Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

starware - thx for the help! [CLOSED]

Started by cgfkccc , Dec 04 2005 07:28 PM

  • This topic is locked This topic is locked

#1
cgfkccc
Posted 04 December 2005 - 07:28 PM

cgfkccc

    New Member

  • Member
  • Pip
  • 6 posts
I have been reading other post until I get help,

So changing HJT to c drive prog folder and will run again and put last log below

NEW LOG FROM C DRIVE



Logfile of HijackThis v1.99.1
Scan saved at 4:27:29 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\sms_msn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\SYSTEM32\ngsh35.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\SYSTEM32\sms_msn.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131089966547
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\hrju0519e.dll
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\fp8003lme.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\r66ulgj916o.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements

#2
OwNt
Posted 04 December 2005 - 08:09 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, cgfkccc.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads....org/l2mfix.exe
http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
  • 0

#3
OwNt
Posted 17 December 2005 - 12:31 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
OwNt
Posted 29 December 2005 - 11:46 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Topic re-opened at user request.
  • 0

#5
cgfkccc
Posted 30 December 2005 - 04:52 AM

cgfkccc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrpu0579e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i4420ehoeh4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r66ulgj916o.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C32693C4-C90B-D97A-337B-42DCEC78E50E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}"=""
"{A840280F-8FC4-4C76-BF81-2A47028D6E31}"=""
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}"=""
"{4FBFC997-0199-4D55-99DC-9E84CF312F16}"=""
"{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\byackbox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\InprocServer32]
@="C:\\WINDOWS\\system32\\HNL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\InprocServer32]
@="C:\\WINDOWS\\system32\\prdx5016.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\InprocServer32]
@="C:\\WINDOWS\\system32\\CTADMIN.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
byackbox.dll Fri Nov 18 2005 12:13:54p ..S.R 235,994 230.46 K
cppbk32.dll Sat Nov 5 2005 3:06:20a ..S.R 236,238 230.70 K
ctadmin.dll Fri Dec 30 2005 12:14:26a ..S.R 235,389 229.87 K
dhmsrpcn.dll Tue Dec 20 2005 9:43:36p ..S.R 234,572 229.07 K
dqvvox.dll Mon Dec 26 2005 4:00:02a ..S.R 235,381 229.86 K
dtnwsock.dll Tue Dec 27 2005 3:39:50a ..S.R 235,381 229.86 K
f02mla~1.dll Tue Nov 22 2005 2:36:12p ..S.R 234,173 228.68 K
fp0m03~1.dll Mon Dec 12 2005 5:09:02p ..S.R 234,276 228.79 K
g040la~1.dll Mon Dec 5 2005 4:28:52p ..S.R 235,578 230.05 K
g6402g~1.dll Sat Nov 26 2005 5:54:44a ..S.R 235,007 229.50 K
g8400i~1.dll Sat Dec 17 2005 3:40:22p ..S.R 234,173 228.68 K
hnl.dll Fri Dec 2 2005 7:28:48p ..S.R 234,173 228.68 K
hrpu05~1.dll Tue Dec 27 2005 4:46:04a ..S.R 235,389 229.87 K
hrr805~1.dll Fri Dec 30 2005 12:14:26a ..S.R 236,284 230.75 K
idseng.dll Wed Dec 14 2005 12:56:00a ..S.R 234,917 229.41 K
ir4ml5~1.dll Thu Nov 17 2005 6:44:10a ..S.R 236,238 230.70 K
ir6ml5~1.dll Sat Nov 26 2005 6:00:48p ..S.R 235,338 229.82 K
ir82l5~1.dll Wed Dec 28 2005 4:01:02a ..S.R 235,381 229.86 K
irp2l5~1.dll Thu Nov 17 2005 6:18:08p ..... 234,173 228.68 K
krdsw.dll Sat Dec 10 2005 10:58:16p ..S.R 235,368 229.85 K
kt4sl7~1.dll Sat Dec 17 2005 3:40:22p A.... 235,920 230.39 K
l0p2la~1.dll Tue Dec 20 2005 2:16:20p ..S.R 234,572 229.07 K
lpcwmi.dll Mon Dec 26 2005 4:19:32a ..S.R 235,381 229.86 K
lv8409~1.dll Sun Nov 27 2005 2:32:20p ..S.R 236,069 230.54 K
maexch40.dll Sat Nov 12 2005 8:53:32p ..S.R 236,238 230.70 K
mdhtmler.dll Wed Dec 21 2005 5:54:12a ..S.R 234,572 229.07 K
mecpx32r.dll Mon Dec 12 2005 9:26:18p ..S.R 234,173 228.68 K
mfimg32.dll Sat Dec 17 2005 3:22:20p ..S.R 234,173 228.68 K
mjfutil.dll Mon Dec 26 2005 9:24:52p ..S.R 235,381 229.86 K
mnexcl40.dll Thu Dec 8 2005 10:53:54p ..S.R 234,173 228.68 K
mnrapi.dll Tue Dec 6 2005 5:08:54a ..S.R 234,173 228.68 K
mviipl~1.dll Sun Dec 25 2005 6:43:24p ..S.R 234,572 229.07 K
ngsh35.dll Fri Oct 28 2005 4:50:34p A.... 81,977 80.05 K
ojjsel.dll Sat Dec 24 2005 1:03:16a ..S.R 235,381 229.86 K
p0n80a~1.dll Sat Nov 12 2005 8:53:32p ..S.R 237,088 231.53 K
prdx5016.dll Thu Dec 15 2005 3:14:56a ..S.R 234,917 229.41 K
q668lg~1.dll Thu Nov 10 2005 12:56:36p ..S.R 236,827 231.27 K
q686lg~1.dll Sat Nov 19 2005 4:29:18p ..S.R 235,994 230.46 K
q6nulg~1.dll Sun Dec 25 2005 7:27:30p ..S.R 237,337 231.77 K
qvery.dll Mon Dec 12 2005 5:09:02p ..S.R 234,173 228.68 K
rpsctrs.dll Mon Dec 19 2005 11:51:14p ..S.R 234,572 229.07 K
rxutetab.dll Wed Dec 28 2005 12:27:02a ..S.R 235,381 229.86 K
sihannel.dll Tue Dec 27 2005 4:42:04a ..S.R 235,389 229.87 K
susvcs.dll Wed Nov 16 2005 9:31:30p ..S.R 237,298 231.73 K
vbsdexnt.dll Fri Nov 25 2005 7:19:38p A.... 45,056 44.00 K
wivdmoe2.dll Wed Dec 14 2005 5:02:02p ..S.R 234,173 228.68 K
wpbcheck.dll Sat Dec 10 2005 2:49:14a ..S.R 234,173 228.68 K
xplnmon.dll Sat Nov 26 2005 3:16:20p A.... 15,360 15.00 K

48 items found: 48 files (43 H/S), 0 directories.
Total of file sizes: 10,727,916 bytes 10.23 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is laptop
Volume Serial Number is 0034-B73B

Directory of C:\WINDOWS\System32

12/30/2005 12:14 AM 235,389 CTADMIN.DLL
12/30/2005 12:14 AM 236,284 hrr8059ue.dll
12/28/2005 04:01 AM 235,381 ir82l5lo1.dll
12/28/2005 12:27 AM 235,381 RXUTETAB.DLL
12/27/2005 04:46 AM 235,389 hrpu0579e.dll
12/27/2005 04:42 AM 235,389 sihannel.dll
12/27/2005 04:21 AM <DIR> DLLCACHE
12/27/2005 03:39 AM 235,381 DTNWSOCK.DLL
12/26/2005 09:24 PM 235,381 MJFUTIL.DLL
12/26/2005 04:19 AM 235,381 LPCWMI.DLL
12/26/2005 04:00 AM 235,381 dqvvox.dll
12/25/2005 07:27 PM 237,337 q6nulg5916.dll
12/25/2005 06:43 PM 234,572 MVIIpl2P6.dll
12/24/2005 01:03 AM 235,381 OJJSEL.DLL
12/21/2005 05:54 AM 234,572 MDHTMLER.DLL
12/20/2005 09:43 PM 234,572 DHMSRPCN.DLL
12/20/2005 02:16 PM 234,572 l0p2la7o1d.dll
12/19/2005 11:51 PM 234,572 RPSCTRS.DLL
12/17/2005 03:40 PM 234,173 g8400ihme84a0.dll
12/17/2005 03:22 PM 234,173 MFIMG32.DLL
12/15/2005 03:14 AM 234,917 prdx5016.dll
12/14/2005 05:02 PM 234,173 wivdmoe2.dll
12/14/2005 12:55 AM 234,917 IDSENG.DLL
12/12/2005 09:26 PM 234,173 mecpx32r.dLL
12/12/2005 05:09 PM 234,173 QVERY.DLL
12/12/2005 05:09 PM 234,276 fp0m03d1e.dll
12/10/2005 10:58 PM 235,368 KRDSW.DLL
12/10/2005 02:49 AM 234,173 WPBCHECK.DLL
12/08/2005 10:53 PM 234,173 mnexcl40.dll
12/06/2005 05:08 AM 234,173 MNRAPI.DLL
12/05/2005 04:28 PM 235,578 g040lahm1d4a.dll
12/02/2005 07:28 PM 234,173 HNL.DLL
11/27/2005 02:32 PM 236,069 lv8409lqe.dll
11/26/2005 06:00 PM 235,338 ir6ml5j11.dll
11/26/2005 05:54 AM 235,007 g6402ghmg64a2.dll
11/22/2005 02:36 PM 234,173 f02mlaf11d2.dll
11/19/2005 04:29 PM 235,994 q686lgls16q6.dll
11/18/2005 12:13 PM 235,994 byackbox.dll
11/17/2005 06:44 AM 236,238 ir4ml5h11.dll
11/16/2005 09:31 PM 237,298 SUSVCS.DLL
11/12/2005 08:53 PM 236,238 maexch40.dll
11/12/2005 08:53 PM 237,088 p0n80a5ued.dll
11/10/2005 12:56 PM 236,827 q668lgju16o8.dll
11/05/2005 03:06 AM 236,238 CPPBK32.DLL
04/25/2003 08:37 PM <DIR> Microsoft
43 File(s) 10,115,430 bytes
2 Dir(s) 287,887,360 bytes free
  • 0

#6
OwNt
Posted 30 December 2005 - 12:17 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello cgfkccc,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.
  • 0

#7
cgfkccc
Posted 30 December 2005 - 09:46 PM

cgfkccc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
L2mfix Beta 122705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 336 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 432 'winlogon.exe'
Killing PID 432 'winlogon.exe'
Killing PID 432 'winlogon.exe'
Killing PID 432 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1916 'explorer.exe'
Killing PID 1916 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2144 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\byackbox.dll
Successfully Moved: C:\WINDOWS\system32\byackbox.dll
moving: C:\WINDOWS\system32\CPPBK32.DLL
Successfully Moved: C:\WINDOWS\system32\CPPBK32.DLL
moving: C:\WINDOWS\system32\DHMSRPCN.DLL
Successfully Moved: C:\WINDOWS\system32\DHMSRPCN.DLL
moving: C:\WINDOWS\system32\dqvvox.dll
Successfully Moved: C:\WINDOWS\system32\dqvvox.dll
moving: C:\WINDOWS\system32\DTNWSOCK.DLL
Successfully Moved: C:\WINDOWS\system32\DTNWSOCK.DLL
moving: C:\WINDOWS\system32\f02mlaf11d2.dll
Successfully Moved: C:\WINDOWS\system32\f02mlaf11d2.dll
moving: C:\WINDOWS\system32\fp0m03d1e.dll
Successfully Moved: C:\WINDOWS\system32\fp0m03d1e.dll
moving: C:\WINDOWS\system32\g040lahm1d4a.dll
Successfully Moved: C:\WINDOWS\system32\g040lahm1d4a.dll
moving: C:\WINDOWS\system32\g6402ghmg64a2.dll
Successfully Moved: C:\WINDOWS\system32\g6402ghmg64a2.dll
moving: C:\WINDOWS\system32\g8400ihme84a0.dll
Successfully Moved: C:\WINDOWS\system32\g8400ihme84a0.dll
moving: C:\WINDOWS\system32\HNL.DLL
Successfully Moved: C:\WINDOWS\system32\HNL.DLL
moving: C:\WINDOWS\system32\hrr8059ue.dll
Successfully Moved: C:\WINDOWS\system32\hrr8059ue.dll
moving: C:\WINDOWS\system32\IDSENG.DLL
Successfully Moved: C:\WINDOWS\system32\IDSENG.DLL
moving: C:\WINDOWS\system32\ir4ml5h11.dll
Successfully Moved: C:\WINDOWS\system32\ir4ml5h11.dll
moving: C:\WINDOWS\system32\ir6ml5j11.dll
Successfully Moved: C:\WINDOWS\system32\ir6ml5j11.dll
moving: C:\WINDOWS\system32\ir82l5lo1.dll
Successfully Moved: C:\WINDOWS\system32\ir82l5lo1.dll
moving: C:\WINDOWS\system32\irp2l57o1.dll
Successfully Moved: C:\WINDOWS\system32\irp2l57o1.dll
moving: C:\WINDOWS\system32\KADUSL.DLL
Successfully Moved: C:\WINDOWS\system32\KADUSL.DLL
moving: C:\WINDOWS\system32\KRDSW.DLL
Successfully Moved: C:\WINDOWS\system32\KRDSW.DLL
moving: C:\WINDOWS\system32\kt4sl7h71.dll
Successfully Moved: C:\WINDOWS\system32\kt4sl7h71.dll
moving: C:\WINDOWS\system32\l0p2la7o1d.dll
Successfully Moved: C:\WINDOWS\system32\l0p2la7o1d.dll
moving: C:\WINDOWS\system32\LPCWMI.DLL
Successfully Moved: C:\WINDOWS\system32\LPCWMI.DLL
moving: C:\WINDOWS\system32\lv8409lqe.dll
Successfully Moved: C:\WINDOWS\system32\lv8409lqe.dll
moving: C:\WINDOWS\system32\lvnq0955e.dll
Successfully Moved: C:\WINDOWS\system32\lvnq0955e.dll
moving: C:\WINDOWS\system32\maexch40.dll
Successfully Moved: C:\WINDOWS\system32\maexch40.dll
moving: C:\WINDOWS\system32\MDHTMLER.DLL
Successfully Moved: C:\WINDOWS\system32\MDHTMLER.DLL
moving: C:\WINDOWS\system32\mecpx32r.dLL
Successfully Moved: C:\WINDOWS\system32\mecpx32r.dLL
moving: C:\WINDOWS\system32\MFIMG32.DLL
Successfully Moved: C:\WINDOWS\system32\MFIMG32.DLL
moving: C:\WINDOWS\system32\MJFUTIL.DLL
Successfully Moved: C:\WINDOWS\system32\MJFUTIL.DLL
moving: C:\WINDOWS\system32\mnexcl40.dll
Successfully Moved: C:\WINDOWS\system32\mnexcl40.dll
moving: C:\WINDOWS\system32\MNRAPI.DLL
Successfully Moved: C:\WINDOWS\system32\MNRAPI.DLL
moving: C:\WINDOWS\system32\MVIIpl2P6.dll
Successfully Moved: C:\WINDOWS\system32\MVIIpl2P6.dll
moving: C:\WINDOWS\system32\OJJSEL.DLL
Successfully Moved: C:\WINDOWS\system32\OJJSEL.DLL
moving: C:\WINDOWS\system32\p0n80a5ued.dll
Successfully Moved: C:\WINDOWS\system32\p0n80a5ued.dll
moving: C:\WINDOWS\system32\p0p6la7s1d.dll
Successfully Moved: C:\WINDOWS\system32\p0p6la7s1d.dll
moving: C:\WINDOWS\system32\prdx5016.dll
Successfully Moved: C:\WINDOWS\system32\prdx5016.dll
moving: C:\WINDOWS\system32\q0rqla951d.dll
Successfully Moved: C:\WINDOWS\system32\q0rqla951d.dll
moving: C:\WINDOWS\system32\q668lgju16o8.dll
Successfully Moved: C:\WINDOWS\system32\q668lgju16o8.dll
moving: C:\WINDOWS\system32\q686lgls16q6.dll
Successfully Moved: C:\WINDOWS\system32\q686lgls16q6.dll
moving: C:\WINDOWS\system32\q6nulg5916.dll
Successfully Moved: C:\WINDOWS\system32\q6nulg5916.dll
moving: C:\WINDOWS\system32\QVERY.DLL
Successfully Moved: C:\WINDOWS\system32\QVERY.DLL
moving: C:\WINDOWS\system32\RPSCTRS.DLL
Successfully Moved: C:\WINDOWS\system32\RPSCTRS.DLL
moving: C:\WINDOWS\system32\RXUTETAB.DLL
Successfully Moved: C:\WINDOWS\system32\RXUTETAB.DLL
moving: C:\WINDOWS\system32\sihannel.dll
Successfully Moved: C:\WINDOWS\system32\sihannel.dll
moving: C:\WINDOWS\system32\SUSVCS.DLL
Successfully Moved: C:\WINDOWS\system32\SUSVCS.DLL
moving: C:\WINDOWS\system32\wivdmoe2.dll
Successfully Moved: C:\WINDOWS\system32\wivdmoe2.dll
moving: C:\WINDOWS\system32\WPBCHECK.DLL
Successfully Moved: C:\WINDOWS\system32\WPBCHECK.DLL
moving: C:\WINDOWS\system32\guard.tmp
Successfully Moved: C:\WINDOWS\system32\guard.tmp




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvnq0955e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i4420ehoeh4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r66ulgj916o.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\byackbox.dll
C:\WINDOWS\system32\CPPBK32.DLL
C:\WINDOWS\system32\DHMSRPCN.DLL
C:\WINDOWS\system32\dqvvox.dll
C:\WINDOWS\system32\DTNWSOCK.DLL
C:\WINDOWS\system32\f02mlaf11d2.dll
C:\WINDOWS\system32\fp0m03d1e.dll
C:\WINDOWS\system32\g040lahm1d4a.dll
C:\WINDOWS\system32\g6402ghmg64a2.dll
C:\WINDOWS\system32\g8400ihme84a0.dll
C:\WINDOWS\system32\HNL.DLL
C:\WINDOWS\system32\hrr8059ue.dll
C:\WINDOWS\system32\IDSENG.DLL
C:\WINDOWS\system32\ir4ml5h11.dll
C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\ir82l5lo1.dll
C:\WINDOWS\system32\irp2l57o1.dll
C:\WINDOWS\system32\KADUSL.DLL
C:\WINDOWS\system32\KRDSW.DLL
C:\WINDOWS\system32\kt4sl7h71.dll
C:\WINDOWS\system32\l0p2la7o1d.dll
C:\WINDOWS\system32\LPCWMI.DLL
C:\WINDOWS\system32\lv8409lqe.dll
C:\WINDOWS\system32\lvnq0955e.dll
C:\WINDOWS\system32\maexch40.dll
C:\WINDOWS\system32\MDHTMLER.DLL
C:\WINDOWS\system32\mecpx32r.dLL
C:\WINDOWS\system32\MFIMG32.DLL
C:\WINDOWS\system32\MJFUTIL.DLL
C:\WINDOWS\system32\mnexcl40.dll
C:\WINDOWS\system32\MNRAPI.DLL
C:\WINDOWS\system32\MVIIpl2P6.dll
C:\WINDOWS\system32\OJJSEL.DLL
C:\WINDOWS\system32\p0n80a5ued.dll
C:\WINDOWS\system32\p0p6la7s1d.dll
C:\WINDOWS\system32\prdx5016.dll
C:\WINDOWS\system32\q0rqla951d.dll
C:\WINDOWS\system32\q668lgju16o8.dll
C:\WINDOWS\system32\q686lgls16q6.dll
C:\WINDOWS\system32\q6nulg5916.dll
C:\WINDOWS\system32\QVERY.DLL
C:\WINDOWS\system32\RPSCTRS.DLL
C:\WINDOWS\system32\RXUTETAB.DLL
C:\WINDOWS\system32\sihannel.dll
C:\WINDOWS\system32\SUSVCS.DLL
C:\WINDOWS\system32\wivdmoe2.dll
C:\WINDOWS\system32\WPBCHECK.DLL
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\byackbox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}\InprocServer32]
@="C:\\WINDOWS\\system32\\HNL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}\InprocServer32]
@="C:\\WINDOWS\\system32\\prdx5016.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}\InprocServer32]
@="C:\\WINDOWS\\system32\\DRACTFRM.DLL"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}"=-
"{A840280F-8FC4-4C76-BF81-2A47028D6E31}"=-
"{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}"=-
"{4FBFC997-0199-4D55-99DC-9E84CF312F16}"=-
"{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2}]
[-HKEY_CLASSES_ROOT\CLSID\{A840280F-8FC4-4C76-BF81-2A47028D6E31}]
[-HKEY_CLASSES_ROOT\CLSID\{E94FE1D0-2AB4-40FF-A712-CCF276249E0D}]
[-HKEY_CLASSES_ROOT\CLSID\{4FBFC997-0199-4D55-99DC-9E84CF312F16}]
[-HKEY_CLASSES_ROOT\CLSID\{6C70FBDE-F6FB-4ABD-A55C-FFC71D230084}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/byackbox.dll (124 bytes security) (deflated 5%)
adding: dlls/CPPBK32.DLL (124 bytes security) (deflated 5%)
adding: dlls/DHMSRPCN.DLL (124 bytes security) (deflated 4%)
adding: dlls/dqvvox.dll (188 bytes security) (deflated 5%)
adding: dlls/DTNWSOCK.DLL (124 bytes security) (deflated 5%)
adding: dlls/f02mlaf11d2.dll (124 bytes security) (deflated 4%)
adding: dlls/fp0m03d1e.dll (124 bytes security) (deflated 4%)
adding: dlls/g040lahm1d4a.dll (124 bytes security) (deflated 5%)
adding: dlls/g6402ghmg64a2.dll (124 bytes security) (deflated 5%)
adding: dlls/g8400ihme84a0.dll (124 bytes security) (deflated 4%)
adding: dlls/guard.tmp (124 bytes security) (deflated 4%)
adding: dlls/HNL.DLL (124 bytes security) (deflated 4%)
adding: dlls/hrr8059ue.dll (124 bytes security) (deflated 5%)
adding: dlls/IDSENG.DLL (124 bytes security) (deflated 5%)
adding: dlls/ir4ml5h11.dll (124 bytes security) (deflated 5%)
adding: dlls/ir6ml5j11.dll (124 bytes security) (deflated 5%)
adding: dlls/ir82l5lo1.dll (124 bytes security) (deflated 5%)
adding: dlls/irp2l57o1.dll (124 bytes security) (deflated 4%)
adding: dlls/KADUSL.DLL (124 bytes security) (deflated 5%)
adding: dlls/KRDSW.DLL (124 bytes security) (deflated 5%)
adding: dlls/kt4sl7h71.dll (188 bytes security) (deflated 5%)
adding: dlls/l0p2la7o1d.dll (124 bytes security) (deflated 4%)
adding: dlls/LPCWMI.DLL (124 bytes security) (deflated 5%)
adding: dlls/lv8409lqe.dll (124 bytes security) (deflated 5%)
adding: dlls/lvnq0955e.dll (124 bytes security) (deflated 4%)
adding: dlls/maexch40.dll (124 bytes security) (deflated 5%)
adding: dlls/MDHTMLER.DLL (124 bytes security) (deflated 4%)
adding: dlls/mecpx32r.dLL (124 bytes security) (deflated 4%)
adding: dlls/MFIMG32.DLL (124 bytes security) (deflated 4%)
adding: dlls/MJFUTIL.DLL (124 bytes security) (deflated 5%)
adding: dlls/mnexcl40.dll (124 bytes security) (deflated 4%)
adding: dlls/MNRAPI.DLL (124 bytes security) (deflated 4%)
adding: dlls/MVIIpl2P6.dll (124 bytes security) (deflated 4%)
adding: dlls/OJJSEL.DLL (124 bytes security) (deflated 5%)
adding: dlls/p0n80a5ued.dll (124 bytes security) (deflated 5%)
adding: dlls/p0p6la7s1d.dll (124 bytes security) (deflated 5%)
adding: dlls/prdx5016.dll (124 bytes security) (deflated 5%)
adding: dlls/q0rqla951d.dll (124 bytes security) (deflated 5%)
adding: dlls/q668lgju16o8.dll (124 bytes security) (deflated 5%)
adding: dlls/q686lgls16q6.dll (124 bytes security) (deflated 5%)
adding: dlls/q6nulg5916.dll (124 bytes security) (deflated 6%)
adding: dlls/QVERY.DLL (124 bytes security) (deflated 4%)
adding: dlls/RPSCTRS.DLL (124 bytes security) (deflated 4%)
adding: dlls/RXUTETAB.DLL (124 bytes security) (deflated 5%)
adding: dlls/sihannel.dll (124 bytes security) (deflated 5%)
adding: dlls/SUSVCS.DLL (124 bytes security) (deflated 6%)
adding: dlls/wivdmoe2.dll (124 bytes security) (deflated 4%)
adding: dlls/WPBCHECK.DLL (124 bytes security) (deflated 4%)
adding: backregs/4FBFC997-0199-4D55-99DC-9E84CF312F16.reg (188 bytes security) (deflated 70%)
adding: backregs/6C70FBDE-F6FB-4ABD-A55C-FFC71D230084.reg (188 bytes security) (deflated 70%)
adding: backregs/A840280F-8FC4-4C76-BF81-2A47028D6E31.reg (188 bytes security) (deflated 70%)
adding: backregs/CBB6D2CC-75EF-47A8-8C5D-C0B8F51693E2.reg (188 bytes security) (deflated 70%)
adding: backregs/E94FE1D0-2AB4-40FF-A712-CCF276249E0D.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)



Logfile of HijackThis v1.99.1
Scan saved at 10:41:59 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\SYSTEM32\sms_msn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\SYSTEM32\ngsh35.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\SYSTEM32\sms_msn.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131089966547
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lvnq0955e.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\i4420ehoeh4c0.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\r66ulgj916o.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
OwNt
Posted 30 December 2005 - 10:54 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello cgfkccc,

Please open Hijackthis, scan, and place a checkmark by the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\SYSTEM32\ngsh35.dll
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\SYSTEM32\sms_msn.exe
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lvnq0955e.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\i4420ehoeh4c0.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\r66ulgj916o.dll (file missing)

Close all open windows/browsers and click Fix Checked.

Exit Hijackthis.

Then download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Then delete the following file:

C:\WINDOWS\SYSTEM32\sms_msn.exe

Now reboot your computer into normal windows.

Please post a fresh Hijackthis log.
  • 0

#9
OwNt
Posted 19 January 2006 - 11:25 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP