Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Unremovable/renaming .dll (Winlogon Notify) [RESOLVED]

Started by cdelse , Nov 13 2005 07:55 PM

  • This topic is locked This topic is locked

#1
cdelse
Posted 13 November 2005 - 07:55 PM

cdelse

    New Member

  • Member
  • Pip
  • 8 posts
Hi there, just downloaded a bad .exe to my computer, and got a pretty major malware infection. Managed to delete the majority of it, however there is still one bad .dll that I am unable to delete itself, and if I try to delete it on reboot it renames itself. I was getting some popups because of it, however now I have that box completely offline, and am posting this from the PC next to mine. Here is my HiJackThis log, the .dll which concerns me most is in bold and red. Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:50:51 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PowerDVD\PDVDServ.exe
D:\Winamp\Winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.../main.adp?fc=1"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101238363417
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/deltacvx.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\jt6807jue.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

Advertisements

#2
Buckeye_Sam
Posted 15 November 2005 - 10:08 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
cdelse
Posted 15 November 2005 - 09:10 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry for the late reply, was at work all day:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt6807jue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{410EEA30-B6C1-ECBC-463B-A50985334A01}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}\InprocServer32]
@="C:\\WINDOWS\\system32\\cdmaddin.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
appwiz.dll Sat Nov 12 2005 5:34:58p A.... 65,252 63.72 K
ati2cqag.dll Thu Oct 13 2005 10:40:00p A.... 233,472 228.00 K
ati2dvag.dll Thu Oct 13 2005 11:11:22p A.... 241,664 236.00 K
ati2edxx.dll Thu Oct 13 2005 11:07:08p A.... 39,936 39.00 K
ati2evxx.dll Thu Oct 13 2005 11:07:00p A.... 46,080 45.00 K
ati3duag.dll Thu Oct 13 2005 10:59:44p A.... 2,433,120 2.32 M
aticds10.dll Wed Sep 14 2005 8:05:00p A.... 368,640 360.00 K
atiddc.dll Thu Oct 13 2005 11:05:46p A.... 53,248 52.00 K
atidemgr.dll Thu Oct 13 2005 10:07:22p A.... 258,048 252.00 K
atiicdxx.dll Wed Sep 14 2005 8:05:00p A.... 380,928 372.00 K
atiiiexx.dll Thu Oct 13 2005 11:03:32p A.... 307,200 300.00 K
atikvmag.dll Thu Oct 13 2005 10:44:50p A.... 147,456 144.00 K
atioglx1.dll Thu Oct 13 2005 11:49:30p A.... 6,680,576 6.37 M
atioglxx.dll Sat Oct 15 2005 2:02:56p A.... 4,952,064 4.72 M
atipdlxx.dll Thu Oct 13 2005 11:07:28p A.... 106,496 104.00 K
atipdsxx.dll Wed Sep 14 2005 8:05:00p A.... 266,240 260.00 K
atippaxx.dll Wed Sep 14 2005 8:05:00p A.... 94,208 92.00 K
atipuixx.dll Wed Sep 14 2005 8:05:00p A.... 2,039,808 1.95 M
atitvo32.dll Thu Oct 13 2005 10:44:18p A.... 17,408 17.00 K
ativvaxx.dll Thu Oct 13 2005 10:55:10p A.... 601,760 587.66 K
bjdispl.dll Sat Nov 12 2005 8:50:54p ..S.R 234,272 228.78 K
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdmaddin.dll Tue Nov 15 2005 3:59:38p ..S.R 233,809 228.33 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cmdlin~1.dll Mon Aug 29 2005 4:59:08p A.... 43,520 42.50 K
cmdlin~2.dll Sat Sep 24 2005 8:37:12p A.... 98,304 96.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dtmsrpcn.dll Sat Nov 12 2005 11:45:52p ..S.R 235,711 230.18 K
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
dyspex.dll Sat Nov 12 2005 11:24:40p ..S.R 234,272 228.78 K
espsrv.dll Sun Nov 13 2005 10:41:14a ..S.R 236,983 231.43 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
gp46l3~1.dll Sun Nov 13 2005 7:22:30p ..S.R 233,723 228.24 K
hdtplug.dll Sun Nov 13 2005 7:17:30p ..S.R 233,723 228.24 K
hyetmon.dll Sun Nov 13 2005 12:15:20a ..S.R 235,711 230.18 K
hztpapi.dll Sun Nov 13 2005 12:01:02a ..S.R 235,711 230.18 K
i6nm0g~1.dll Tue Nov 15 2005 12:53:52a ..S.R 233,809 228.33 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
ijsmsnap.dll Sat Nov 12 2005 11:39:56p ..S.R 235,123 229.61 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
jt6807~1.dll Sun Nov 13 2005 8:10:58p ..S.R 233,809 228.33 K
k644lg~1.dll Tue Nov 15 2005 3:43:24p ..S.R 235,255 229.74 K
kt68l7~1.dll Tue Nov 15 2005 3:59:38p ..S.R 235,676 230.15 K
ktj2l7~1.dll Sun Nov 13 2005 8:23:28p ..S.R 236,983 231.43 K
kvdir.dll Sun Nov 13 2005 7:54:14p ..S.R 237,005 231.45 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
lkprxy.dll Sun Nov 13 2005 8:08:58p ..S.R 233,809 228.33 K
lvl809~1.dll Sun Nov 13 2005 8:29:10p ..S.R 233,809 228.33 K
mivcp70.dll Sat Nov 12 2005 9:58:22p ..S.R 234,275 228.78 K
mmxml.dll Sun Nov 13 2005 7:41:24p ..S.R 237,005 231.45 K
mqdrv.dll Sat Nov 12 2005 10:26:10p ..S.R 235,123 229.61 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
neroco.dll Thu Sep 15 2005 4:38:52p A.... 53,248 52.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
oemdspif.dll Thu Oct 13 2005 11:07:18p A.... 73,728 72.00 K
ose2disp.dll Sun Nov 13 2005 12:11:04a ..S.R 236,983 231.43 K
ovedlg.dll Sun Nov 13 2005 7:49:12p ..S.R 236,983 231.43 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
pwgfilt.dll Sat Nov 12 2005 10:13:32p ..S.R 234,272 228.78 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
snnsapi.dll Sat Nov 12 2005 11:50:32p ..S.R 236,983 231.43 K
spfrcdlg.dll Sun Nov 13 2005 7:35:30p ..S.R 236,983 231.43 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K
wyiscmgr.dll Sun Nov 13 2005 7:58:28p ..S.R 236,983 231.43 K
xdire_~1.dll Sun Nov 13 2005 8:20:28p ..S.R 236,983 231.43 K

76 items found: 76 files (28 H/S), 0 directories.
Total of file sizes: 49,150,714 bytes 46.87 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Windows
Volume Serial Number is 3C18-E9E0

Directory of C:\WINDOWS\System32

11/15/2005 03:59 PM 233,809 cdmaddin.dll
11/15/2005 03:59 PM 235,676 kt68l7ju1.dll
11/15/2005 03:43 PM 235,255 k644lghq164e.dll
11/15/2005 03:09 PM <DIR> dllcache
11/15/2005 12:53 AM 233,809 i6nm0g51e6.dll
11/13/2005 08:29 PM 233,809 lvl8093ue.dll
11/13/2005 08:23 PM 236,983 ktj2l71o1.dll
11/13/2005 08:20 PM 236,983 xdire_lsp_10650.dll
11/13/2005 08:10 PM 233,809 jt6807jue.dll
11/13/2005 08:08 PM 233,809 lKprxy.dll
11/13/2005 07:58 PM 236,983 wyiscmgr.dll
11/13/2005 07:54 PM 237,005 kvdir.dll
11/13/2005 07:49 PM 236,983 ovedlg.dll
11/13/2005 07:41 PM 237,005 mmxml.dll
11/13/2005 07:35 PM 236,983 sPfrcdlg.dll
11/13/2005 07:22 PM 233,723 gp46l3hs1.dll
11/13/2005 07:17 PM 233,723 hdtplug.dll
11/13/2005 10:41 AM 236,983 espsrv.dll
11/13/2005 12:15 AM 235,711 hyetmon.dll
11/13/2005 12:11 AM 236,983 ose2disp.dll
11/13/2005 12:01 AM 235,711 hztpapi.dll
11/12/2005 11:50 PM 236,983 snnsapi.dll
11/12/2005 11:45 PM 235,711 dtmsrpcn.dll
11/12/2005 11:39 PM 235,123 ijsmsnap.dll
11/12/2005 11:24 PM 234,272 dyspex.dll
11/12/2005 10:26 PM 235,123 mqdrv.dll
11/12/2005 10:13 PM 234,272 pwgfilt.dll
11/12/2005 09:58 PM 234,275 mivcp70.dll
11/12/2005 08:50 PM 234,272 bjdispl.dll
06/27/2005 09:38 AM 12,208 KGyGaAvL.sys
03/17/2005 09:06 AM 417,792 ??anregw.exe
11/27/2004 11:51 AM 32 {AC1A9EEF-CD52-4DD6-AD02-0872C9C673A9}.dat
11/27/2004 11:51 AM 32 {5B3C9234-DD75-4C80-8FF1-835933734257}.dat
11/27/2004 11:50 AM 32 {64B0E976-FD38-46A4-8FCC-00B1A69EF46B}.dat
11/27/2004 11:49 AM 32 {17CB1FFF-BDCE-4071-BFEA-2F46B47E098E}.dat
11/27/2004 11:49 AM 32 {0C43BF83-F04E-44F9-9DFA-A654BA5CD746}.dat
11/27/2004 11:49 AM 32 {74AEACF7-72FA-43DB-960A-CFD6EAE60F78}.dat
11/27/2004 11:48 AM 32 {B3B32CF1-B1DC-460C-B03A-F9F02959F025}.dat
11/23/2004 05:51 PM <DIR> Microsoft
37 File(s) 7,021,990 bytes
2 Dir(s) 14,587,510,784 bytes free
  • 0

#4
Buckeye_Sam
Posted 16 November 2005 - 04:48 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
  • 0

#5
cdelse
Posted 16 November 2005 - 11:38 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Did as instructed. Icons did not disappear on reboot, so I ran second.bat. Scan seemed to finish and now I just have a screen with my wallpaper and no icons. No log opened up, and HD wasn't doing anything. I went into Task Manager and ran explorer.exe manually, went into the l2mfix folder and retrieved the log manually from log.txt. I hope this is still acceptable:

L2MFIX LOG:
L2Mfix 1.04a

Running From:
C:\Documents and Settings\Chris\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- changing existing entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Chris\Desktop\l2mfix

Running From:
C:\Documents and Settings\Chris\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 696 'smss.exe'
Error 0x6 : The handle is invalid.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 800 'winlogon.exe'
Error 0x6 : The handle is invalid.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1716 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 524 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\bjdispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cdmaddin.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dtmsrpcn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dysenh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dyspex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enr4l19q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\espsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8lmli3118.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp46l3hs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp88l3lu1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h2l20c3oef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hdtplug.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hyetmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hztpapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6nm0g51e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ijsmsnap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k644lghq164e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kqdtat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt68l7ju1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktj2l71o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kvdir.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lKprxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvl8093ue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mivcp70.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmxml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqdrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv4ul9h91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ose2disp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ovedlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pwgfilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snnsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sPfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyiscmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xdire_lsp_10650.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\bjdispl.dll
Successfully Deleted: C:\WINDOWS\system32\bjdispl.dll
deleting: C:\WINDOWS\system32\cdmaddin.dll
Successfully Deleted: C:\WINDOWS\system32\cdmaddin.dll
deleting: C:\WINDOWS\system32\dtmsrpcn.dll
Successfully Deleted: C:\WINDOWS\system32\dtmsrpcn.dll
deleting: C:\WINDOWS\system32\dysenh.dll
Successfully Deleted: C:\WINDOWS\system32\dysenh.dll
deleting: C:\WINDOWS\system32\dyspex.dll
Successfully Deleted: C:\WINDOWS\system32\dyspex.dll
deleting: C:\WINDOWS\system32\enr4l19q1.dll
Successfully Deleted: C:\WINDOWS\system32\enr4l19q1.dll
deleting: C:\WINDOWS\system32\espsrv.dll
Successfully Deleted: C:\WINDOWS\system32\espsrv.dll
deleting: C:\WINDOWS\system32\g8lmli3118.dll
Successfully Deleted: C:\WINDOWS\system32\g8lmli3118.dll
deleting: C:\WINDOWS\system32\gp46l3hs1.dll
Successfully Deleted: C:\WINDOWS\system32\gp46l3hs1.dll
deleting: C:\WINDOWS\system32\gp88l3lu1.dll
Successfully Deleted: C:\WINDOWS\system32\gp88l3lu1.dll
deleting: C:\WINDOWS\system32\h2l20c3oef.dll
Successfully Deleted: C:\WINDOWS\system32\h2l20c3oef.dll
deleting: C:\WINDOWS\system32\hdtplug.dll
Successfully Deleted: C:\WINDOWS\system32\hdtplug.dll
deleting: C:\WINDOWS\system32\hyetmon.dll
Successfully Deleted: C:\WINDOWS\system32\hyetmon.dll
deleting: C:\WINDOWS\system32\hztpapi.dll
Successfully Deleted: C:\WINDOWS\system32\hztpapi.dll
deleting: C:\WINDOWS\system32\i6nm0g51e6.dll
Successfully Deleted: C:\WINDOWS\system32\i6nm0g51e6.dll
deleting: C:\WINDOWS\system32\ijsmsnap.dll
Successfully Deleted: C:\WINDOWS\system32\ijsmsnap.dll
deleting: C:\WINDOWS\system32\k644lghq164e.dll
Successfully Deleted: C:\WINDOWS\system32\k644lghq164e.dll
deleting: C:\WINDOWS\system32\kqdtat.dll
Successfully Deleted: C:\WINDOWS\system32\kqdtat.dll
deleting: C:\WINDOWS\system32\kt68l7ju1.dll
Successfully Deleted: C:\WINDOWS\system32\kt68l7ju1.dll
deleting: C:\WINDOWS\system32\ktj2l71o1.dll
Successfully Deleted: C:\WINDOWS\system32\ktj2l71o1.dll
deleting: C:\WINDOWS\system32\kvdir.dll
Successfully Deleted: C:\WINDOWS\system32\kvdir.dll
deleting: C:\WINDOWS\system32\lKprxy.dll
Successfully Deleted: C:\WINDOWS\system32\lKprxy.dll
deleting: C:\WINDOWS\system32\lvl8093ue.dll
Successfully Deleted: C:\WINDOWS\system32\lvl8093ue.dll
deleting: C:\WINDOWS\system32\mdrt.dll
Successfully Deleted: C:\WINDOWS\system32\mdrt.dll
deleting: C:\WINDOWS\system32\mivcp70.dll
Successfully Deleted: C:\WINDOWS\system32\mivcp70.dll
deleting: C:\WINDOWS\system32\mmxml.dll
Successfully Deleted: C:\WINDOWS\system32\mmxml.dll
deleting: C:\WINDOWS\system32\mqdrv.dll
Successfully Deleted: C:\WINDOWS\system32\mqdrv.dll
deleting: C:\WINDOWS\system32\mv4ul9h91.dll
Successfully Deleted: C:\WINDOWS\system32\mv4ul9h91.dll
deleting: C:\WINDOWS\system32\ose2disp.dll
Successfully Deleted: C:\WINDOWS\system32\ose2disp.dll
deleting: C:\WINDOWS\system32\ovedlg.dll
Successfully Deleted: C:\WINDOWS\system32\ovedlg.dll
deleting: C:\WINDOWS\system32\pwgfilt.dll
Successfully Deleted: C:\WINDOWS\system32\pwgfilt.dll
deleting: C:\WINDOWS\system32\snnsapi.dll
Successfully Deleted: C:\WINDOWS\system32\snnsapi.dll
deleting: C:\WINDOWS\system32\sPfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sPfrcdlg.dll
deleting: C:\WINDOWS\system32\wyiscmgr.dll
Successfully Deleted: C:\WINDOWS\system32\wyiscmgr.dll
deleting: C:\WINDOWS\system32\xdire_lsp_10650.dll
Successfully Deleted: C:\WINDOWS\system32\xdire_lsp_10650.dll
deleting: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: bjdispl.dll (164 bytes security) (deflated 4%)
adding: cdmaddin.dll (164 bytes security) (deflated 4%)
adding: dtmsrpcn.dll (164 bytes security) (deflated 5%)
adding: dysenh.dll (164 bytes security) (deflated 5%)
adding: dyspex.dll (164 bytes security) (deflated 4%)
adding: enr4l19q1.dll (164 bytes security) (deflated 5%)
adding: espsrv.dll (164 bytes security) (deflated 5%)
adding: g8lmli3118.dll (164 bytes security) (deflated 5%)
adding: gp46l3hs1.dll (164 bytes security) (deflated 4%)
adding: gp88l3lu1.dll (164 bytes security) (deflated 5%)
adding: h2l20c3oef.dll (164 bytes security) (deflated 4%)
adding: hdtplug.dll (164 bytes security) (deflated 4%)
adding: hyetmon.dll (164 bytes security) (deflated 5%)
adding: hztpapi.dll (164 bytes security) (deflated 5%)
adding: i6nm0g51e6.dll (164 bytes security) (deflated 4%)
adding: ijsmsnap.dll (164 bytes security) (deflated 5%)
adding: k644lghq164e.dll (164 bytes security) (deflated 5%)
adding: kqdtat.dll (164 bytes security) (deflated 4%)
adding: kt68l7ju1.dll (164 bytes security) (deflated 5%)
adding: ktj2l71o1.dll (164 bytes security) (deflated 5%)
adding: kvdir.dll (164 bytes security) (deflated 5%)
adding: lKprxy.dll (164 bytes security) (deflated 4%)
adding: lvl8093ue.dll (164 bytes security) (deflated 4%)
adding: mdrt.dll (164 bytes security) (deflated 4%)
adding: mivcp70.dll (164 bytes security) (deflated 4%)
adding: mmxml.dll (164 bytes security) (deflated 5%)
adding: mqdrv.dll (164 bytes security) (deflated 5%)
adding: mv4ul9h91.dll (164 bytes security) (deflated 5%)
adding: ose2disp.dll (164 bytes security) (deflated 5%)
adding: ovedlg.dll (164 bytes security) (deflated 5%)
adding: pwgfilt.dll (164 bytes security) (deflated 4%)
adding: snnsapi.dll (164 bytes security) (deflated 5%)
adding: sPfrcdlg.dll (164 bytes security) (deflated 5%)
adding: wyiscmgr.dll (164 bytes security) (deflated 5%)
adding: xdire_lsp_10650.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 11%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: direct.txt (164 bytes security) (stored 0%)
adding: flag.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/FDB3630F-C64C-47D5-B628-CA4590DFAC9E.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: bjdispl.dll
deleting local copy: cdmaddin.dll
deleting local copy: dtmsrpcn.dll
deleting local copy: dysenh.dll
deleting local copy: dyspex.dll
deleting local copy: enr4l19q1.dll
deleting local copy: espsrv.dll
deleting local copy: g8lmli3118.dll
deleting local copy: gp46l3hs1.dll
deleting local copy: gp88l3lu1.dll
deleting local copy: h2l20c3oef.dll
deleting local copy: hdtplug.dll
deleting local copy: hyetmon.dll
deleting local copy: hztpapi.dll
deleting local copy: i6nm0g51e6.dll
deleting local copy: ijsmsnap.dll
deleting local copy: k644lghq164e.dll
deleting local copy: kqdtat.dll
deleting local copy: kt68l7ju1.dll
deleting local copy: ktj2l71o1.dll
deleting local copy: kvdir.dll
deleting local copy: lKprxy.dll
deleting local copy: lvl8093ue.dll
deleting local copy: mdrt.dll
deleting local copy: mivcp70.dll
deleting local copy: mmxml.dll
deleting local copy: mqdrv.dll
deleting local copy: mv4ul9h91.dll
deleting local copy: ose2disp.dll
deleting local copy: ovedlg.dll
deleting local copy: pwgfilt.dll
deleting local copy: snnsapi.dll
deleting local copy: sPfrcdlg.dll
deleting local copy: wyiscmgr.dll
deleting local copy: xdire_lsp_10650.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n44s0eh7eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bjdispl.dll
C:\WINDOWS\system32\cdmaddin.dll
C:\WINDOWS\system32\dtmsrpcn.dll
C:\WINDOWS\system32\dysenh.dll
C:\WINDOWS\system32\dyspex.dll
C:\WINDOWS\system32\enr4l19q1.dll
C:\WINDOWS\system32\espsrv.dll
C:\WINDOWS\system32\g8lmli3118.dll
C:\WINDOWS\system32\gp46l3hs1.dll
C:\WINDOWS\system32\gp88l3lu1.dll
C:\WINDOWS\system32\h2l20c3oef.dll
C:\WINDOWS\system32\hdtplug.dll
C:\WINDOWS\system32\hyetmon.dll
C:\WINDOWS\system32\hztpapi.dll
C:\WINDOWS\system32\i6nm0g51e6.dll
C:\WINDOWS\system32\ijsmsnap.dll
C:\WINDOWS\system32\k644lghq164e.dll
C:\WINDOWS\system32\kqdtat.dll
C:\WINDOWS\system32\kt68l7ju1.dll
C:\WINDOWS\system32\ktj2l71o1.dll
C:\WINDOWS\system32\kvdir.dll
C:\WINDOWS\system32\lKprxy.dll
C:\WINDOWS\system32\lvl8093ue.dll
C:\WINDOWS\system32\mdrt.dll
C:\WINDOWS\system32\mivcp70.dll
C:\WINDOWS\system32\mmxml.dll
C:\WINDOWS\system32\mqdrv.dll
C:\WINDOWS\system32\mv4ul9h91.dll
C:\WINDOWS\system32\ose2disp.dll
C:\WINDOWS\system32\ovedlg.dll
C:\WINDOWS\system32\pwgfilt.dll
C:\WINDOWS\system32\snnsapi.dll
C:\WINDOWS\system32\sPfrcdlg.dll
C:\WINDOWS\system32\wyiscmgr.dll
C:\WINDOWS\system32\xdire_lsp_10650.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FDB3630F-C64C-47D5-B628-CA4590DFAC9E}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

HIJACK THIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 12:37:15 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PowerDVD\PDVDServ.exe
D:\Winamp\Winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.../main.adp?fc=1"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101238363417
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/deltacvx.cab
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#6
Buckeye_Sam
Posted 17 November 2005 - 01:26 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We didn't get it all. Please post a new log from L2Mfix option #1.
  • 0

#7
cdelse
Posted 17 November 2005 - 08:40 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n44s0eh7eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{410EEA30-B6C1-ECBC-463B-A50985334A01}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{D76A6DE1-8E6A-406E-9D02-922FDCA5040A}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D76A6DE1-8E6A-406E-9D02-922FDCA5040A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D76A6DE1-8E6A-406E-9D02-922FDCA5040A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D76A6DE1-8E6A-406E-9D02-922FDCA5040A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D76A6DE1-8E6A-406E-9D02-922FDCA5040A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
appwiz.dll Sat Nov 12 2005 5:34:58p A.... 65,252 63.72 K
ati2cqag.dll Thu Oct 13 2005 10:40:00p A.... 233,472 228.00 K
ati2dvag.dll Thu Oct 13 2005 11:11:22p A.... 241,664 236.00 K
ati2edxx.dll Thu Oct 13 2005 11:07:08p A.... 39,936 39.00 K
ati2evxx.dll Thu Oct 13 2005 11:07:00p A.... 46,080 45.00 K
ati3duag.dll Thu Oct 13 2005 10:59:44p A.... 2,433,120 2.32 M
aticds10.dll Wed Sep 14 2005 8:05:00p A.... 368,640 360.00 K
atiddc.dll Thu Oct 13 2005 11:05:46p A.... 53,248 52.00 K
atidemgr.dll Thu Oct 13 2005 10:07:22p A.... 258,048 252.00 K
atiicdxx.dll Wed Sep 14 2005 8:05:00p A.... 380,928 372.00 K
atiiiexx.dll Thu Oct 13 2005 11:03:32p A.... 307,200 300.00 K
atikvmag.dll Thu Oct 13 2005 10:44:50p A.... 147,456 144.00 K
atioglx1.dll Thu Oct 13 2005 11:49:30p A.... 6,680,576 6.37 M
atioglxx.dll Sat Oct 15 2005 2:02:56p A.... 4,952,064 4.72 M
atipdlxx.dll Thu Oct 13 2005 11:07:28p A.... 106,496 104.00 K
atipdsxx.dll Wed Sep 14 2005 8:05:00p A.... 266,240 260.00 K
atippaxx.dll Wed Sep 14 2005 8:05:00p A.... 94,208 92.00 K
atipuixx.dll Wed Sep 14 2005 8:05:00p A.... 2,039,808 1.95 M
atitvo32.dll Thu Oct 13 2005 10:44:18p A.... 17,408 17.00 K
ativvaxx.dll Thu Oct 13 2005 10:55:10p A.... 601,760 587.66 K
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cmdlin~1.dll Mon Aug 29 2005 4:59:08p A.... 43,520 42.50 K
cmdlin~2.dll Sat Sep 24 2005 8:37:12p A.... 98,304 96.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
n44s0e~1.dll Thu Nov 17 2005 12:15:52a ..S.R 234,553 229.05 K
neroco.dll Thu Sep 15 2005 4:38:52p A.... 53,248 52.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
oemdspif.dll Thu Oct 13 2005 11:07:18p A.... 73,728 72.00 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
s2880c~1.dll Thu Nov 17 2005 12:29:08a ..S.R 235,435 229.91 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K

50 items found: 50 files (2 H/S), 0 directories.
Total of file sizes: 43,028,936 bytes 41.04 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu Nov 17 2005 12:31:08a ..... 234,553 229.05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 234,553 bytes 229.05 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Windows
Volume Serial Number is 3C18-E9E0

Directory of C:\WINDOWS\System32

11/17/2005 04:23 PM <DIR> dllcache
11/17/2005 12:29 AM 235,435 s2880cluefq80.dll
11/17/2005 12:15 AM 234,553 n44s0eh7eh4.dll
06/27/2005 09:38 AM 12,208 KGyGaAvL.sys
03/17/2005 09:06 AM 417,792 ??anregw.exe
11/27/2004 11:51 AM 32 {AC1A9EEF-CD52-4DD6-AD02-0872C9C673A9}.dat
11/27/2004 11:51 AM 32 {5B3C9234-DD75-4C80-8FF1-835933734257}.dat
11/27/2004 11:50 AM 32 {64B0E976-FD38-46A4-8FCC-00B1A69EF46B}.dat
11/27/2004 11:49 AM 32 {17CB1FFF-BDCE-4071-BFEA-2F46B47E098E}.dat
11/27/2004 11:49 AM 32 {0C43BF83-F04E-44F9-9DFA-A654BA5CD746}.dat
11/27/2004 11:49 AM 32 {74AEACF7-72FA-43DB-960A-CFD6EAE60F78}.dat
11/27/2004 11:48 AM 32 {B3B32CF1-B1DC-460C-B03A-F9F02959F025}.dat
11/23/2004 05:51 PM <DIR> Microsoft
11 File(s) 900,212 bytes
2 Dir(s) 14,125,158,400 bytes free
  • 0

#8
Buckeye_Sam
Posted 18 November 2005 - 08:24 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Download Pocket Killbox
  • Place it in a folder on your Desktop.
  • Extract Pocket KillBox from the zip file
  • Double-click on Killbox.exe to run the program.
  • At the bottom right of the main screen, click on the arrow to the right of System Process
    • (The area is to the left of the yellow triangle.)
    • Select the following entry: rundll32.exe
    • Now click the yellow triangle to End Task
    • Wait a few seconds, and check again for rundll32.exe, as it may reload!
      If so, End Task once again.
  • Next, select Standard File Kill
    • Highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:
      C:\WINDOWS\system32\n44s0eh7eh4.dll
      C:\WINDOWS\system32\s2880cluefq80.dll
      C:\WINDOWS\system32\guard.tmp

    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Use the down arrow to see the rest of the files.
    • Make sure CC:\WINDOWS\system32\guard.tmp appears on the list.
      • If not, click on the arrow to the right of System Process
      • Once again select the following entry: rundll32.exe
      • Click the yellow triangle to End Task
      • End Task on rundll32.exe until C:\WINDOWS\system32\guard.tmp is on the list!
    • Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Once again, use the down arrow to see the rest of the files.
      C:\WINDOWS\system32\guard.tmp must appear on the list!!
    • Press the button with a red circle and a white X (Delete File button)
    • Click Yes at the confirmation message that files will be deleted on next reboot
    • Click Yes at the request to reboot.
  • If you get an error message at this time, reboot manually.

Immediately after reboot, please run L2mFix option #2.



Then reboot once more and post a new log from L2MFix - option #1 and a new hijackthis log.
  • 0

#9
cdelse
Posted 19 November 2005 - 01:12 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
L2MFIX OPTION #2:
L2Mfix 1.04a

Running From:
C:\Documents and Settings\Chris\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Chris\Desktop\l2mfix

Running From:
C:\Documents and Settings\Chris\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 696 'smss.exe'
Error 0x6 : The handle is invalid.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 800 'winlogon.exe'
Error 0x6 : The handle is invalid.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2080 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1820 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\axi2dvag.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mficda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjhatm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\axi2dvag.dll
Successfully Deleted: C:\WINDOWS\system32\axi2dvag.dll
deleting: C:\WINDOWS\system32\mficda.dll
Successfully Deleted: C:\WINDOWS\system32\mficda.dll
deleting: C:\WINDOWS\system32\wjhatm.dll
Successfully Deleted: C:\WINDOWS\system32\wjhatm.dll
deleting: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: axi2dvag.dll (164 bytes security) (deflated 6%)
adding: mficda.dll (164 bytes security) (deflated 6%)
adding: wjhatm.dll (164 bytes security) (deflated 4%)
updating: guard.tmp (164 bytes security) (deflated 6%)
updating: clear.reg (164 bytes security) (deflated 22%)
updating: echo.reg (164 bytes security) (deflated 11%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
updating: direct.txt (164 bytes security) (stored 0%)
updating: flag.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 76%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: report.txt (164 bytes security) (deflated 65%)
updating: test.txt (164 bytes security) (deflated 56%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
updating: xfind.txt (164 bytes security) (deflated 50%)
updating: log.txt (164 bytes security) (deflated 76%)
updating: backregs/FDB3630F-C64C-47D5-B628-CA4590DFAC9E.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 87%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)
updating: backregs/D76A6DE1-8E6A-406E-9D02-922FDCA5040A.reg (164 bytes security) (deflated 70%)
adding: backregs/861B6517-08E2-42CB-A805-FFD4C5AC9394.reg (164 bytes security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: axi2dvag.dll
deleting local copy: mficda.dll
deleting local copy: wjhatm.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Fonts]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h62o0gf3e62.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\axi2dvag.dll
C:\WINDOWS\system32\mficda.dll
C:\WINDOWS\system32\wjhatm.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{861B6517-08E2-42CB-A805-FFD4C5AC9394}"=-
[-HKEY_CLASSES_ROOT\CLSID\{861B6517-08E2-42CB-A805-FFD4C5AC9394}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

L2MFIX OPTION #1:
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Fonts]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h62o0gf3e62.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{410EEA30-B6C1-ECBC-463B-A50985334A01}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
appwiz.dll Sat Nov 12 2005 5:34:58p A.... 65,252 63.72 K
ati2cqag.dll Thu Oct 13 2005 10:40:00p A.... 233,472 228.00 K
ati2dvag.dll Thu Oct 13 2005 11:11:22p A.... 241,664 236.00 K
ati2edxx.dll Thu Oct 13 2005 11:07:08p A.... 39,936 39.00 K
ati2evxx.dll Thu Oct 13 2005 11:07:00p A.... 46,080 45.00 K
ati3duag.dll Thu Oct 13 2005 10:59:44p A.... 2,433,120 2.32 M
aticds10.dll Wed Sep 14 2005 8:05:00p A.... 368,640 360.00 K
atiddc.dll Thu Oct 13 2005 11:05:46p A.... 53,248 52.00 K
atidemgr.dll Thu Oct 13 2005 10:07:22p A.... 258,048 252.00 K
atiicdxx.dll Wed Sep 14 2005 8:05:00p A.... 380,928 372.00 K
atiiiexx.dll Thu Oct 13 2005 11:03:32p A.... 307,200 300.00 K
atikvmag.dll Thu Oct 13 2005 10:44:50p A.... 147,456 144.00 K
atioglx1.dll Thu Oct 13 2005 11:49:30p A.... 6,680,576 6.37 M
atioglxx.dll Sat Oct 15 2005 2:02:56p A.... 4,952,064 4.72 M
atipdlxx.dll Thu Oct 13 2005 11:07:28p A.... 106,496 104.00 K
atipdsxx.dll Wed Sep 14 2005 8:05:00p A.... 266,240 260.00 K
atippaxx.dll Wed Sep 14 2005 8:05:00p A.... 94,208 92.00 K
atipuixx.dll Wed Sep 14 2005 8:05:00p A.... 2,039,808 1.95 M
atitvo32.dll Thu Oct 13 2005 10:44:18p A.... 17,408 17.00 K
ativvaxx.dll Thu Oct 13 2005 10:55:10p A.... 601,760 587.66 K
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cmdlin~1.dll Mon Aug 29 2005 4:59:08p A.... 43,520 42.50 K
cmdlin~2.dll Sat Sep 24 2005 8:37:12p A.... 98,304 96.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
h62o0g~1.dll Sat Nov 19 2005 1:14:54a ..S.R 237,007 231.45 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
ktrml7~1.dll Sat Nov 19 2005 12:07:34p ..S.R 233,846 228.36 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
neroco.dll Thu Sep 15 2005 4:38:52p A.... 53,248 52.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
oemdspif.dll Thu Oct 13 2005 11:07:18p A.... 73,728 72.00 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K

50 items found: 50 files (2 H/S), 0 directories.
Total of file sizes: 43,029,801 bytes 41.04 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Nov 19 2005 12:09:34p ..... 237,007 231.45 K

1 item found: 1 file, 0 directories.
Total of file sizes: 237,007 bytes 231.45 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Windows
Volume Serial Number is 3C18-E9E0

Directory of C:\WINDOWS\System32

11/19/2005 12:13 PM <DIR> dllcache
11/19/2005 12:07 PM 233,846 ktrml7911.dll
11/19/2005 01:14 AM 237,007 h62o0gf3e62.dll
06/27/2005 09:38 AM 12,208 KGyGaAvL.sys
03/17/2005 09:06 AM 417,792 ??anregw.exe
11/27/2004 11:51 AM 32 {AC1A9EEF-CD52-4DD6-AD02-0872C9C673A9}.dat
11/27/2004 11:51 AM 32 {5B3C9234-DD75-4C80-8FF1-835933734257}.dat
11/27/2004 11:50 AM 32 {64B0E976-FD38-46A4-8FCC-00B1A69EF46B}.dat
11/27/2004 11:49 AM 32 {17CB1FFF-BDCE-4071-BFEA-2F46B47E098E}.dat
11/27/2004 11:49 AM 32 {0C43BF83-F04E-44F9-9DFA-A654BA5CD746}.dat
11/27/2004 11:49 AM 32 {74AEACF7-72FA-43DB-960A-CFD6EAE60F78}.dat
11/27/2004 11:48 AM 32 {B3B32CF1-B1DC-460C-B03A-F9F02959F025}.dat
11/23/2004 05:51 PM <DIR> Microsoft
11 File(s) 901,077 bytes
2 Dir(s) 13,767,798,784 bytes free

HIJACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 12:14:06 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PowerDVD\PDVDServ.exe
D:\Winamp\Winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.../main.adp?fc=1"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101238363417
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/deltacvx.cab
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\h62o0gf3e62.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#10
Buckeye_Sam
Posted 19 November 2005 - 06:05 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download the trial version of WebRoot SpySweeper
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

Advertisements

#11
cdelse
Posted 19 November 2005 - 06:57 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
********
7:32 PM: | Start of Session, Saturday, November 19, 2005 |
7:32 PM: Spy Sweeper started
7:32 PM: Sweep initiated using definitions version 574
7:32 PM: Starting Memory Sweep
7:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:33 PM: Found Adware: icannnews
7:33 PM: Detected running threat: C:\WINDOWS\system32\h62o0gf3e62.dll (ID = 83)
7:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:34 PM: Memory Sweep Complete, Elapsed Time: 00:01:44
7:34 PM: Starting Registry Sweep
7:34 PM: Found Adware: look2me
7:34 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\setup\ (6 subtraces) (ID = 129941)
7:34 PM: Found Adware: minigolf
7:34 PM: HKCR\optionsfile\ (5 subtraces) (ID = 135049)
7:34 PM: HKLM\software\classes\optionsfile\ (5 subtraces) (ID = 135050)
7:34 PM: Found Trojan Horse: trojan-backdoor-zubox
7:34 PM: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
7:34 PM: HKCR\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650833)
7:34 PM: HKLM\software\windows\ || shots (ID = 650869)
7:34 PM: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
7:34 PM: HKLM\software\classes\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650873)
7:34 PM: Registry Sweep Complete, Elapsed Time:00:00:09
7:34 PM: Starting Cookie Sweep
7:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:34 PM: Starting File Sweep
7:35 PM: Found Adware: dealhelper
7:35 PM: igwmlpu3.xml (ID = 57652)
7:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:35 PM: Found Adware: internetoptimizer
7:35 PM: opt.exe (ID = 107288)
7:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:36 PM: cln760.tmp (ID = 107288)
7:37 PM: Found Adware: spysheriff
7:37 PM: secure32.html (ID = 184319)
7:37 PM: 00172419.dll (ID = 159)
7:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:38 PM: 00172442.dll (ID = 163672)
7:39 PM: 00175863.dll (ID = 159)
7:39 PM: igwmlpk2.xml (ID = 57648)
7:39 PM: igwmlpk.xml (ID = 57646)
7:39 PM: 00172645.dll (ID = 159)
7:39 PM: 00172646.dll (ID = 159)
7:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:40 PM: 00172437.dll (ID = 159)
7:40 PM: 00172415.dll (ID = 159)
7:40 PM: guard.tmp (ID = 159)
7:40 PM: Found Adware: purityscan
7:40 PM: ??anregw.exe (ID = 73087)
7:40 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-861567501-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Run || Dclmjrgg (ID = 0)
7:40 PM: 00175848.dll (ID = 159)
7:41 PM: 00175939.dll (ID = 159)
7:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:41 PM: g0400ahmed4a0.dll (ID = 159)
7:41 PM: 00175235.dll (ID = 159)
7:41 PM: igwmlpk1.xml (ID = 57647)
7:41 PM: 00175849.dll (ID = 159)
7:41 PM: g822lifo182c.dll (ID = 159)
7:42 PM: 00172425.dll (ID = 159)
7:42 PM: 00172424.dll (ID = 159)
7:42 PM: 00175168.dll (ID = 159)
7:42 PM: 00172421.dll (ID = 159)
7:42 PM: 00172443.dll (ID = 159)
7:42 PM: 00172637.dll (ID = 159)
7:42 PM: 00172638.dll (ID = 159)
7:42 PM: 00175094.dll (ID = 159)
7:42 PM: 00175096.dll (ID = 159)
7:42 PM: 00172655.dll (ID = 159)
7:42 PM: 00172656.dll (ID = 159)
7:42 PM: 00172427.dll (ID = 159)
7:42 PM: 00172649.dll (ID = 159)
7:42 PM: 00172650.dll (ID = 159)
7:42 PM: 00172445.dll (ID = 159)
7:42 PM: 00172657.dll (ID = 159)
7:42 PM: 00172658.dll (ID = 159)
7:42 PM: 00175913.dll (ID = 159)
7:42 PM: 00175902.dll (ID = 159)
7:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:42 PM: 00172417.dll (ID = 159)
7:42 PM: 00172398.dll (ID = 159)
7:42 PM: 00172414.dll (ID = 159)
7:42 PM: 00172438.dll (ID = 159)
7:42 PM: 00172643.dll (ID = 159)
7:42 PM: 00172644.dll (ID = 159)
7:42 PM: 00174568.dll (ID = 159)
7:42 PM: 00174953.dll (ID = 159)
7:43 PM: dnjm0111e.dll (ID = 159)
7:43 PM: 00175165.dll (ID = 159)
7:43 PM: 00174602.dll (ID = 159)
7:43 PM: 00172423.dll (ID = 159)
7:43 PM: 00175703.dll (ID = 159)
7:43 PM: k662lgjo16oc.dll (ID = 159)
7:43 PM: 00175447.dll (ID = 159)
7:43 PM: 00174942.dll (ID = 159)
7:43 PM: 00175864.dll (ID = 159)
7:43 PM: 00175110.dll (ID = 159)
7:43 PM: 00175111.dll (ID = 159)
7:43 PM: twflog.dll (ID = 159)
7:43 PM: 00175112.dll (ID = 159)
7:43 PM: 00175103.dll (ID = 159)
7:43 PM: 00175104.dll (ID = 159)
7:43 PM: 00175107.dll (ID = 159)
7:43 PM: 00172420.dll (ID = 159)
7:43 PM: 00172641.dll (ID = 159)
7:43 PM: 00172642.dll (ID = 159)
7:43 PM: 00174937.dll (ID = 159)
7:43 PM: 00172444.dll (ID = 159)
7:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:43 PM: 00172436.dll (ID = 159)
7:43 PM: 00174611.dll (ID = 159)
7:43 PM: 00175448.dll (ID = 159)
7:43 PM: 00175245.dll (ID = 159)
7:43 PM: 00175901.dll (ID = 159)
7:43 PM: 00172633.dll (ID = 159)
7:43 PM: 00172634.dll (ID = 159)
7:43 PM: 00172440.dll (ID = 159)
7:43 PM: 00172426.dll (ID = 159)
7:43 PM: guard.tmp (ID = 159)
7:43 PM: 00172441.dll (ID = 159)
7:43 PM: 00172432.dll (ID = 159)
7:43 PM: 00172435.dll (ID = 159)
7:43 PM: 00172659.dll (ID = 159)
7:43 PM: 00172660.dll (ID = 159)
7:43 PM: 00172661.dll (ID = 163672)
7:43 PM: mv8ol9l31.dll (ID = 159)
7:43 PM: 00174935.dll (ID = 159)
7:43 PM: 00172109.dll (ID = 159)
7:43 PM: 00172429.dll (ID = 159)
7:43 PM: 00172428.dll (ID = 159)
7:43 PM: 00175449.dll (ID = 159)
7:43 PM: 00175887.dll (ID = 159)
7:43 PM: 00172328.dll (ID = 159)
7:43 PM: 00175113.dll (ID = 159)
7:43 PM: h62o0gf3e62.dll (ID = 159)
7:43 PM: 00172431.dll (ID = 159)
7:43 PM: 00172639.dll (ID = 159)
7:43 PM: 00172640.dll (ID = 159)
7:43 PM: 00172651.dll (ID = 159)
7:43 PM: 00172652.dll (ID = 159)
7:43 PM: 00175179.dll (ID = 159)
7:43 PM: 00174873.dll (ID = 159)
7:43 PM: 00174954.dll (ID = 159)
7:43 PM: 00175093.dll (ID = 159)
7:43 PM: 00172635.dll (ID = 163672)
7:43 PM: 00172636.dll (ID = 159)
7:43 PM: 00175702.dll (ID = 159)
7:43 PM: lv8609lse.dll (ID = 159)
7:43 PM: e4200efmeh2a0.dll (ID = 159)
7:43 PM: 00172430.dll (ID = 159)
7:43 PM: 00172439.dll (ID = 159)
7:43 PM: 00175246.dll (ID = 159)
7:43 PM: 00172412.dll (ID = 163672)
7:43 PM: 00175126.dll (ID = 159)
7:43 PM: 00175128.dll (ID = 159)
7:43 PM: 00175129.dll (ID = 159)
7:43 PM: 00175167.dll (ID = 159)
7:43 PM: 00175687.dll (ID = 159)
7:43 PM: 00172662.dll (ID = 159)
7:43 PM: 00172663.dll (ID = 159)
7:43 PM: 00172664.dll (ID = 159)
7:43 PM: 00172631.dll (ID = 163672)
7:43 PM: 00172632.dll (ID = 159)
7:43 PM: 00172422.dll (ID = 159)
7:43 PM: 00172653.dll (ID = 159)
7:43 PM: 00172654.dll (ID = 159)
7:43 PM: 00175632.dll (ID = 159)
7:43 PM: 00172413.dll (ID = 159)
7:43 PM: 00172665.dll (ID = 159)
7:44 PM: 00175656.dll (ID = 159)
7:44 PM: 00175688.dll (ID = 159)
7:44 PM: 00172434.dll (ID = 159)
7:44 PM: 00172446.dll (ID = 159)
7:44 PM: 00175878.dll (ID = 159)
7:44 PM: 00172647.dll (ID = 159)
7:44 PM: 00172648.dll (ID = 159)
7:44 PM: 00172418.dll (ID = 159)
7:44 PM: Found Trojan Horse: spamrelayer_alpiok
7:44 PM: hjijedpp.exe (ID = 183253)
7:44 PM: 00174943.dll (ID = 159)
7:44 PM: Found Trojan Horse: trojan-backdoor-us15info
7:44 PM: countrydial.exe (ID = 183857)
7:44 PM: ktrml7911.dll (ID = 159)
7:44 PM: 00172433.dll (ID = 159)
7:44 PM: 00172416.dll (ID = 163672)
7:44 PM: fnj0211mg.dll (ID = 159)
7:44 PM: 00175886.dll (ID = 159)
7:44 PM: Found Trojan Horse: trojan-backdoor-securemulti
7:44 PM: sstray.exe (ID = 192569)
7:44 PM: tool4.exe (ID = 183857)
7:44 PM: tool5.exe (ID = 183857)
7:44 PM: 00174781.dll (ID = 159)
7:44 PM: 00175657.dll (ID = 159)
7:44 PM: 00174938.dll (ID = 159)
7:44 PM: 00174944.dll (ID = 159)
7:44 PM: 00175098.dll (ID = 159)
7:44 PM: 00175099.dll (ID = 159)
7:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:44 PM: 00175244.dll (ID = 159)
7:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:49 PM: File Sweep Complete, Elapsed Time: 00:15:08
7:49 PM: Full Sweep has completed. Elapsed time 00:17:11
7:49 PM: Traces Found: 188
7:50 PM: Removal process initiated
7:50 PM: Quarantining All Traces: icannnews
7:50 PM: icannnews is in use. It will be removed on reboot.
7:50 PM: C:\WINDOWS\system32\h62o0gf3e62.dll is in use. It will be removed on reboot.
7:50 PM: Quarantining All Traces: look2me
7:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:51 PM: look2me is in use. It will be removed on reboot.
7:51 PM: mv8ol9l31.dll is in use. It will be removed on reboot.
7:51 PM: h62o0gf3e62.dll is in use. It will be removed on reboot.
7:51 PM: Quarantining All Traces: purityscan
7:51 PM: Quarantining All Traces: spamrelayer_alpiok
7:51 PM: Quarantining All Traces: spysheriff
7:51 PM: Quarantining All Traces: trojan-backdoor-securemulti
7:51 PM: Quarantining All Traces: trojan-backdoor-us15info
7:51 PM: Quarantining All Traces: trojan-backdoor-zubox
7:51 PM: Quarantining All Traces: internetoptimizer
7:51 PM: Quarantining All Traces: dealhelper
7:51 PM: Quarantining All Traces: minigolf
7:51 PM: Preparing to restart your computer. Please wait...
7:51 PM: Removal process completed. Elapsed time 00:01:19
********
7:31 PM: | Start of Session, Saturday, November 19, 2005 |
7:31 PM: Spy Sweeper started
7:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
  • 0

#12
Buckeye_Sam
Posted 20 November 2005 - 08:22 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please post a new hijackthis log and a new log from L2Mfix option #1.
  • 0

#13
cdelse
Posted 20 November 2005 - 07:22 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{410EEA30-B6C1-ECBC-463B-A50985334A01}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{EEF707EF-63A2-49A8-BF47-D736C24C9E5E}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
appwiz.dll Sat Nov 12 2005 5:34:58p A.... 65,252 63.72 K
ati2cqag.dll Thu Oct 13 2005 10:40:00p A.... 233,472 228.00 K
ati2dvag.dll Thu Oct 13 2005 11:11:22p A.... 241,664 236.00 K
ati2edxx.dll Thu Oct 13 2005 11:07:08p A.... 39,936 39.00 K
ati2evxx.dll Thu Oct 13 2005 11:07:00p A.... 46,080 45.00 K
ati3duag.dll Thu Oct 13 2005 10:59:44p A.... 2,433,120 2.32 M
aticds10.dll Wed Sep 14 2005 8:05:00p A.... 368,640 360.00 K
atiddc.dll Thu Oct 13 2005 11:05:46p A.... 53,248 52.00 K
atidemgr.dll Thu Oct 13 2005 10:07:22p A.... 258,048 252.00 K
atiicdxx.dll Wed Sep 14 2005 8:05:00p A.... 380,928 372.00 K
atiiiexx.dll Thu Oct 13 2005 11:03:32p A.... 307,200 300.00 K
atikvmag.dll Thu Oct 13 2005 10:44:50p A.... 147,456 144.00 K
atioglx1.dll Thu Oct 13 2005 11:49:30p A.... 6,680,576 6.37 M
atioglxx.dll Sat Oct 15 2005 2:02:56p A.... 4,952,064 4.72 M
atipdlxx.dll Thu Oct 13 2005 11:07:28p A.... 106,496 104.00 K
atipdsxx.dll Wed Sep 14 2005 8:05:00p A.... 266,240 260.00 K
atippaxx.dll Wed Sep 14 2005 8:05:00p A.... 94,208 92.00 K
atipuixx.dll Wed Sep 14 2005 8:05:00p A.... 2,039,808 1.95 M
atitvo32.dll Thu Oct 13 2005 10:44:18p A.... 17,408 17.00 K
ativvaxx.dll Thu Oct 13 2005 10:55:10p A.... 601,760 587.66 K
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
cmdlin~1.dll Mon Aug 29 2005 4:59:08p A.... 43,520 42.50 K
cmdlin~2.dll Sat Sep 24 2005 8:37:12p A.... 98,304 96.00 K
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
neroco.dll Thu Sep 15 2005 4:38:52p A.... 53,248 52.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
oemdspif.dll Thu Oct 13 2005 11:07:18p A.... 73,728 72.00 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K
wrlogo~1.dll Wed Nov 16 2005 2:38:16p A.... 492,544 481.00 K
wrlzma.dll Wed Nov 16 2005 2:38:12p A.... 17,920 17.50 K

50 items found: 50 files, 0 directories.
Total of file sizes: 43,069,412 bytes 41.07 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Windows
Volume Serial Number is 3C18-E9E0

Directory of C:\WINDOWS\System32

11/20/2005 10:45 AM <DIR> dllcache
06/27/2005 09:38 AM 12,208 KGyGaAvL.sys
11/27/2004 11:51 AM 32 {AC1A9EEF-CD52-4DD6-AD02-0872C9C673A9}.dat
11/27/2004 11:51 AM 32 {5B3C9234-DD75-4C80-8FF1-835933734257}.dat
11/27/2004 11:50 AM 32 {64B0E976-FD38-46A4-8FCC-00B1A69EF46B}.dat
11/27/2004 11:49 AM 32 {17CB1FFF-BDCE-4071-BFEA-2F46B47E098E}.dat
11/27/2004 11:49 AM 32 {0C43BF83-F04E-44F9-9DFA-A654BA5CD746}.dat
11/27/2004 11:49 AM 32 {74AEACF7-72FA-43DB-960A-CFD6EAE60F78}.dat
11/27/2004 11:48 AM 32 {B3B32CF1-B1DC-460C-B03A-F9F02959F025}.dat
11/23/2004 05:51 PM <DIR> Microsoft
8 File(s) 12,432 bytes
2 Dir(s) 14,944,567,296 bytes free


Logfile of HijackThis v1.99.1
Scan saved at 8:22:37 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PowerDVD\PDVDServ.exe
D:\Winamp\Winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\games\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.../main.adp?fc=1"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101238363417
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/deltacvx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#14
Buckeye_Sam
Posted 21 November 2005 - 03:20 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
That did it. Your log is clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
  • 0

#15
cdelse
Posted 21 November 2005 - 06:01 PM

cdelse

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you very much for all your help. I appreciate it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP