the log file it created. Any suggestions?

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
CSCSettings
PCANotify
rainit
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{64FAC624-0B39-4C44-BF16-C8CDB4806271}
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi mothaefa

Please post a findit.log. I will look at it and post later today.

kc :tazz:
  • 0

#13
mothaefa

mothaefa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the latest FindIt log file, run at 10:12 EST on 1/18/05.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\Hijack CleanUP Apps\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 03:12 AM 224,446 m2polc731f.dll
01/18/2005 01:15 AM 224,446 h2l2lc3o1f.dll
01/18/2005 12:14 AM 223,107 jt4s07h7e.dll
01/17/2005 12:49 AM <DIR> dllcache
01/15/2005 05:42 AM 223,107 ktjql7151.dll
01/14/2005 12:21 AM 223,107 upbui.dll
01/14/2005 12:11 AM 225,531 kvdbr.dll
01/13/2005 09:08 PM 226,203 ajstream.dll
01/13/2005 03:19 AM 225,531 iaencode.dll
01/13/2005 03:16 AM 225,531 szimeng.dll
01/12/2005 07:25 AM 223,592 irl2l53o1.dll
01/12/2005 03:15 AM 223,592 kfdbe.dll
01/12/2005 02:28 AM 223,592 mhfutil.dll
01/12/2005 01:56 AM 223,592 pLpgasvc.dll
01/12/2005 01:55 AM 225,049 m4820eloehqc0.dll
01/12/2005 12:56 AM 225,049 mzvci70.dll
01/07/2005 11:44 PM 223,592 sasvc.dll
01/06/2005 11:08 PM 223,138 lv6409jqe.dll
01/05/2005 08:48 PM 223,232 wwsapi32.dll
01/05/2005 01:48 AM 224,123 dnr8019ue.dll
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 08:45 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
27 File(s) 6,858,840 bytes
2 Dir(s) 22,513,864,704 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/17/2005 01:53 AM <DIR> vmss
01/17/2005 12:49 AM <DIR> dllcache
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 07:44 AM 488 logonui.exe.manifest
07/18/2003 07:44 AM 488 WindowsLogon.manifest
07/18/2003 07:44 AM 749 sapi.cpl.manifest
07/18/2003 07:44 AM 749 nwc.cpl.manifest
07/18/2003 07:44 AM 749 ncpa.cpl.manifest
07/18/2003 07:44 AM 749 cdplayer.exe.manifest
07/18/2003 07:44 AM 749 wuaucpl.cpl.manifest
8 File(s) 11,889 bytes
2 Dir(s) 22,513,860,608 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 10:04 PM 224,446 guard.tmp
1 File(s) 224,446 bytes
0 Dir(s) 22,513,860,608 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/18/2005 10:04 PM 224,446 guard.tmp
1 File(s) 224,446 bytes
0 Dir(s) 22,513,860,608 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{64FAC624-0B39-4C44-BF16-C8CDB4806271}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rainit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):52,41,69,6e,69,74,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h2l2lc3o1f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ajstream.dll Thu Jan 13 2005 9:08:50p ..S.R 226,203 220.90 K
dnr801~1.dll Wed Jan 5 2005 1:48:04a ..S.R 224,123 218.87 K
h2l2lc~1.dll Tue Jan 18 2005 1:15:34a ..S.R 224,446 219.18 K
iaencode.dll Thu Jan 13 2005 3:19:26a ..S.R 225,531 220.24 K
irl2l5~1.dll Wed Jan 12 2005 7:25:38a ..S.R 223,592 218.35 K
jt4s07~1.dll Tue Jan 18 2005 12:14:12a ..S.R 223,107 217.88 K
kfdbe.dll Wed Jan 12 2005 3:15:36a ..S.R 223,592 218.35 K
ktjql7~1.dll Sat Jan 15 2005 5:42:10a ..S.R 223,107 217.88 K
kvdbr.dll Fri Jan 14 2005 12:11:34a ..S.R 225,531 220.24 K
lv6409~1.dll Thu Jan 6 2005 11:08:58p ..S.R 223,138 217.91 K
m2polc~1.dll Tue Jan 18 2005 3:12:04a ..S.R 224,446 219.18 K
m4820e~1.dll Wed Jan 12 2005 1:55:12a ..S.R 225,049 219.77 K
mhfutil.dll Wed Jan 12 2005 2:28:18a ..S.R 223,592 218.35 K
mzvci70.dll Wed Jan 12 2005 12:56:10a ..S.R 225,049 219.77 K
plpgasvc.dll Wed Jan 12 2005 1:56:24a ..S.R 223,592 218.35 K
sasvc.dll Fri Jan 7 2005 11:44:12p ..S.R 223,592 218.35 K
szimeng.dll Thu Jan 13 2005 3:16:02a ..S.R 225,531 220.24 K
upbui.dll Fri Jan 14 2005 12:21:54a ..S.R 223,107 217.88 K
wwsapi32.dll Wed Jan 5 2005 8:48:48p ..S.R 223,232 218.00 K

19 items found: 19 files, 0 directories.
Total of file sizes: 4,259,560 bytes 4.06 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\gggolp.dll: updates.qoologic.com
C:\WINDOWS\system32\pppwlq.exe: updates.qoologic.com
C:\WINDOWS\system32\zzzbia.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\installer.exe: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qqqbwv.dat: .aspack
C:\WINDOWS\system32\yyyrvk.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yyytkn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 9.0"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Narrator"="C:\\WINDOWS\\system32\\yyyrvk.exe"
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"ANIWZCSService"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0
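The Notify exports in the logs above show the pattern the helpers are looking for: every legitimate entry (crypt32chain, cryptnet, ScCertProp, termsrv, ...) registers its DLL by bare name, while the rogue subkeys (CSCSettings pointing at j4l4le3q1h.dll, ShellScrap pointing at h2l2lc3o1f.dll) use a full path into system32 and a random name. The following is an added example, not code from the thread and not part of l2mfix, VX2Finder or FindIt: a small parser for the regedit export format that decodes both dialects pasted above (the "Windows Registry Editor Version 5.00" exports, where hex(2) values are UTF-16LE, and the REGEDIT4 exports, where they are single-byte), then flags Notify subkeys whose DllName is registered by full path or is not on an allowlist. The allowlist is an assumption built only from the legitimate DLL names visible in these logs, and the sample export is constructed from them.

```python
"""Triage a regedit export of Winlogon\\Notify (added example, not part of the thread).
Handles the 5.00 dialect (hex(2) is UTF-16LE) and REGEDIT4 (hex(2) is single-byte ANSI)."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: allowlist built only from the DLL names the legitimate Notify entries
# in the exports above use; anything else, or anything registered by full path, is flagged.
KNOWN_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "pcanotify.dll", "rainit.dll", "sclgntfy.dll", "wlnotify.dll",
}

# Constructed sample, abridged from the exports pasted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4l4le3q1h.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")


def _logical_lines(text):
    """Join lines that regedit wrapped with a trailing backslash."""
    merged, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        merged.append(line)
    if pending is not None:
        merged.append(pending)
    return merged


def _unescape(s):
    """Undo regedit escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw, utf16):
    """Decode a quoted string, dword, or hex(...) value; raw text otherwise."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ written as hex
            return data.decode("utf-16-le" if utf16 else "latin-1").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    lines = _logical_lines(text)
    utf16 = bool(lines) and lines[0].startswith("Windows Registry Editor")
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2), utf16)
    return keys


def triage_notify(keys):
    """Return (subkey, dll, reason) for Notify entries that look unlike the legitimate ones."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            findings.append((subkey, None, "no readable DllName value"))
            continue
        reasons = []
        if "\\" in dll:
            reasons.append("registered by full path; legitimate entries use a bare DLL name")
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL name not in the allowlist")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in triage_notify(parse_reg_export(SAMPLE_REG)):
        print(f"{subkey}: {dll} -> {why}")
```

Run against the sample, only CSCSettings is reported, for both reasons; run against a pasted REGEDIT4 export, the single-byte hex(2) names such as RAinit.dll decode to the same bare names and pass. A subkey name that imitates a Windows component (CSCSettings, ShellScrap, Themes in the later log) is deliberately ignored by the check: the name is attacker-chosen, the DllName value is what Winlogon actually loads.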

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi mothaefa

Sorry for the delay, yes I did forget. OK, let's start with the fix.

You need the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

kc :tazz:
  • 0

#15
mothaefa

mothaefa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for the reply. I did exactly as you said; the only thing is this log file came up almost instantaneously, no delay at all, so I'm kinda wondering if it's accurate, but anyway here it is.


L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rainit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):52,00,41,00,69,00,6e,00,69,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q2860clsefq60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{64FAC624-0B39-4C44-BF16-C8CDB4806271}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{8F7261D0-D2B9-11D2-9909-00605205B24C}"="CuteFTP Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B3ED2628-C806-4786-A250-81492239B410}"=""
"{7ABF6628-42B1-4B19-9174-6D52D7812716}"=""
"{6FAF3D86-B268-4027-BE96-6AE1AC2BB832}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B3ED2628-C806-4786-A250-81492239B410}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B3ED2628-C806-4786-A250-81492239B410}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B3ED2628-C806-4786-A250-81492239B410}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B3ED2628-C806-4786-A250-81492239B410}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7ABF6628-42B1-4B19-9174-6D52D7812716}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7ABF6628-42B1-4B19-9174-6D52D7812716}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7ABF6628-42B1-4B19-9174-6D52D7812716}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7ABF6628-42B1-4B19-9174-6D52D7812716}\InprocServer32]
@="C:\\WINDOWS\\system32\\unrv42a.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6FAF3D86-B268-4027-BE96-6AE1AC2BB832}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FAF3D86-B268-4027-BE96-6AE1AC2BB832}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FAF3D86-B268-4027-BE96-6AE1AC2BB832}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6FAF3D86-B268-4027-BE96-6AE1AC2BB832}\InprocServer32]
@="C:\\WINDOWS\\system32\\dsstyle.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ajstream.dll Thu Jan 13 2005 9:08:50p ..S.R 226,203 220.90 K
cacore.dll Thu Jan 6 2005 2:30:18a A.... 151,552 148.00 K
carules.dll Thu Jan 6 2005 2:30:18a A.... 45,056 44.00 K
casync.dll Thu Jan 6 2005 2:30:18a A.... 114,688 112.00 K
d2j00c~1.dll Fri Jan 28 2005 12:02:28a ..S.R 224,446 219.18 K
dn4001~1.dll Sun Jan 23 2005 4:00:42a ..S.R 224,446 219.18 K
dnr801~1.dll Wed Jan 5 2005 1:48:04a ..S.R 224,123 218.87 K
dsstyle.dll Fri Jan 28 2005 12:07:06a ..... 224,446 219.18 K
e002la~1.dll Tue Jan 18 2005 10:10:08p ..S.R 224,446 219.18 K
gggolp.dll Fri Jan 7 2005 11:51:18p A.... 5,632 5.50 K
hypertrm.dll Wed Nov 17 2004 12:41:24p A.... 347,136 339.00 K
iaencode.dll Thu Jan 13 2005 3:19:26a ..S.R 225,531 220.24 K
irl2l5~1.dll Wed Jan 12 2005 7:25:38a ..S.R 223,592 218.35 K
jt4s07~1.dll Tue Jan 18 2005 12:14:12a ..S.R 223,107 217.88 K
k226lc~1.dll Tue Jan 18 2005 10:25:40p ..S.R 224,446 219.18 K
kfdbe.dll Wed Jan 12 2005 3:15:36a ..S.R 223,592 218.35 K
kt2sl7~1.dll Mon Jan 24 2005 4:07:56a ..S.R 224,446 219.18 K
ktjql7~1.dll Sat Jan 15 2005 5:42:10a ..S.R 223,107 217.88 K
kvdbr.dll Fri Jan 14 2005 12:11:34a ..S.R 225,531 220.24 K
lv6409~1.dll Thu Jan 6 2005 11:08:58p ..S.R 223,138 217.91 K
m2polc~1.dll Tue Jan 18 2005 3:12:04a ..S.R 224,446 219.18 K
m4820e~1.dll Wed Jan 12 2005 1:55:12a ..S.R 225,049 219.77 K
mhfutil.dll Wed Jan 12 2005 2:28:18a ..S.R 223,592 218.35 K
mzvci70.dll Wed Jan 12 2005 12:56:10a ..S.R 225,049 219.77 K
plpgasvc.dll Wed Jan 12 2005 1:56:24a ..S.R 223,592 218.35 K
q2860c~1.dll Wed Jan 26 2005 4:17:36a ..S.R 224,446 219.18 K
sasvc.dll Fri Jan 7 2005 11:44:12p ..S.R 223,592 218.35 K
sporder.dll Wed Jan 5 2005 1:36:18a A.... 8,464 8.27 K
szimeng.dll Thu Jan 13 2005 3:16:02a ..S.R 225,531 220.24 K
unrv42a.dll Wed Jan 5 2005 2:03:34a A.... 223,232 218.00 K
upbui.dll Fri Jan 14 2005 12:21:54a ..S.R 223,107 217.88 K
wincor~1.dll Sat Jan 15 2005 4:51:02a A.... 188,416 184.00 K
winlspak.dll Sat Jan 15 2005 4:51:02a A.... 196,608 192.00 K
winrul~1.dll Sat Jan 15 2005 4:51:02a A.... 110,592 108.00 K
winupdak.dll Sat Jan 15 2005 4:50:54a A.... 155,648 152.00 K
wwsapi32.dll Wed Jan 5 2005 8:48:48p ..S.R 223,232 218.00 K
zzzbia.dll Fri Jan 7 2005 11:51:18p A.... 24,576 24.00 K

37 items found: 37 files (24 H/S), 0 directories.
Total of file sizes: 7,177,836 bytes 6.84 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Fri Jan 28 2005 12:09:06a A.... 224,446 219.18 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224,446 bytes 219.18 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 84A4-1352

Directory of C:\WINDOWS\System32

01/28/2005 12:02 AM 224,446 d2j00c1mef.dll
01/26/2005 04:17 AM 224,446 q2860clsefq60.dll
01/24/2005 04:07 AM 224,446 kt2sl7f71.dll
01/23/2005 04:00 AM 224,446 dn4001hme.dll
01/18/2005 10:25 PM 224,446 k226lcfs1f26.dll
01/18/2005 10:10 PM 224,446 e002lado1d0c.dll
01/18/2005 03:12 AM 224,446 m2polc731f.dll
01/18/2005 12:14 AM 223,107 jt4s07h7e.dll
01/17/2005 12:49 AM <DIR> dllcache
01/15/2005 05:42 AM 223,107 ktjql7151.dll
01/14/2005 12:21 AM 223,107 upbui.dll
01/14/2005 12:11 AM 225,531 kvdbr.dll
01/13/2005 09:08 PM 226,203 ajstream.dll
01/13/2005 03:19 AM 225,531 iaencode.dll
01/13/2005 03:16 AM 225,531 szimeng.dll
01/12/2005 07:25 AM 223,592 irl2l53o1.dll
01/12/2005 03:15 AM 223,592 kfdbe.dll
01/12/2005 02:28 AM 223,592 mhfutil.dll
01/12/2005 01:56 AM 223,592 pLpgasvc.dll
01/12/2005 01:55 AM 225,049 m4820eloehqc0.dll
01/12/2005 12:56 AM 225,049 mzvci70.dll
01/07/2005 11:44 PM 223,592 sasvc.dll
01/06/2005 11:08 PM 223,138 lv6409jqe.dll
01/05/2005 08:48 PM 223,232 wwsapi32.dll
01/05/2005 01:48 AM 224,123 dnr8019ue.dll
07/08/2004 08:37 PM 7,168 Thumbs.db
07/18/2003 08:45 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
32 File(s) 7,981,070 bytes
2 Dir(s) 22,559,494,144 bytes free