
Hijack This log for analysis - please


18 replies to this topic

#1 xbspaul

xbspaul

  • Members
  • 12 posts

Posted 09 April 2005 - 08:50 AM

Thanks for the reply to my first post. I followed the link and downloaded the latest version of HijackThis. I have run Spybot, Ad-Aware and MS AntiSpyware and keep getting spyware reported and removed. Any help and advice greatly received.


Please find below the latest Hijack this log.
Logfile of HijackThis v1.99.1
Scan saved at 14:46:41, on 09/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\EasiDock\Dockmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Paul Simpson\My Documents\downloads\Hijack\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EasiDockMon] \EasiDock\Dockmon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://my.ebay.co.uk
O15 - Trusted Zone: http://www.northamptonsaints.co.uk
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = group.sira.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{192CC4A3-7170-48E3-947E-18947EBEAD97}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\hnrm0591e.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 April 2005 - 01:49 PM

Hello xbspaul and welcome to the BC forums. After reviewing your log I see a couple of items that require our attention. Please proceed with the following steps in order.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\hnrm0591e.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\nsvsvc\ <--folder
C:\WINDOWS\system32\picsvr\ <--folder
C:\WINDOWS\system32\hnrm0591e.dll

Next, let's clean up the temporary folders:
  • Click Start
  • Point to Programs
  • Point to Accessories
  • Point to System Tools
  • Click Disk Cleanup
  • Select the following items that are present and then click the OK button.
    • Temp Setup Files
    • Downloaded Program Files
    • Temp Internet Files
    • Debug Dump Files
    • Office Setup Files
    • old chkdsk files
    • Recycle Bin
    • Temp Remote Desktop Files
    • Setup Log Files
    • Temp Files
    • WebClient temp files

Step #3

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
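As an added example (not code from this thread, from HijackThis or from the poster), here is a small Python triage script that applies the same three heuristics OldTimer used on the log above: Run entries launched from a subfolder of system32, a DPF (ActiveX download) fetched from a bare IP address or ending in .exe rather than .cab, and a Winlogon Notify DLL with a random-looking name. The sample lines are constructed from entries in the log plus one benign Intel graphics Notify entry for contrast; the heuristics, thresholds and the spool-folder exclusion are my assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v1.99 log for the persistence patterns flagged in this thread.

Heuristics (assumptions, not HijackThis logic):
  * O4 Run entries whose target lives in a subfolder of system32
  * O16 DPF (ActiveX download) entries fetched from a bare IP or ending in .exe
  * O20 Winlogon Notify DLLs with random-looking names
"""
import re
from urllib.parse import urlparse

# Constructed sample in the same format as the logs posted above: the entries
# OldTimer told the poster to fix, a few benign entries from the same logs,
# and one benign Intel graphics Notify entry (igfxcui) added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\hnrm0591e.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l06olaj31do.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
"""

# One regex per HijackThis section we care about (O4 Run, O16 DPF, O20 Notify).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")


def exe_path(cmd):
    """Pull the executable path out of a Run value (quoted or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def under_system32_subfolder(path):
    """True when the target sits in a subfolder of system32 (printer spool drivers excluded)."""
    p = path.lower().replace("/", "\\")
    m = re.search(r"\\windows\\system32\\(.+)$", p)
    if not m:
        return False
    rest = m.group(1)
    return "\\" in rest and not rest.startswith("spool\\")


def dpf_suspicious(url):
    """Reasons an O16 download source looks wrong; empty list means nothing flagged."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("download host is a bare IP address")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("DPF target is an .exe rather than a .cab")
    return reasons


def looks_random(stem):
    """Random-looking DLL stem: at least two digits, interleaved with letters."""
    digits = sum(c.isdigit() for c in stem)
    mixed = re.search(r"[a-z]\d", stem) and re.search(r"\d[a-z]", stem)
    return digits >= 2 and bool(mixed)


def triage(log_text):
    """Return a list of {'line', 'reason'} findings for the entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            target = exe_path(m.group("cmd"))
            if under_system32_subfolder(target):
                findings.append({"line": line, "reason": "Run entry launches from a subfolder of system32: " + target})
            continue
        m = O16_RE.match(line)
        if m:
            reasons = dpf_suspicious(m.group("url"))
            if reasons:
                findings.append({"line": line, "reason": "; ".join(reasons)})
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group("dll").strip()
            stem = re.sub(r"\.dll$", "", dll.rsplit("\\", 1)[-1].lower())
            if looks_random(stem):
                findings.append({"line": line, "reason": "Winlogon Notify DLL has a random-looking name: " + stem})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"])
        print("    " + f["line"])
```

Winlogon Notify packages are loaded into winlogon.exe at logon, which is why a DLL listed there reports as in use and cannot be deleted until a delete-on-reboot is scheduled. The name heuristic is a review list, not a verdict: it catches stems like hnrm0591e but will also flag some legitimate vendor DLLs that mix letters and digits.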


#3 xbspaul

xbspaul
  • Topic Starter

  • Members
  • 12 posts

Posted 10 April 2005 - 02:58 PM

Thanks for your help OT. I had a couple of problems carrying out the 3 steps. First was the delete of C:\WINDOWS\system32\hnrm0591e.dll wouldn't work as it said it was in use by another program. Next when I tried to clean up the system files I had an error message "The instruction at 0x1001393c referenced memory at 0x133b000. The memory could not be "read". Click OK to terminate or "Cancel " to debug." I tried both and both times I got a blue screen crash. I notice when I ran the HijackThis scan the log showed our old friend hnrm0591e.dll is back. Please find below my latest log.

Logfile of HijackThis v1.99.1
Scan saved at 20:52:05, on 10/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\EasiDock\Dockmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Paul Simpson\My Documents\downloads\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EasiDockMon] \EasiDock\Dockmon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://my.ebay.co.uk
O15 - Trusted Zone: http://www.northamptonsaints.co.uk
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = group.sira.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{192CC4A3-7170-48E3-947E-18947EBEAD97}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\hnrm0591e.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 April 2005 - 04:34 PM

Hi xbspaul. Yeah, this is one of the persistent little buggers. Let's try it a different way. Please proceed with the following steps in order.

Step #1

Start Notepad and copy/paste the text from the quotebox below into the new document:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Save the document to your desktop as fixreg.reg and close Notepad. Now locate the fixreg.reg file on your desktop and right-click on it. Select the Merge option and choose Yes or Ok to any prompts asking if you want to merge the file into the registry.

Step #2

Reboot your computer normally and delete this file: C:\WINDOWS\system32\hnrm0591e.dll.

Step #3

OK. Reboot your computer normally again, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 xbspaul

xbspaul
  • Topic Starter

  • Members
  • 12 posts

Posted 11 April 2005 - 01:31 PM

Thanks again. I have done as suggested OT and here is the latest Hijack This log. I still get pop ups when I am on the web though.

Logfile of HijackThis v1.99.1
Scan saved at 19:27:31, on 11/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\EasiDock\Dockmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Paul Simpson\My Documents\downloads\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EasiDockMon] \EasiDock\Dockmon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://my.ebay.co.uk
O15 - Trusted Zone: http://www.northamptonsaints.co.uk
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = group.sira.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{192CC4A3-7170-48E3-947E-18947EBEAD97}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l06olaj31do.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 11 April 2005 - 01:51 PM

Hi xbspaul. Question for you. Are you able to delete the file C:\WINDOWS\system32\l06olaj31do.dll or do you get an error message?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 xbspaul

xbspaul
  • Topic Starter

  • Members
  • 12 posts

Posted 11 April 2005 - 02:34 PM

Same thing OT. The C:\WINDOWS\system32\l06olaj31do.dll file is in use by another program. I see what you mean about the "tricky little bugger".

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 11 April 2005 - 05:18 PM

Hey xbspaul. Yeah, it might be tricky but we're not done with it yet. Please do the following:

Step #1

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Double-click on KillBox.exe.
  • Click Delete on Reboot and then click in the checkbox for Use dummy.
  • Paste this file into the top Full Path of File to Delete box.
    • C:\WINDOWS\system32\l06olaj31do.dll
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the Delete next Reboot prompt.
  • If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.
Step #2

After you have rebooted, start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l06olaj31do.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 xbspaul
    Topic Starter

Posted 12 April 2005 - 01:16 PM

OT, I had the same error message when I tried to run Killbox. The same error message came up: "The instruction at 0x1001393c referenced memory at 0x133b000. The memory could not be "read". Click OK to terminate or "Cancel" to debug." I didn't get the blue screen crash this time.

Also the O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l06olaj31do.dll line did not appear in my Hijack this log.

The main popup web site I get is "LoadingWebSite" if that helps.

A rerun of the log is appended below.

Logfile of HijackThis v1.99.1
Scan saved at 19:09:21, on 12/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul Simpson\My Documents\downloads\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EasiDockMon] \EasiDock\Dockmon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://my.ebay.co.uk
O15 - Trusted Zone: http://www.northamptonsaints.co.uk
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = group.sira.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{192CC4A3-7170-48E3-947E-18947EBEAD97}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\lvlq0935e.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 OldTimer
    Malware Expert

Posted 12 April 2005 - 04:56 PM

Hi xbspaul. Yeah, the old line is gone but there is a new one there. I was conferring with some of my colleagues on this and I need some information on that file. Please open Notepad and copy/paste the information in the quote box below into the new document:

dir C:\WINDOWS\system32\lvlq0935e.dll /a h > files.txt
notepad files.txt


Save the file to your desktop as find.bat. Now close Notepad, locate find.bat on your desktop and double-click it to run it. Notepad should open with some information in it. Please post that information back here for me to review (it will only be a small amount so don't worry).

Cheers.

OT

Edited by OldTimer, 12 April 2005 - 04:56 PM.


#11 xbspaul
    Topic Starter

Posted 14 April 2005 - 12:56 PM

Thanks, OT. Sorry for the delay. I have been working away. Please find below the output from the text file. Doesn't look like much to me!

Volume in drive C has no label.
Volume Serial Number is 90EF-0F35

Directory of C:\WINDOWS\system32


Directory of C:\Documents and Settings\Paul Simpson\Desktop


Directory of C:\Documents and Settings\Paul Simpson\Desktop


Directory of C:\Documents and Settings\Paul Simpson\Desktop

14/04/2005 18:51 0 files.txt
1 File(s) 0 bytes
0 Dir(s) 23,651,184,640 bytes free

#12 OldTimer
    Malware Expert

Posted 14 April 2005 - 01:32 PM

Hi xbspaul. Ok, that tells me something anyway. Let's do this:

Download l2mfix.exe and save it to your desktop.

Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

Cheers.

OT

#13 xbspaul
    Topic Starter

Posted 14 April 2005 - 05:34 PM

Thanks again. I have run the file and this is the log. I may not be able to do anything for a week as I am away on business. Again I appreciate the help.

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n02u0af9ed2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1107B450-54CD-6079-4631-E7BD9CA4CD50}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{33D0B7CC-535E-4CD0-B33A-934372B1AEFD}"="Wise-FTP Network Places"
"{136F0404-8CF2-4a80-BD42-03E5C7B7A960}"="MP3 PlayerShell Hook"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
@=""
"{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{9BCCA34E-9781-4953-A1B6-78A9E86937CA}"="AceBackup Context Menu Handler"
"{C5098102-EAF2-493A-883A-B7B751B21534}"="FolderBox Shell Extensions"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}"=""
"{553C833F-B083-4049-941B-43A612F49F10}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1812BF7C-A10D-4C63-996F-B85BDFA41004}"=""
"{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}"=""
"{34AF6EF7-8E24-45CD-883B-2F561B6420E9}"=""
"{B366F4E3-3E40-4E3D-B76D-F6187788128B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}]
@=""
"IDEx"="DS3"

[HKEY_CLASSES_ROOT\CLSID\{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}\InprocServer32]
@="C:\\WINDOWS\\system32\\vra256.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{553C833F-B083-4049-941B-43A612F49F10}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{553C833F-B083-4049-941B-43A612F49F10}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{553C833F-B083-4049-941B-43A612F49F10}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{553C833F-B083-4049-941B-43A612F49F10}\InprocServer32]
@="C:\\WINDOWS\\system32\\abi3duag.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1812BF7C-A10D-4C63-996F-B85BDFA41004}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1812BF7C-A10D-4C63-996F-B85BDFA41004}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1812BF7C-A10D-4C63-996F-B85BDFA41004}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1812BF7C-A10D-4C63-996F-B85BDFA41004}\InprocServer32]
@="C:\\WINDOWS\\system32\\nztevent.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}\InprocServer32]
@="C:\\WINDOWS\\system32\\iasecsnp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{34AF6EF7-8E24-45CD-883B-2F561B6420E9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34AF6EF7-8E24-45CD-883B-2F561B6420E9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34AF6EF7-8E24-45CD-883B-2F561B6420E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34AF6EF7-8E24-45CD-883B-2F561B6420E9}\InprocServer32]
@="C:\\WINDOWS\\system32\\EdnClass.Dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B366F4E3-3E40-4E3D-B76D-F6187788128B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B366F4E3-3E40-4E3D-B76D-F6187788128B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B366F4E3-3E40-4E3D-B76D-F6187788128B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B366F4E3-3E40-4E3D-B76D-F6187788128B}\InprocServer32]
@="C:\\WINDOWS\\system32\\nvlanui.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 90EF-0F35

Directory of C:\WINDOWS\System32

14/04/2005 23:32 <DIR> DLLCACHE
14/04/2005 18:46 232,684 abi3duag.dll
14/04/2005 18:46 233,185 dn0q01d5e.dll
14/04/2005 15:02 232,684 n02u0af9ed2.dll
14/04/2005 08:35 232,458 bdtsprx3.dll
14/04/2005 06:42 236,179 mzjet35.dll
13/04/2005 12:44 232,968 ecntagnt.dll
12/04/2005 22:13 236,179 mjimg32.dll
12/04/2005 21:10 236,179 i0lola331d.dll
12/04/2005 17:40 232,970 gpr4l39q1.dll
11/04/2005 19:21 236,179 ryr20.dll
11/04/2005 08:46 236,179 mid32.dll
10/04/2005 20:50 234,638 unrdpa.dll
10/04/2005 20:38 234,661 fp2003fme.dll
10/04/2005 19:52 235,963 ir2ol5f31.dll
10/04/2005 19:27 234,821 fp8m03l1e.dll
08/04/2005 15:42 234,638 k880lilm18qa.dll
08/04/2005 11:09 233,172 ktn4l75q1.dll
08/04/2005 07:06 234,638 syfolder.dll
07/04/2005 18:51 234,638 nvlanui.dll
07/04/2005 16:37 236,247 l88m0il1e8q.dll
07/04/2005 16:36 234,638 EdnClass.Dll
07/04/2005 15:40 234,638 iasecsnp.dll
07/04/2005 14:45 234,638 nztevent.dll
07/04/2005 09:44 234,638 iwss.dll
07/04/2005 09:44 235,662 e420lefm1h2a.dll
07/04/2005 07:13 235,187 ennsl1571.dll
06/04/2005 19:24 234,638 wbiprop.dll
06/04/2005 15:39 233,159 mgasn1.dll
06/04/2005 07:40 234,638 rXssapi.dll
06/04/2005 07:22 233,248 dscpmon.dll
05/04/2005 20:05 233,248 cyb.dll
05/04/2005 20:04 233,421 fp8203loe.dll
08/10/2004 12:13 <DIR> Microsoft
08/10/2004 09:46 32 {F1DAD716-07D8-4DFA-9694-3C4CBB01611F}.dat
33 File(s) 7,503,045 bytes
2 Dir(s) 23,584,641,024 bytes free
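The find log above contains the two things needed to identify the component that keeps coming back: a Winlogon\Notify package whose DllName is a random-named file in system32 (winlogon.exe loads Notify packages into its own process at boot, which is why the file showed as "in use by another program" and why it is re-registered under a new name after each removal), and a system32 listing full of DLLs of nearly the same size written over a few days. The following is an added example, not L2MFix's code: it parses both sections of a log in this format with Python and correlates them. The baseline set of XP Notify packages, the regular expressions, the size-bucket heuristic and the crypt32chain entry in the constructed excerpt are assumptions of the example; the Reliability key and the listing lines are copied from the log.

```python
"""Parse the Winlogon\\Notify and system32 listing sections of an L2MFix-style find log
and correlate them. Added example; baseline and heuristics are this example's assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Notify packages that ship with Windows XP. Assumption: this is the whitelist a
# practitioner would start from; anything else registered under Notify needs a look.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed excerpt in the .reg format the find log uses. The Reliability key is
# copied from the log above; the crypt32chain key is a made-up benign entry.
REG_EXCERPT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n02u0af9ed2.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

# Constructed excerpt of the system32 listing from the same log (UK date format).
DIR_EXCERPT = r"""Directory of C:\WINDOWS\System32

14/04/2005 23:32 <DIR> DLLCACHE
14/04/2005 18:46 232,684 abi3duag.dll
14/04/2005 15:02 232,684 n02u0af9ed2.dll
12/04/2005 22:13 236,179 mjimg32.dll
07/04/2005 16:36 234,638 EdnClass.Dll
08/10/2004 09:46 32 {F1DAD716-07D8-4DFA-9694-3C4CBB01611F}.dat
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DLLNAME_RE = re.compile(r'^"DllName"="(.*)"$')
DIR_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2})\s+([\d,]+)\s+(\S+\.dll)$", re.IGNORECASE)
NOTIFY = "\\Winlogon\\Notify"


def parse_reg_notify(text):
    """Return (subkey, dll_path) for every DllName under the Notify key; subkey is None for the root."""
    entries, subkey, in_notify = [], None, False
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            in_notify = NOTIFY in key
            subkey = key.split(NOTIFY + "\\", 1)[1] if NOTIFY + "\\" in key else None
            continue
        m = DLLNAME_RE.match(line.strip())
        if m and in_notify:
            entries.append((subkey, m.group(1).replace("\\\\", "\\")))   # undo .reg escaping
    return entries


def flag_notify(entries, baseline=XP_NOTIFY_BASELINE):
    """Flag packages outside the baseline, plus a DllName set directly on the root key."""
    return [(sub, dll) for sub, dll in entries
            if (sub is None and dll) or (sub is not None and sub not in baseline)]


def parse_dir_listing(text):
    """Return (name, size_bytes, timestamp) for each .dll line of a `dir` listing."""
    files = []
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            when = datetime.strptime(" ".join(m.group(1).split()), "%d/%m/%Y %H:%M")
            files.append((m.group(3), int(m.group(2).replace(",", "")), when))
    return files


def cluster_recent_dlls(files, window_days=10, bucket=8192, min_members=3):
    """Group DLLs written within `window_days` of the newest one by size bucket. A dropper
    that re-creates itself under random names leaves one fat bucket of near-identical sizes."""
    if not files:
        return []
    newest = max(when for _, _, when in files)
    buckets = defaultdict(list)
    for name, size, when in files:
        if (newest - when).days <= window_days:
            buckets[size // bucket].append(name)
    return [sorted(names, key=str.lower) for _, names in sorted(buckets.items())
            if len(names) >= min_members]


def correlate(flagged_notify, clusters):
    """File names that are both loaded by winlogon and sit in a suspicious size cluster."""
    clustered = {n.lower() for group in clusters for n in group}
    return {dll.rsplit("\\", 1)[-1] for _, dll in flagged_notify
            if dll.rsplit("\\", 1)[-1].lower() in clustered}


if __name__ == "__main__":
    flagged = flag_notify(parse_reg_notify(REG_EXCERPT))
    clusters = cluster_recent_dlls(parse_dir_listing(DIR_EXCERPT))
    print("suspicious Notify packages:", flagged)
    print("size clusters of recent DLLs:", clusters)
    print("module loaded by winlogon:", correlate(flagged, clusters))
```

The correlation is the useful part: the Notify entry names the one file that is live inside winlogon.exe and therefore cannot be deleted from a normal desktop session, while the cluster lists the spare copies it will switch to, which is why the fix has to remove the registry entry and the whole cluster in the same reboot.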

#14 OldTimer
    Malware Expert

Posted 14 April 2005 - 06:39 PM

Hi xbspaul. Well, now I know what it is so we can deal with it. When you get your next opportunity please do the following:

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop:
  • Double click l2mfix.bat to start the program.
  • Select option #4 for Merge Winlogon Notify Defaults by typing 4 and then pressing the Enter key.
  • Next, select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

I will review the new information when it comes in.

Cheers.

OT

#15 xbspaul
    Topic Starter

Posted 22 April 2005 - 04:00 AM

Thanks, OT. Please find attached the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 09:56:46, on 22/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\EasiDock\Dockmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Simpson\My Documents\downloads\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EasiDockMon] \EasiDock\Dockmon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2f\Disk_Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://my.ebay.co.uk
O15 - Trusted Zone: http://*.elsmar.com
O15 - Trusted Zone: http://isotc.iso.org
O15 - Trusted Zone: http://www.northamptonsaints.co.uk
O15 - Trusted Zone: http://www.downloads.subratam.org
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = group.sira.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = group.sira.co.uk
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And the other log file:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Paul Simpson\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Paul Simpson\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Paul Simpson\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1984 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 400 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\abi3duag.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bdtsprx3.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bldispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cyb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dscpmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e420lefm1h2a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ecntagnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\EdnClass.Dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ennsl1571.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ey.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f6l0lg3m16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2003fme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8203loe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8m03l1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpr4l39q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i0lola331d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iasecsnp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir2ol5f31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k880lilm18qa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktn4l75q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l88m0il1e8q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgasn1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mid32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzjet35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nvlanui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nztevent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oge2nls.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Pe802_11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rXssapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ryr20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sgorage.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skcurity.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\syfolder.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\unrdpa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wbiprop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcninet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wuadefui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xJctsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xrsp1res.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\abi3duag.dll
Successfully Deleted: C:\WINDOWS\system32\abi3duag.dll
deleting: C:\WINDOWS\system32\bdtsprx3.dll
Successfully Deleted: C:\WINDOWS\system32\bdtsprx3.dll
deleting: C:\WINDOWS\system32\bldispl.dll
Successfully Deleted: C:\WINDOWS\system32\bldispl.dll
deleting: C:\WINDOWS\system32\cyb.dll
Successfully Deleted: C:\WINDOWS\system32\cyb.dll
deleting: C:\WINDOWS\system32\dscpmon.dll
Successfully Deleted: C:\WINDOWS\system32\dscpmon.dll
deleting: C:\WINDOWS\system32\e420lefm1h2a.dll
Successfully Deleted: C:\WINDOWS\system32\e420lefm1h2a.dll
deleting: C:\WINDOWS\system32\ecntagnt.dll
Successfully Deleted: C:\WINDOWS\system32\ecntagnt.dll
deleting: C:\WINDOWS\system32\EdnClass.Dll
Successfully Deleted: C:\WINDOWS\system32\EdnClass.Dll
deleting: C:\WINDOWS\system32\ennsl1571.dll
Successfully Deleted: C:\WINDOWS\system32\ennsl1571.dll
deleting: C:\WINDOWS\system32\ey.dll
Successfully Deleted: C:\WINDOWS\system32\ey.dll
deleting: C:\WINDOWS\system32\f6l0lg3m16.dll
Successfully Deleted: C:\WINDOWS\system32\f6l0lg3m16.dll
deleting: C:\WINDOWS\system32\fp2003fme.dll
Successfully Deleted: C:\WINDOWS\system32\fp2003fme.dll
deleting: C:\WINDOWS\system32\fp8203loe.dll
Successfully Deleted: C:\WINDOWS\system32\fp8203loe.dll
deleting: C:\WINDOWS\system32\fp8m03l1e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8m03l1e.dll
deleting: C:\WINDOWS\system32\gpr4l39q1.dll
Successfully Deleted: C:\WINDOWS\system32\gpr4l39q1.dll
deleting: C:\WINDOWS\system32\i0lola331d.dll
Successfully Deleted: C:\WINDOWS\system32\i0lola331d.dll
deleting: C:\WINDOWS\system32\iasecsnp.dll
Successfully Deleted: C:\WINDOWS\system32\iasecsnp.dll
deleting: C:\WINDOWS\system32\ir2ol5f31.dll
Successfully Deleted: C:\WINDOWS\system32\ir2ol5f31.dll
deleting: C:\WINDOWS\system32\iwss.dll
Successfully Deleted: C:\WINDOWS\system32\iwss.dll
deleting: C:\WINDOWS\system32\k880lilm18qa.dll
Successfully Deleted: C:\WINDOWS\system32\k880lilm18qa.dll
deleting: C:\WINDOWS\system32\ktn4l75q1.dll
Successfully Deleted: C:\WINDOWS\system32\ktn4l75q1.dll
deleting: C:\WINDOWS\system32\l88m0il1e8q.dll
Successfully Deleted: C:\WINDOWS\system32\l88m0il1e8q.dll
deleting: C:\WINDOWS\system32\mgasn1.dll
Successfully Deleted: C:\WINDOWS\system32\mgasn1.dll
deleting: C:\WINDOWS\system32\mid32.dll
Successfully Deleted: C:\WINDOWS\system32\mid32.dll
deleting: C:\WINDOWS\system32\mjimg32.dll
Successfully Deleted: C:\WINDOWS\system32\mjimg32.dll
deleting: C:\WINDOWS\system32\mzjet35.dll
Successfully Deleted: C:\WINDOWS\system32\mzjet35.dll
deleting: C:\WINDOWS\system32\nvlanui.dll
Successfully Deleted: C:\WINDOWS\system32\nvlanui.dll
deleting: C:\WINDOWS\system32\nztevent.dll
Successfully Deleted: C:\WINDOWS\system32\nztevent.dll
deleting: C:\WINDOWS\system32\oge2nls.dll
Successfully Deleted: C:\WINDOWS\system32\oge2nls.dll
deleting: C:\WINDOWS\system32\Pe802_11.dll
Successfully Deleted: C:\WINDOWS\system32\Pe802_11.dll
deleting: C:\WINDOWS\system32\rXssapi.dll
Successfully Deleted: C:\WINDOWS\system32\rXssapi.dll
deleting: C:\WINDOWS\system32\ryr20.dll
Successfully Deleted: C:\WINDOWS\system32\ryr20.dll
deleting: C:\WINDOWS\system32\sgorage.dll
Successfully Deleted: C:\WINDOWS\system32\sgorage.dll
deleting: C:\WINDOWS\system32\skcurity.dll
Successfully Deleted: C:\WINDOWS\system32\skcurity.dll
deleting: C:\WINDOWS\system32\syfolder.dll
Successfully Deleted: C:\WINDOWS\system32\syfolder.dll
deleting: C:\WINDOWS\system32\unrdpa.dll
Successfully Deleted: C:\WINDOWS\system32\unrdpa.dll
deleting: C:\WINDOWS\system32\wbiprop.dll
Successfully Deleted: C:\WINDOWS\system32\wbiprop.dll
deleting: C:\WINDOWS\system32\wcninet.dll
Successfully Deleted: C:\WINDOWS\system32\wcninet.dll
deleting: C:\WINDOWS\system32\wuadefui.dll
Successfully Deleted: C:\WINDOWS\system32\wuadefui.dll
deleting: C:\WINDOWS\system32\xJctsrv.dll
Successfully Deleted: C:\WINDOWS\system32\xJctsrv.dll
deleting: C:\WINDOWS\system32\xrsp1res.dll
Successfully Deleted: C:\WINDOWS\system32\xrsp1res.dll


Zipping up files for submission:
adding: abi3duag.dll (160 bytes security) (deflated 4%)
adding: bdtsprx3.dll (160 bytes security) (deflated 4%)
adding: bldispl.dll (160 bytes security) (deflated 4%)
adding: cyb.dll (160 bytes security) (deflated 4%)
adding: dscpmon.dll (160 bytes security) (deflated 4%)
adding: e420lefm1h2a.dll (160 bytes security) (deflated 5%)
adding: ecntagnt.dll (160 bytes security) (deflated 4%)
adding: EdnClass.Dll (160 bytes security) (deflated 5%)
adding: ennsl1571.dll (160 bytes security) (deflated 5%)
adding: ey.dll (160 bytes security) (deflated 4%)
adding: f6l0lg3m16.dll (160 bytes security) (deflated 5%)
adding: fp2003fme.dll (160 bytes security) (deflated 5%)
adding: fp8203loe.dll (160 bytes security) (deflated 4%)
adding: fp8m03l1e.dll (160 bytes security) (deflated 5%)
adding: gpr4l39q1.dll (160 bytes security) (deflated 4%)
adding: i0lola331d.dll (160 bytes security) (deflated 5%)
adding: iasecsnp.dll (160 bytes security) (deflated 5%)
adding: ir2ol5f31.dll (160 bytes security) (deflated 5%)
adding: iwss.dll (160 bytes security) (deflated 5%)
adding: k880lilm18qa.dll (160 bytes security) (deflated 5%)
adding: ktn4l75q1.dll (160 bytes security) (deflated 4%)
adding: l88m0il1e8q.dll (160 bytes security) (deflated 5%)
adding: mgasn1.dll (160 bytes security) (deflated 4%)
adding: mid32.dll (160 bytes security) (deflated 5%)
adding: mjimg32.dll (160 bytes security) (deflated 5%)
adding: mzjet35.dll (160 bytes security) (deflated 5%)
adding: nvlanui.dll (160 bytes security) (deflated 5%)
adding: nztevent.dll (160 bytes security) (deflated 5%)
adding: oge2nls.dll (160 bytes security) (deflated 4%)
adding: Pe802_11.dll (160 bytes security) (deflated 4%)
adding: rXssapi.dll (160 bytes security) (deflated 5%)
adding: ryr20.dll (160 bytes security) (deflated 5%)
adding: sgorage.dll (160 bytes security) (deflated 5%)
adding: skcurity.dll (160 bytes security) (deflated 4%)
adding: syfolder.dll (160 bytes security) (deflated 5%)
adding: unrdpa.dll (160 bytes security) (deflated 5%)
adding: wbiprop.dll (160 bytes security) (deflated 5%)
adding: wcninet.dll (160 bytes security) (deflated 4%)
adding: wuadefui.dll (160 bytes security) (deflated 4%)
adding: xJctsrv.dll (160 bytes security) (deflated 4%)
adding: xrsp1res.dll (160 bytes security) (deflated 4%)
adding: clear.reg (160 bytes security) (deflated 58%)
adding: echo.reg (160 bytes security) (deflated 9%)
adding: direct.txt (160 bytes security) (stored 0%)
adding: lo2.txt (160 bytes security) (deflated 93%)
adding: readme.txt (160 bytes security) (deflated 49%)
adding: test.txt (160 bytes security) (deflated 82%)
adding: test2.txt (160 bytes security) (deflated 42%)
adding: test3.txt (160 bytes security) (deflated 40%)
adding: test5.txt (160 bytes security) (deflated 42%)
adding: xfind.txt (160 bytes security) (deflated 77%)
adding: backregs/1812BF7C-A10D-4C63-996F-B85BDFA41004.reg (160 bytes security) (deflated 70%)
adding: backregs/34AF6EF7-8E24-45CD-883B-2F561B6420E9.reg (160 bytes security) (deflated 70%)
adding: backregs/553C833F-B083-4049-941B-43A612F49F10.reg (160 bytes security) (deflated 70%)
adding: backregs/B366F4E3-3E40-4E3D-B76D-F6187788128B.reg (160 bytes security) (deflated 70%)
adding: backregs/D7D83A74-CECB-4BC6-B114-DA66BAE4F43A.reg (160 bytes security) (deflated 69%)
adding: backregs/EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB.reg (160 bytes security) (deflated 70%)
adding: backregs/notibac.reg (160 bytes security) (deflated 87%)
adding: backregs/shell.reg (160 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: abi3duag.dll
deleting local copy: bdtsprx3.dll
deleting local copy: bldispl.dll
deleting local copy: cyb.dll
deleting local copy: dscpmon.dll
deleting local copy: e420lefm1h2a.dll
deleting local copy: ecntagnt.dll
deleting local copy: EdnClass.Dll
deleting local copy: ennsl1571.dll
deleting local copy: ey.dll
deleting local copy: f6l0lg3m16.dll
deleting local copy: fp2003fme.dll
deleting local copy: fp8203loe.dll
deleting local copy: fp8m03l1e.dll
deleting local copy: gpr4l39q1.dll
deleting local copy: i0lola331d.dll
deleting local copy: iasecsnp.dll
deleting local copy: ir2ol5f31.dll
deleting local copy: iwss.dll
deleting local copy: k880lilm18qa.dll
deleting local copy: ktn4l75q1.dll
deleting local copy: l88m0il1e8q.dll
deleting local copy: mgasn1.dll
deleting local copy: mid32.dll
deleting local copy: mjimg32.dll
deleting local copy: mzjet35.dll
deleting local copy: nvlanui.dll
deleting local copy: nztevent.dll
deleting local copy: oge2nls.dll
deleting local copy: Pe802_11.dll
deleting local copy: rXssapi.dll
deleting local copy: ryr20.dll
deleting local copy: sgorage.dll
deleting local copy: skcurity.dll
deleting local copy: syfolder.dll
deleting local copy: unrdpa.dll
deleting local copy: wbiprop.dll
deleting local copy: wcninet.dll
deleting local copy: wuadefui.dll
deleting local copy: xJctsrv.dll
deleting local copy: xrsp1res.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\abi3duag.dll
C:\WINDOWS\system32\bdtsprx3.dll
C:\WINDOWS\system32\bldispl.dll
C:\WINDOWS\system32\cyb.dll
C:\WINDOWS\system32\dscpmon.dll
C:\WINDOWS\system32\e420lefm1h2a.dll
C:\WINDOWS\system32\ecntagnt.dll
C:\WINDOWS\system32\EdnClass.Dll
C:\WINDOWS\system32\ennsl1571.dll
C:\WINDOWS\system32\ey.dll
C:\WINDOWS\system32\f6l0lg3m16.dll
C:\WINDOWS\system32\fp2003fme.dll
C:\WINDOWS\system32\fp8203loe.dll
C:\WINDOWS\system32\fp8m03l1e.dll
C:\WINDOWS\system32\gpr4l39q1.dll
C:\WINDOWS\system32\i0lola331d.dll
C:\WINDOWS\system32\iasecsnp.dll
C:\WINDOWS\system32\ir2ol5f31.dll
C:\WINDOWS\system32\iwss.dll
C:\WINDOWS\system32\k880lilm18qa.dll
C:\WINDOWS\system32\ktn4l75q1.dll
C:\WINDOWS\system32\l88m0il1e8q.dll
C:\WINDOWS\system32\mgasn1.dll
C:\WINDOWS\system32\mid32.dll
C:\WINDOWS\system32\mjimg32.dll
C:\WINDOWS\system32\mzjet35.dll
C:\WINDOWS\system32\nvlanui.dll
C:\WINDOWS\system32\nztevent.dll
C:\WINDOWS\system32\oge2nls.dll
C:\WINDOWS\system32\Pe802_11.dll
C:\WINDOWS\system32\rXssapi.dll
C:\WINDOWS\system32\ryr20.dll
C:\WINDOWS\system32\sgorage.dll
C:\WINDOWS\system32\skcurity.dll
C:\WINDOWS\system32\syfolder.dll
C:\WINDOWS\system32\unrdpa.dll
C:\WINDOWS\system32\wbiprop.dll
C:\WINDOWS\system32\wcninet.dll
C:\WINDOWS\system32\wuadefui.dll
C:\WINDOWS\system32\xJctsrv.dll
C:\WINDOWS\system32\xrsp1res.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}"=-
"{553C833F-B083-4049-941B-43A612F49F10}"=-
"{1812BF7C-A10D-4C63-996F-B85BDFA41004}"=-
"{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}"=-
"{34AF6EF7-8E24-45CD-883B-2F561B6420E9}"=-
"{B366F4E3-3E40-4E3D-B76D-F6187788128B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D7D83A74-CECB-4BC6-B114-DA66BAE4F43A}]
[-HKEY_CLASSES_ROOT\CLSID\{553C833F-B083-4049-941B-43A612F49F10}]
[-HKEY_CLASSES_ROOT\CLSID\{1812BF7C-A10D-4C63-996F-B85BDFA41004}]
[-HKEY_CLASSES_ROOT\CLSID\{EF9E6EE9-2F9A-4FC6-ABC4-E399678483DB}]
[-HKEY_CLASSES_ROOT\CLSID\{34AF6EF7-8E24-45CD-883B-2F561B6420E9}]
[-HKEY_CLASSES_ROOT\CLSID\{B366F4E3-3E40-4E3D-B76D-F6187788128B}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


I look forward to hearing from you. Regards, XBSPAUL



