Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

[RESOLVED] Rundll Umonitor errors


  • This topic is locked This topic is locked

#1
Extreme

Extreme

    New Member

  • Member
  • Pip
  • 9 posts
I have been Umonitor, VX2, Coolweb errors for some time now and Adaware and Spybot doesn't seem to get rid of this junk. Please help. Here is a list of my Hijack this log.

Logfile of HijackThis v1.99.0
Scan saved at 4:54:38 PM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Very much appreciate any help you can offer
  • 0

Advertisements


#2
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here are the results of the L2MFIX log.

L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4j6le1s1h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BF4041CD-5EC4-478C-82EE-7F10D76891EF}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}"=""
"{C89C69E2-4AAC-45EE-B31D-093EAD498F30}"=""
"{9F24CB14-4434-4C95-AC1C-121544E169D0}"=""
"{AC35D345-BB5B-4093-A6DF-EAE5D5CEC961}"=""
"{E8E3E0B4-0843-41E9-AE59-7B00784EBF09}"=""
"{FC714565-C08A-4E38-A9B8-642C6FF624DE}"=""
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}"=""
"{6BE537BA-237F-412C-9637-57E0AC086C66}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}\InprocServer32]
@="C:\\WINDOWS\\system32\\spclient.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}\InprocServer32]
@="C:\\WINDOWS\\system32\\irsecsnp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\dfnmodem.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
acl.dll Mon Jan 10 2005 4:06:46p ..S.R 223,555 218.31 K
amledit.dll Sat Jan 8 2005 6:43:52a ..... 224,704 219.44 K
aovpack.dll Sat Jan 8 2005 6:16:50a ..... 224,704 219.44 K
ciodm.dll Thu Oct 28 2004 10:45:58a ..... 64,512 63.00 K
cscdll.dll Wed Oct 27 2004 8:29:54p ..... 92,160 90.00 K
d0ce0c~1.dll Sat Jan 22 2005 5:24:16p A.... 204,800 200.00 K
dhvvox.dll Fri Jan 14 2005 10:44:44p ..S.R 223,739 218.49 K
dneml.dll Mon Jan 10 2005 7:39:30p ..S.R 223,739 218.49 K
dosync.dll Sat Jan 15 2005 11:24:06a A.... 114,688 112.00 K
drlayx.dll Mon Jan 10 2005 7:33:20p A.... 223,775 218.53 K
dxcompos.dll Sun Jan 9 2005 8:43:12p ..... 224,560 219.30 K
e6f1873b.dll Sat Jan 22 2005 5:19:12p A.... 147,456 144.00 K
eeapi2.dll Mon Jan 10 2005 8:01:54p A.... 225,776 220.48 K
fprq03~1.dll Sat Jan 15 2005 9:04:30a ..... 223,739 218.49 K
g6jolg~1.dll Sun Jan 9 2005 11:59:06a ..... 224,932 219.66 K
gccoll~1.dll Fri Dec 31 2004 3:00:00p A.... 134,880 131.72 K
gcmd5q~1.dll Fri Jan 14 2005 10:48:06p A.... 10,752 10.50 K
gcunco~1.dll Fri Dec 31 2004 1:14:32p A.... 130,272 127.22 K
hashlib.dll Fri Dec 31 2004 3:00:00p A.... 81,120 79.22 K
hypertrm.dll Wed Nov 17 2004 12:57:02p ..... 493,056 481.50 K
ihxsap.dll Sat Jan 8 2005 8:04:10a ..... 223,146 217.91 K
irrql5~1.dll Sun Jan 9 2005 1:07:06p ..... 223,616 218.38 K
j4j6le~1.dll Sat Jan 22 2005 6:05:14p A.... 224,680 219.41 K
j4n20e~1.dll Sun Jan 9 2005 11:29:24a ..... 223,870 218.62 K
jtpl400.dll Sun Jan 9 2005 11:25:56a ..... 223,146 217.91 K
k0080a~1.dll Sat Jan 15 2005 10:43:26a ..S.R 226,148 220.85 K
khdaze.dll Sun Jan 9 2005 8:44:42p ..... 223,930 218.68 K
l02s0a~1.dll Sun Jan 9 2005 1:43:42p ..... 223,616 218.38 K
l8r00i~1.dll Mon Jan 24 2005 3:50:08p ..S.R 224,778 219.51 K
lsasrv.dll Wed Oct 27 2004 8:29:54p ..... 681,984 666.00 K
miapsspc.dll Sun Jan 9 2005 11:14:20a ..... 223,616 218.38 K
mlhtml.dll Fri Jan 14 2005 11:18:54p ..S.R 223,739 218.49 K
muvidctl.dll Mon Jan 10 2005 7:29:36p ..S.R 223,739 218.49 K
npsmsg.dll Mon Jan 10 2005 8:42:34p ..S.R 223,807 218.56 K
pncrt.dll Sun Dec 12 2004 6:05:12p ..... 278,528 272.00 K
pndx5016.dll Sun Dec 12 2004 6:05:12p ..... 6,656 6.50 K
pndx5032.dll Sun Dec 12 2004 6:05:12p ..... 5,632 5.50 K
query.dll Thu Oct 28 2004 10:46:00a ..... 1,350,144 1.29 M
risapi32.dll Mon Jan 10 2005 3:58:28p ..... 226,036 220.74 K
rmoc3260.dll Sun Dec 12 2004 6:05:16p ..... 176,167 172.04 K
rtpwsx.dll Sat Jan 8 2005 6:33:46a ..... 223,146 217.91 K
shdocvw.dll Thu Nov 11 2004 11:20:56p ..... 1,332,224 1.27 M
shsvcs.dll Wed Oct 27 2004 8:29:54p ..... 116,736 114.00 K
sinike.dll Thu Jan 20 2005 8:51:56p A.... 222,295 217.08 K
spmsg.dll Tue Nov 30 2004 2:46:38p ..... 7,168 7.00 K
sporder.dll Wed Jan 5 2005 6:46:42p ..... 8,464 8.27 K
t88uli~1.dll Sun Jan 9 2005 1:36:42p ..... 223,616 218.38 K
user32.dll Tue Dec 28 2004 8:31:44p ..... 574,464 561.00 K
wonsta.dll Fri Jan 14 2005 11:02:30p ..S.R 224,542 219.28 K

49 items found: 49 files (9 H/S), 0 directories.
Total of file sizes: 12,286,552 bytes 11.71 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Jan 24 2005 4:13:08p ..... 224,680 219.41 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224,680 bytes 219.41 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 40D5-28B4

Directory of C:\WINDOWS\System32

01/24/2005 03:50 PM <DIR> dllcache
01/24/2005 03:50 PM 224,778 l8r00i9me8.dll
01/15/2005 10:43 AM 226,148 k0080adued080.dll
01/14/2005 11:18 PM 223,739 MLHTML.DLL
01/14/2005 11:02 PM 224,542 wonsta.dll
01/14/2005 10:44 PM 223,739 dhvvox.dll
01/10/2005 08:42 PM 223,807 NPSMsg.DLL
01/10/2005 07:39 PM 223,739 dneml.dll
01/10/2005 07:29 PM 223,739 muvidctl.dll
01/10/2005 05:32 PM 32 {369B0E0D-8EC6-4720-8FDF-05843C280080}.dat
01/10/2005 04:06 PM 223,555 acl.dll
02/05/2003 02:20 PM <DIR> Microsoft
10 File(s) 2,017,818 bytes
2 Dir(s) 70,076,186,624 bytes free
  • 0

#3
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

-=jonnyrotten=- :tazz:
  • 0

#4
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for the quick response. Here is the updated L2Mfix log

L2Mfix 1.02

Running From:
C:\Documents and Settings\user\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\user\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\user\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1484 'explorer.exe'
Killing PID 1484 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1724 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\acl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\amledit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aovpack.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhvvox.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dneml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\drlayx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\EEAPI2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en20l1fm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fprq0395e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g6jolg1316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ihxsap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irrql5951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j4n20e5oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtpl400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0080adued080.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\khdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l02s0af7ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miapsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MLHTML.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NPSMsg.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PTDLIB32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIsapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rtpwsx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sinike.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sxlwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t88ulil918q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wonsta.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\acl.dll
Successfully Deleted: C:\WINDOWS\system32\acl.dll
deleting: C:\WINDOWS\system32\amledit.dll
Successfully Deleted: C:\WINDOWS\system32\amledit.dll
deleting: C:\WINDOWS\system32\aovpack.dll
Successfully Deleted: C:\WINDOWS\system32\aovpack.dll
deleting: C:\WINDOWS\system32\dhvvox.dll
Successfully Deleted: C:\WINDOWS\system32\dhvvox.dll
deleting: C:\WINDOWS\system32\dneml.dll
Successfully Deleted: C:\WINDOWS\system32\dneml.dll
deleting: C:\WINDOWS\system32\drlayx.dll
Successfully Deleted: C:\WINDOWS\system32\drlayx.dll
deleting: C:\WINDOWS\system32\dxcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dxcompos.dll
deleting: C:\WINDOWS\system32\EEAPI2.dll
Successfully Deleted: C:\WINDOWS\system32\EEAPI2.dll
deleting: C:\WINDOWS\system32\en20l1fm1.dll
Successfully Deleted: C:\WINDOWS\system32\en20l1fm1.dll
deleting: C:\WINDOWS\system32\fprq0395e.dll
Successfully Deleted: C:\WINDOWS\system32\fprq0395e.dll
deleting: C:\WINDOWS\system32\g6jolg1316.dll
Successfully Deleted: C:\WINDOWS\system32\g6jolg1316.dll
deleting: C:\WINDOWS\system32\ihxsap.dll
Successfully Deleted: C:\WINDOWS\system32\ihxsap.dll
deleting: C:\WINDOWS\system32\irrql5951.dll
Successfully Deleted: C:\WINDOWS\system32\irrql5951.dll
deleting: C:\WINDOWS\system32\j4n20e5oeh.dll
Successfully Deleted: C:\WINDOWS\system32\j4n20e5oeh.dll
deleting: C:\WINDOWS\system32\jtpl400.dll
Successfully Deleted: C:\WINDOWS\system32\jtpl400.dll
deleting: C:\WINDOWS\system32\k0080adued080.dll
Successfully Deleted: C:\WINDOWS\system32\k0080adued080.dll
deleting: C:\WINDOWS\system32\khdaze.dll
Successfully Deleted: C:\WINDOWS\system32\khdaze.dll
deleting: C:\WINDOWS\system32\l02s0af7ed2.dll
Successfully Deleted: C:\WINDOWS\system32\l02s0af7ed2.dll
deleting: C:\WINDOWS\system32\miapsspc.dll
Successfully Deleted: C:\WINDOWS\system32\miapsspc.dll
deleting: C:\WINDOWS\system32\MLHTML.DLL
Successfully Deleted: C:\WINDOWS\system32\MLHTML.DLL
deleting: C:\WINDOWS\system32\muvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\muvidctl.dll
deleting: C:\WINDOWS\system32\NPSMsg.DLL
Successfully Deleted: C:\WINDOWS\system32\NPSMsg.DLL
deleting: C:\WINDOWS\system32\PTDLIB32.DLL
Successfully Deleted: C:\WINDOWS\system32\PTDLIB32.DLL
deleting: C:\WINDOWS\system32\rIsapi32.dll
Successfully Deleted: C:\WINDOWS\system32\rIsapi32.dll
deleting: C:\WINDOWS\system32\rtpwsx.dll
Successfully Deleted: C:\WINDOWS\system32\rtpwsx.dll
deleting: C:\WINDOWS\system32\sinike.dll
Successfully Deleted: C:\WINDOWS\system32\sinike.dll
deleting: C:\WINDOWS\system32\sxlwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sxlwoa.dll
deleting: C:\WINDOWS\system32\t88ulil918q.dll
Successfully Deleted: C:\WINDOWS\system32\t88ulil918q.dll
deleting: C:\WINDOWS\system32\wonsta.dll
Successfully Deleted: C:\WINDOWS\system32\wonsta.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: acl.dll (164 bytes security) (deflated 4%)
adding: amledit.dll (164 bytes security) (deflated 4%)
adding: aovpack.dll (164 bytes security) (deflated 4%)
adding: dhvvox.dll (164 bytes security) (deflated 4%)
adding: dneml.dll (164 bytes security) (deflated 4%)
adding: drlayx.dll (164 bytes security) (deflated 4%)
adding: dxcompos.dll (164 bytes security) (deflated 4%)
adding: EEAPI2.dll (164 bytes security) (deflated 5%)
adding: en20l1fm1.dll (164 bytes security) (deflated 5%)
adding: fprq0395e.dll (164 bytes security) (deflated 4%)
adding: g6jolg1316.dll (164 bytes security) (deflated 4%)
adding: ihxsap.dll (164 bytes security) (deflated 3%)
adding: irrql5951.dll (164 bytes security) (deflated 4%)
adding: j4n20e5oeh.dll (164 bytes security) (deflated 4%)
adding: jtpl400.dll (164 bytes security) (deflated 3%)
adding: k0080adued080.dll (164 bytes security) (deflated 5%)
adding: khdaze.dll (164 bytes security) (deflated 4%)
adding: l02s0af7ed2.dll (164 bytes security) (deflated 4%)
adding: miapsspc.dll (164 bytes security) (deflated 4%)
adding: MLHTML.DLL (164 bytes security) (deflated 4%)
adding: muvidctl.dll (164 bytes security) (deflated 4%)
adding: NPSMsg.DLL (164 bytes security) (deflated 4%)
adding: PTDLIB32.DLL (164 bytes security) (deflated 4%)
adding: rIsapi32.dll (164 bytes security) (deflated 5%)
adding: rtpwsx.dll (164 bytes security) (deflated 3%)
adding: sinike.dll (164 bytes security) (deflated 3%)
adding: sxlwoa.dll (164 bytes security) (deflated 4%)
adding: t88ulil918q.dll (164 bytes security) (deflated 4%)
adding: wonsta.dll (164 bytes security) (deflated 4%)
adding: cecho.reg (164 bytes security) (deflated 2%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 48%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 80%)
adding: test2.txt (164 bytes security) (deflated 44%)
adding: xfind.txt (164 bytes security) (deflated 74%)
adding: backregs/6BE537BA-237F-412C-9637-57E0AC086C66.reg (164 bytes security) (deflated 70%)
adding: backregs/AD31A2D4-DD44-4014-B81C-4F22A8F7E02E.reg (164 bytes security) (deflated 70%)
adding: backregs/ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC.reg (164 bytes security) (deflated 70%)
adding: backregs/DD3901F3-09BD-4AF4-8941-B741EEA2F9E3.reg (164 bytes security) (deflated 70%)
adding: backregs/FC714565-C08A-4E38-A9B8-642C6FF624DE.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: acl.dll
deleting local copy: amledit.dll
deleting local copy: aovpack.dll
deleting local copy: dhvvox.dll
deleting local copy: dneml.dll
deleting local copy: drlayx.dll
deleting local copy: dxcompos.dll
deleting local copy: EEAPI2.dll
deleting local copy: en20l1fm1.dll
deleting local copy: fprq0395e.dll
deleting local copy: g6jolg1316.dll
deleting local copy: ihxsap.dll
deleting local copy: irrql5951.dll
deleting local copy: j4n20e5oeh.dll
deleting local copy: jtpl400.dll
deleting local copy: k0080adued080.dll
deleting local copy: khdaze.dll
deleting local copy: l02s0af7ed2.dll
deleting local copy: miapsspc.dll
deleting local copy: MLHTML.DLL
deleting local copy: muvidctl.dll
deleting local copy: NPSMsg.DLL
deleting local copy: PTDLIB32.DLL
deleting local copy: rIsapi32.dll
deleting local copy: rtpwsx.dll
deleting local copy: sinike.dll
deleting local copy: sxlwoa.dll
deleting local copy: t88ulil918q.dll
deleting local copy: wonsta.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\acl.dll
C:\WINDOWS\system32\amledit.dll
C:\WINDOWS\system32\aovpack.dll
C:\WINDOWS\system32\dhvvox.dll
C:\WINDOWS\system32\dneml.dll
C:\WINDOWS\system32\drlayx.dll
C:\WINDOWS\system32\dxcompos.dll
C:\WINDOWS\system32\EEAPI2.dll
C:\WINDOWS\system32\en20l1fm1.dll
C:\WINDOWS\system32\fprq0395e.dll
C:\WINDOWS\system32\g6jolg1316.dll
C:\WINDOWS\system32\ihxsap.dll
C:\WINDOWS\system32\irrql5951.dll
C:\WINDOWS\system32\j4n20e5oeh.dll
C:\WINDOWS\system32\jtpl400.dll
C:\WINDOWS\system32\k0080adued080.dll
C:\WINDOWS\system32\khdaze.dll
C:\WINDOWS\system32\l02s0af7ed2.dll
C:\WINDOWS\system32\miapsspc.dll
C:\WINDOWS\system32\MLHTML.DLL
C:\WINDOWS\system32\muvidctl.dll
C:\WINDOWS\system32\NPSMsg.DLL
C:\WINDOWS\system32\PTDLIB32.DLL
C:\WINDOWS\system32\rIsapi32.dll
C:\WINDOWS\system32\rtpwsx.dll
C:\WINDOWS\system32\sinike.dll
C:\WINDOWS\system32\sxlwoa.dll
C:\WINDOWS\system32\t88ulil918q.dll
C:\WINDOWS\system32\wonsta.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}"=-
"{C89C69E2-4AAC-45EE-B31D-093EAD498F30}"=-
"{9F24CB14-4434-4C95-AC1C-121544E169D0}"=-
"{AC35D345-BB5B-4093-A6DF-EAE5D5CEC961}"=-
"{E8E3E0B4-0843-41E9-AE59-7B00784EBF09}"=-
"{FC714565-C08A-4E38-A9B8-642C6FF624DE}"=-
"{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}"=-
"{6BE537BA-237F-412C-9637-57E0AC086C66}"=-
"{DD3901F3-09BD-4AF4-8941-B741EEA2F9E3}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}]
[-HKEY_CLASSES_ROOT\CLSID\{C89C69E2-4AAC-45EE-B31D-093EAD498F30}]
[-HKEY_CLASSES_ROOT\CLSID\{9F24CB14-4434-4C95-AC1C-121544E169D0}]
[-HKEY_CLASSES_ROOT\CLSID\{AC35D345-BB5B-4093-A6DF-EAE5D5CEC961}]
[-HKEY_CLASSES_ROOT\CLSID\{E8E3E0B4-0843-41E9-AE59-7B00784EBF09}]
[-HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}]
[-HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}]
[-HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}]
[-HKEY_CLASSES_ROOT\CLSID\{DD3901F3-09BD-4AF4-8941-B741EEA2F9E3}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BF4041CD-5EC4-478C-82EE-7F10D76891EF}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{BF4041CD-5EC4-478C-82EE-7F10D76891EF}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************



Here is the updated Hijackthis log



Logfile of HijackThis v1.99.0
Scan saved at 7:49:06 PM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Thanks again
  • 0

#5
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I'm not sure if the log.txt is the the log you're looking for. Here is L2MFix logfile.

L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ciodm.dll Thu Oct 28 2004 10:45:58a ..... 64,512 63.00 K
cscdll.dll Wed Oct 27 2004 8:29:54p ..... 92,160 90.00 K
d0ce0c~1.dll Sat Jan 22 2005 5:24:16p A.... 204,800 200.00 K
dosync.dll Sat Jan 15 2005 11:24:06a A.... 114,688 112.00 K
e6f1873b.dll Sat Jan 22 2005 5:19:12p A.... 147,456 144.00 K
gccoll~1.dll Fri Dec 31 2004 3:00:00p A.... 134,880 131.72 K
gcmd5q~1.dll Fri Jan 14 2005 10:48:06p A.... 10,752 10.50 K
gcunco~1.dll Fri Dec 31 2004 1:14:32p A.... 130,272 127.22 K
hashlib.dll Fri Dec 31 2004 3:00:00p A.... 81,120 79.22 K
hypertrm.dll Wed Nov 17 2004 12:57:02p ..... 493,056 481.50 K
lsasrv.dll Wed Oct 27 2004 8:29:54p ..... 681,984 666.00 K
pncrt.dll Sun Dec 12 2004 6:05:12p ..... 278,528 272.00 K
pndx5016.dll Sun Dec 12 2004 6:05:12p ..... 6,656 6.50 K
pndx5032.dll Sun Dec 12 2004 6:05:12p ..... 5,632 5.50 K
query.dll Thu Oct 28 2004 10:46:00a ..... 1,350,144 1.29 M
rmoc3260.dll Sun Dec 12 2004 6:05:16p ..... 176,167 172.04 K
shdocvw.dll Thu Nov 11 2004 11:20:56p ..... 1,332,224 1.27 M
shsvcs.dll Wed Oct 27 2004 8:29:54p ..... 116,736 114.00 K
spmsg.dll Tue Nov 30 2004 2:46:38p ..... 7,168 7.00 K
sporder.dll Wed Jan 5 2005 6:46:42p ..... 8,464 8.27 K
user32.dll Tue Dec 28 2004 8:31:44p ..... 574,464 561.00 K

21 items found: 21 files, 0 directories.
Total of file sizes: 6,011,863 bytes 5.73 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 40D5-28B4

Directory of C:\WINDOWS\System32

01/24/2005 07:38 PM <DIR> dllcache
01/10/2005 05:32 PM 32 {369B0E0D-8EC6-4720-8FDF-05843C280080}.dat
02/05/2003 02:20 PM <DIR> Microsoft
1 File(s) 32 bytes
2 Dir(s) 70,020,591,616 bytes free
  • 0

#6
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Looks good, lets clean the Hijack This log now.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Reboot and post a new Hijack This log.

-=jonnyrotten=- :tazz:
  • 0

#7
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for you help, I really appreciate it. Here is the new Hijackthislog file. :tazz:

Logfile of HijackThis v1.99.0
Scan saved at 6:27:09 AM, on 1/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
  • 0

#8
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0

#9
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
You guys are awesome. I really appreciate your help and I will be taking the necessary steps to prevent this from happening again. One more question though, I still have some entries in my hosts file under the system32 directory, is it ok to just remove these so the hosts file would be clean as well?


Thanks again, w :tazz:
  • 0

#10
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Just out of curiosity what are the entries and IP's? Yes you can clear them manually or with this:

Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

-=jonnyrotten=- :tazz:
  • 0

#11
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I been out all day and won't be home until later. When I get home though I will copy and paste the host file as it sits right now on my computer.

Thanks again for your support. :tazz:
  • 0

#12
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
JohnnyRotten here is the contents of my host file.


127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com

Looks like junk to me.
  • 0

#13
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
127.0.0.1 is the "loopback" address. That means that if something tries to go to that address your pc will send a packet to the Network Card and back to itself. The way your host file is setup is that if you try to go to any one of those sites then you will not be able to. That is actually good. Some programs you have installed might have done that or you can manually add in any sites you would like. Browse Safely! :tazz:

-=jonnyrotten=- ;)
  • 0

#14
Extreme

Extreme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for all your help. You guy are awesome. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP