Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijackthis log


  • Please log in to reply
21 replies to this topic

#1 netsolutions

netsolutions

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 15 April 2005 - 10:41 PM

I have a dell system running XP home. I have run spybot, counterspy and adaware and everything shows clean but i am still getting popups appearing on an irregular basis with nothing else running. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:27:24 PM, on 4/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitetcd32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk08141US
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56816191-72B7-4A7E-B5C3-6B3A357C0241}: NameServer = 10.1.1.9
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\mvp0l97m1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 15 April 2005 - 10:32 PM

Hello netsolutions and welcome to the BC forums. It appears that you have an L2M infection. Please do the following:
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the entire content of that log into this thread and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 18 April 2005 - 01:41 PM

OT here is the report file from l2mfix.

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u8ruli9918.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{641A9C0E-F417-23D5-A8EB-B62D3B3C0EA0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{087CD559-E49F-45FA-98AE-EA2C64D678FC}"=""
"{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}"=""
"{C3B11514-9569-456E-B8E1-BD67134CB90A}"=""
"{29033996-7D23-4A84-8690-AAE92ADC1D6E}"=""
"{3B759D4E-12A9-4E83-AE72-7C52A460E24D}"=""
"{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}"=""
"{E93DDD09-2F39-488B-8B5F-F14E26BFB251}"=""
"{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}"=""
"{E2A89356-4F94-43F9-99A5-460B08AF7327}"=""
"{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}"=""
"{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}"=""
"{DB6F0005-21FA-47B6-9705-5C4781024F27}"=""
"{C8368372-48AB-4FA5-9CCC-4FBB13897908}"=""
"{98015F2F-3048-41AD-A404-8F0AD2D152AE}"=""
"{EDC422C2-183B-4CF0-B427-1E173A52C74A}"=""
"{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}"=""
"{66ACA7BA-640A-4321-B4D1-BBFD515119A0}"=""
"{CA671057-2C01-4C33-A09E-9543202DCFA7}"=""
"{E77D96D6-A277-4744-B41C-0F8E219DE9B0}"=""
"{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}"=""
"{021A66A5-E395-4272-88D8-42311A991B22}"=""
"{4B32A5C8-257C-441D-B809-76188BFE6218}"=""
"{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}"=""
"{D342913C-08E3-479A-845F-B8320AC7602C}"=""
"{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}"=""
"{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}"=""
"{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}"=""
"{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}"=""
"{5B7862A5-4E08-4935-81DD-B493E0190B0A}"=""
"{39D1E582-4F82-4737-B2A7-28F32D867608}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{087CD559-E49F-45FA-98AE-EA2C64D678FC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{087CD559-E49F-45FA-98AE-EA2C64D678FC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{087CD559-E49F-45FA-98AE-EA2C64D678FC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{087CD559-E49F-45FA-98AE-EA2C64D678FC}\InprocServer32]
@="C:\\WINDOWS\\system32\\TDRMMGR.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}\InprocServer32]
@="C:\\WINDOWS\\system32\\MYGENTR.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C3B11514-9569-456E-B8E1-BD67134CB90A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B11514-9569-456E-B8E1-BD67134CB90A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B11514-9569-456E-B8E1-BD67134CB90A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B11514-9569-456E-B8E1-BD67134CB90A}\InprocServer32]
@="C:\\WINDOWS\\system32\\MCRLE32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{29033996-7D23-4A84-8690-AAE92ADC1D6E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29033996-7D23-4A84-8690-AAE92ADC1D6E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29033996-7D23-4A84-8690-AAE92ADC1D6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{29033996-7D23-4A84-8690-AAE92ADC1D6E}\InprocServer32]
@="C:\\WINDOWS\\system32\\NKLANUI2.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3B759D4E-12A9-4E83-AE72-7C52A460E24D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B759D4E-12A9-4E83-AE72-7C52A460E24D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B759D4E-12A9-4E83-AE72-7C52A460E24D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B759D4E-12A9-4E83-AE72-7C52A460E24D}\InprocServer32]
@="C:\\WINDOWS\\system32\\DJDRAMP.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}\InprocServer32]
@="C:\\WINDOWS\\system32\\MPRDO20.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E93DDD09-2F39-488B-8B5F-F14E26BFB251}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{E93DDD09-2F39-488B-8B5F-F14E26BFB251}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E93DDD09-2F39-488B-8B5F-F14E26BFB251}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E93DDD09-2F39-488B-8B5F-F14E26BFB251}\InprocServer32]
@="C:\\WINDOWS\\system32\\NFMSDBA.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}\InprocServer32]
@="C:\\WINDOWS\\system32\\LEADPERF.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}\InprocServer32]
@="C:\\WINDOWS\\system32\\SCI_CI.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2A89356-4F94-43F9-99A5-460B08AF7327}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2A89356-4F94-43F9-99A5-460B08AF7327}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2A89356-4F94-43F9-99A5-460B08AF7327}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2A89356-4F94-43F9-99A5-460B08AF7327}\InprocServer32]
@="C:\\WINDOWS\\system32\\LUADPERF.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}\InprocServer32]
@="C:\\WINDOWS\\system32\\duwsockx.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB6F0005-21FA-47B6-9705-5C4781024F27}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB6F0005-21FA-47B6-9705-5C4781024F27}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB6F0005-21FA-47B6-9705-5C4781024F27}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB6F0005-21FA-47B6-9705-5C4781024F27}\InprocServer32]
@="C:\\WINDOWS\\system32\\CPMREPL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8368372-48AB-4FA5-9CCC-4FBB13897908}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8368372-48AB-4FA5-9CCC-4FBB13897908}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8368372-48AB-4FA5-9CCC-4FBB13897908}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8368372-48AB-4FA5-9CCC-4FBB13897908}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{98015F2F-3048-41AD-A404-8F0AD2D152AE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98015F2F-3048-41AD-A404-8F0AD2D152AE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98015F2F-3048-41AD-A404-8F0AD2D152AE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98015F2F-3048-41AD-A404-8F0AD2D152AE}\InprocServer32]
@="C:\\WINDOWS\\system32\\IHCTL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDC422C2-183B-4CF0-B427-1E173A52C74A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDC422C2-183B-4CF0-B427-1E173A52C74A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDC422C2-183B-4CF0-B427-1E173A52C74A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDC422C2-183B-4CF0-B427-1E173A52C74A}\InprocServer32]
@="C:\\WINDOWS\\system32\\ckyptui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{66ACA7BA-640A-4321-B4D1-BBFD515119A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66ACA7BA-640A-4321-B4D1-BBFD515119A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66ACA7BA-640A-4321-B4D1-BBFD515119A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66ACA7BA-640A-4321-B4D1-BBFD515119A0}\InprocServer32]
@="C:\\WINDOWS\\system32\\RCSAUTO.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CA671057-2C01-4C33-A09E-9543202DCFA7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA671057-2C01-4C33-A09E-9543202DCFA7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA671057-2C01-4C33-A09E-9543202DCFA7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA671057-2C01-4C33-A09E-9543202DCFA7}\InprocServer32]
@="C:\\WINDOWS\\system32\\EEENTCLS.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E77D96D6-A277-4744-B41C-0F8E219DE9B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E77D96D6-A277-4744-B41C-0F8E219DE9B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E77D96D6-A277-4744-B41C-0F8E219DE9B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E77D96D6-A277-4744-B41C-0F8E219DE9B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}\InprocServer32]
@="C:\\WINDOWS\\system32\\IXWDIAL.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{021A66A5-E395-4272-88D8-42311A991B22}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{021A66A5-E395-4272-88D8-42311A991B22}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{021A66A5-E395-4272-88D8-42311A991B22}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{021A66A5-E395-4272-88D8-42311A991B22}\InprocServer32]
@="C:\\WINDOWS\\system32\\discript.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4B32A5C8-257C-441D-B809-76188BFE6218}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B32A5C8-257C-441D-B809-76188BFE6218}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B32A5C8-257C-441D-B809-76188BFE6218}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B32A5C8-257C-441D-B809-76188BFE6218}\InprocServer32]
@="C:\\WINDOWS\\system32\\FLCLIENT.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D342913C-08E3-479A-845F-B8320AC7602C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D342913C-08E3-479A-845F-B8320AC7602C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D342913C-08E3-479A-845F-B8320AC7602C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D342913C-08E3-479A-845F-B8320AC7602C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}\InprocServer32]
@="C:\\WINDOWS\\system32\\MTRICONS.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}\InprocServer32]
@="C:\\WINDOWS\\system32\\ST2EVNT1.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}\InprocServer32]
@="C:\\WINDOWS\\system32\\IFSSUBA.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5B7862A5-4E08-4935-81DD-B493E0190B0A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5B7862A5-4E08-4935-81DD-B493E0190B0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5B7862A5-4E08-4935-81DD-B493E0190B0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5B7862A5-4E08-4935-81DD-B493E0190B0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\IJSSAM.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39D1E582-4F82-4737-B2A7-28F32D867608}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39D1E582-4F82-4737-B2A7-28F32D867608}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39D1E582-4F82-4737-B2A7-28F32D867608}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39D1E582-4F82-4737-B2A7-28F32D867608}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 08E6-19B6

Directory of C:\WINDOWS\System32

04/18/2005 11:02 AM 234,021 guard.tmp
04/18/2005 10:55 AM 234,021 IJSSAM.DLL
04/17/2005 03:51 PM 235,798 k8440ihqe84e0.dll
04/17/2005 03:51 PM 234,021 IFSSUBA.DLL
04/17/2005 03:48 PM 234,021 u8ruli9918.dll
04/17/2005 03:20 PM 234,812 j8j60i1se8.dll
04/17/2005 01:58 PM 235,233 fp2603fse.dll
04/17/2005 01:58 PM 235,361 j04olah31d4.dll
04/17/2005 11:41 AM 235,032 ir86l5ls1.dll
04/16/2005 09:56 PM 233,059 fp2m03f1e.dll
04/15/2005 08:21 PM 232,348 ST2EVNT1.DLL
04/15/2005 01:47 PM 236,224 MTRICONS.DLL
04/15/2005 11:22 AM 233,139 s2rslc971f.dll
04/14/2005 10:58 PM 236,224 FLCLIENT.DLL
04/14/2005 04:28 PM 233,139 NBLANUI.DLL
04/12/2005 06:51 PM <DIR> DLLCACHE
09/07/2004 06:34 PM <DIR> Microsoft
15 File(s) 3,516,453 bytes
2 Dir(s) 64,267,952,128 bytes free

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 18 April 2005 - 04:24 PM

Hi netsolutions. Yup, there it is. Please do the following:

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop:
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 18 April 2005 - 08:25 PM

Here is the L2MFIX log

L2Mfix 1.03

Running From:
C:\l2mfixmidnite\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\l2mfixmidnite\l2mfix
System Rebooted!

Running From:
C:\l2mfixmidnite\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\FLCLIENT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2603fse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2m03f1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IFSSUBA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IJSSAM.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir86l5ls1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j04olah31d4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j8j60i1se8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MTRICONS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrul9991.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NBLANUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s2rslc971f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ST2EVNT1.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\FLCLIENT.DLL
Successfully Deleted: C:\WINDOWS\system32\FLCLIENT.DLL
deleting: C:\WINDOWS\system32\fp2603fse.dll
Successfully Deleted: C:\WINDOWS\system32\fp2603fse.dll
deleting: C:\WINDOWS\system32\fp2m03f1e.dll
Successfully Deleted: C:\WINDOWS\system32\fp2m03f1e.dll
deleting: C:\WINDOWS\system32\IFSSUBA.DLL
Successfully Deleted: C:\WINDOWS\system32\IFSSUBA.DLL
deleting: C:\WINDOWS\system32\IJSSAM.DLL
Successfully Deleted: C:\WINDOWS\system32\IJSSAM.DLL
deleting: C:\WINDOWS\system32\ir86l5ls1.dll
Successfully Deleted: C:\WINDOWS\system32\ir86l5ls1.dll
deleting: C:\WINDOWS\system32\j04olah31d4.dll
Successfully Deleted: C:\WINDOWS\system32\j04olah31d4.dll
deleting: C:\WINDOWS\system32\j8j60i1se8.dll
Successfully Deleted: C:\WINDOWS\system32\j8j60i1se8.dll
deleting: C:\WINDOWS\system32\MTRICONS.DLL
Successfully Deleted: C:\WINDOWS\system32\MTRICONS.DLL
deleting: C:\WINDOWS\system32\mvrul9991.dll
Successfully Deleted: C:\WINDOWS\system32\mvrul9991.dll
deleting: C:\WINDOWS\system32\NBLANUI.DLL
Successfully Deleted: C:\WINDOWS\system32\NBLANUI.DLL
deleting: C:\WINDOWS\system32\s2rslc971f.dll
Successfully Deleted: C:\WINDOWS\system32\s2rslc971f.dll
deleting: C:\WINDOWS\system32\ST2EVNT1.DLL
Successfully Deleted: C:\WINDOWS\system32\ST2EVNT1.DLL
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: FLCLIENT.DLL (188 bytes security) (deflated 6%)
adding: fp2603fse.dll (188 bytes security) (deflated 5%)
adding: fp2m03f1e.dll (188 bytes security) (deflated 4%)
adding: IFSSUBA.DLL (188 bytes security) (deflated 5%)
adding: IJSSAM.DLL (188 bytes security) (deflated 5%)
adding: ir86l5ls1.dll (188 bytes security) (deflated 5%)
adding: j04olah31d4.dll (188 bytes security) (deflated 5%)
adding: j8j60i1se8.dll (188 bytes security) (deflated 5%)
adding: MTRICONS.DLL (188 bytes security) (deflated 6%)
adding: mvrul9991.dll (188 bytes security) (deflated 5%)
adding: NBLANUI.DLL (188 bytes security) (deflated 4%)
adding: s2rslc971f.dll (188 bytes security) (deflated 4%)
adding: ST2EVNT1.DLL (188 bytes security) (deflated 4%)
adding: guard.tmp (188 bytes security) (deflated 6%)
adding: clear.reg (188 bytes security) (deflated 71%)
adding: echo.reg (188 bytes security) (deflated 10%)
adding: desktop.ini (188 bytes security) (deflated 14%)
adding: direct.txt (188 bytes security) (deflated 16%)
adding: lo2.txt (188 bytes security) (deflated 81%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: report.txt (188 bytes security) (deflated 76%)
adding: test.txt (188 bytes security) (deflated 73%)
adding: test2.txt (188 bytes security) (deflated 50%)
adding: test3.txt (188 bytes security) (deflated 50%)
adding: test5.txt (188 bytes security) (deflated 50%)
adding: xfind.txt (188 bytes security) (deflated 66%)
adding: backregs/021A66A5-E395-4272-88D8-42311A991B22.reg (188 bytes security) (deflated 70%)
adding: backregs/087CD559-E49F-45FA-98AE-EA2C64D678FC.reg (188 bytes security) (deflated 70%)
adding: backregs/29033996-7D23-4A84-8690-AAE92ADC1D6E.reg (188 bytes security) (deflated 70%)
adding: backregs/3575D627-108C-46A5-B6A2-52B3BFFCDA7B.reg (188 bytes security) (deflated 70%)
adding: backregs/39D1E582-4F82-4737-B2A7-28F32D867608.reg (188 bytes security) (deflated 70%)
adding: backregs/3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66.reg (188 bytes security) (deflated 70%)
adding: backregs/3B759D4E-12A9-4E83-AE72-7C52A460E24D.reg (188 bytes security) (deflated 70%)
adding: backregs/422AB022-38F4-4D69-A73B-B45C4A0D9B6B.reg (188 bytes security) (deflated 70%)
adding: backregs/47FD0FEB-DA74-46F2-9519-3FB104FA5EB8.reg (188 bytes security) (deflated 70%)
adding: backregs/4B32A5C8-257C-441D-B809-76188BFE6218.reg (188 bytes security) (deflated 70%)
adding: backregs/50C90B80-C7C1-4855-9FCC-06FE0DF9DA08.reg (188 bytes security) (deflated 70%)
adding: backregs/5B7862A5-4E08-4935-81DD-B493E0190B0A.reg (188 bytes security) (deflated 70%)
adding: backregs/5DD9EE8D-127C-4F40-8644-FB1B1AD2B193.reg (188 bytes security) (deflated 70%)
adding: backregs/66ACA7BA-640A-4321-B4D1-BBFD515119A0.reg (188 bytes security) (deflated 70%)
adding: backregs/95DF130A-BF91-4D58-93CF-590FEE5ABBAC.reg (188 bytes security) (deflated 70%)
adding: backregs/98015F2F-3048-41AD-A404-8F0AD2D152AE.reg (188 bytes security) (deflated 70%)
adding: backregs/9B0404C8-9DEC-47DA-A8E4-52906A1312DF.reg (188 bytes security) (deflated 70%)
adding: backregs/9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4.reg (188 bytes security) (deflated 70%)
adding: backregs/9E499AEB-1389-4FA5-B4E4-C6EA258C4311.reg (188 bytes security) (deflated 70%)
adding: backregs/A0E6E4ED-AE54-4E31-9B1D-81154045AE82.reg (188 bytes security) (deflated 70%)
adding: backregs/C10FF615-43B7-4272-9C89-DD6EACE4EF2B.reg (188 bytes security) (deflated 70%)
adding: backregs/C3B11514-9569-456E-B8E1-BD67134CB90A.reg (188 bytes security) (deflated 70%)
adding: backregs/C8368372-48AB-4FA5-9CCC-4FBB13897908.reg (188 bytes security) (deflated 70%)
adding: backregs/CA671057-2C01-4C33-A09E-9543202DCFA7.reg (188 bytes security) (deflated 70%)
adding: backregs/CAFC9C52-62CC-4F9D-97F1-65B6195DAB60.reg (188 bytes security) (deflated 70%)
adding: backregs/D342913C-08E3-479A-845F-B8320AC7602C.reg (188 bytes security) (deflated 70%)
adding: backregs/DB6F0005-21FA-47B6-9705-5C4781024F27.reg (188 bytes security) (deflated 70%)
adding: backregs/E2A89356-4F94-43F9-99A5-460B08AF7327.reg (188 bytes security) (deflated 70%)
adding: backregs/E77D96D6-A277-4744-B41C-0F8E219DE9B0.reg (188 bytes security) (deflated 70%)
adding: backregs/E93DDD09-2F39-488B-8B5F-F14E26BFB251.reg (188 bytes security) (deflated 69%)
adding: backregs/EDC422C2-183B-4CF0-B427-1E173A52C74A.reg (188 bytes security) (deflated 70%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: FLCLIENT.DLL
deleting local copy: fp2603fse.dll
deleting local copy: fp2m03f1e.dll
deleting local copy: IFSSUBA.DLL
deleting local copy: IJSSAM.DLL
deleting local copy: ir86l5ls1.dll
deleting local copy: j04olah31d4.dll
deleting local copy: j8j60i1se8.dll
deleting local copy: MTRICONS.DLL
deleting local copy: mvrul9991.dll
deleting local copy: NBLANUI.DLL
deleting local copy: s2rslc971f.dll
deleting local copy: ST2EVNT1.DLL
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\FLCLIENT.DLL
C:\WINDOWS\system32\fp2603fse.dll
C:\WINDOWS\system32\fp2m03f1e.dll
C:\WINDOWS\system32\IFSSUBA.DLL
C:\WINDOWS\system32\IJSSAM.DLL
C:\WINDOWS\system32\ir86l5ls1.dll
C:\WINDOWS\system32\j04olah31d4.dll
C:\WINDOWS\system32\j8j60i1se8.dll
C:\WINDOWS\system32\MTRICONS.DLL
C:\WINDOWS\system32\mvrul9991.dll
C:\WINDOWS\system32\NBLANUI.DLL
C:\WINDOWS\system32\s2rslc971f.dll
C:\WINDOWS\system32\ST2EVNT1.DLL
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{087CD559-E49F-45FA-98AE-EA2C64D678FC}"=-
"{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}"=-
"{C3B11514-9569-456E-B8E1-BD67134CB90A}"=-
"{29033996-7D23-4A84-8690-AAE92ADC1D6E}"=-
"{3B759D4E-12A9-4E83-AE72-7C52A460E24D}"=-
"{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}"=-
"{E93DDD09-2F39-488B-8B5F-F14E26BFB251}"=-
"{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}"=-
"{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}"=-
"{E2A89356-4F94-43F9-99A5-460B08AF7327}"=-
"{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}"=-
"{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}"=-
"{DB6F0005-21FA-47B6-9705-5C4781024F27}"=-
"{C8368372-48AB-4FA5-9CCC-4FBB13897908}"=-
"{98015F2F-3048-41AD-A404-8F0AD2D152AE}"=-
"{EDC422C2-183B-4CF0-B427-1E173A52C74A}"=-
"{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}"=-
"{66ACA7BA-640A-4321-B4D1-BBFD515119A0}"=-
"{CA671057-2C01-4C33-A09E-9543202DCFA7}"=-
"{E77D96D6-A277-4744-B41C-0F8E219DE9B0}"=-
"{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}"=-
"{021A66A5-E395-4272-88D8-42311A991B22}"=-
"{4B32A5C8-257C-441D-B809-76188BFE6218}"=-
"{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}"=-
"{D342913C-08E3-479A-845F-B8320AC7602C}"=-
"{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}"=-
"{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}"=-
"{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}"=-
"{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}"=-
"{5B7862A5-4E08-4935-81DD-B493E0190B0A}"=-
"{39D1E582-4F82-4737-B2A7-28F32D867608}"=-
[-HKEY_CLASSES_ROOT\CLSID\{087CD559-E49F-45FA-98AE-EA2C64D678FC}]
[-HKEY_CLASSES_ROOT\CLSID\{50C90B80-C7C1-4855-9FCC-06FE0DF9DA08}]
[-HKEY_CLASSES_ROOT\CLSID\{C3B11514-9569-456E-B8E1-BD67134CB90A}]
[-HKEY_CLASSES_ROOT\CLSID\{29033996-7D23-4A84-8690-AAE92ADC1D6E}]
[-HKEY_CLASSES_ROOT\CLSID\{3B759D4E-12A9-4E83-AE72-7C52A460E24D}]
[-HKEY_CLASSES_ROOT\CLSID\{A0E6E4ED-AE54-4E31-9B1D-81154045AE82}]
[-HKEY_CLASSES_ROOT\CLSID\{E93DDD09-2F39-488B-8B5F-F14E26BFB251}]
[-HKEY_CLASSES_ROOT\CLSID\{3A8375A5-C3A4-4D6D-8DD4-CF63C4A59C66}]
[-HKEY_CLASSES_ROOT\CLSID\{422AB022-38F4-4D69-A73B-B45C4A0D9B6B}]
[-HKEY_CLASSES_ROOT\CLSID\{E2A89356-4F94-43F9-99A5-460B08AF7327}]
[-HKEY_CLASSES_ROOT\CLSID\{C10FF615-43B7-4272-9C89-DD6EACE4EF2B}]
[-HKEY_CLASSES_ROOT\CLSID\{47FD0FEB-DA74-46F2-9519-3FB104FA5EB8}]
[-HKEY_CLASSES_ROOT\CLSID\{DB6F0005-21FA-47B6-9705-5C4781024F27}]
[-HKEY_CLASSES_ROOT\CLSID\{C8368372-48AB-4FA5-9CCC-4FBB13897908}]
[-HKEY_CLASSES_ROOT\CLSID\{98015F2F-3048-41AD-A404-8F0AD2D152AE}]
[-HKEY_CLASSES_ROOT\CLSID\{EDC422C2-183B-4CF0-B427-1E173A52C74A}]
[-HKEY_CLASSES_ROOT\CLSID\{9B3CDF8C-5A40-4C3F-B591-A8E072DF6EB4}]
[-HKEY_CLASSES_ROOT\CLSID\{66ACA7BA-640A-4321-B4D1-BBFD515119A0}]
[-HKEY_CLASSES_ROOT\CLSID\{CA671057-2C01-4C33-A09E-9543202DCFA7}]
[-HKEY_CLASSES_ROOT\CLSID\{E77D96D6-A277-4744-B41C-0F8E219DE9B0}]
[-HKEY_CLASSES_ROOT\CLSID\{9B0404C8-9DEC-47DA-A8E4-52906A1312DF}]
[-HKEY_CLASSES_ROOT\CLSID\{021A66A5-E395-4272-88D8-42311A991B22}]
[-HKEY_CLASSES_ROOT\CLSID\{4B32A5C8-257C-441D-B809-76188BFE6218}]
[-HKEY_CLASSES_ROOT\CLSID\{3575D627-108C-46A5-B6A2-52B3BFFCDA7B}]
[-HKEY_CLASSES_ROOT\CLSID\{D342913C-08E3-479A-845F-B8320AC7602C}]
[-HKEY_CLASSES_ROOT\CLSID\{9E499AEB-1389-4FA5-B4E4-C6EA258C4311}]
[-HKEY_CLASSES_ROOT\CLSID\{CAFC9C52-62CC-4F9D-97F1-65B6195DAB60}]
[-HKEY_CLASSES_ROOT\CLSID\{95DF130A-BF91-4D58-93CF-590FEE5ABBAC}]
[-HKEY_CLASSES_ROOT\CLSID\{5DD9EE8D-127C-4F40-8644-FB1B1AD2B193}]
[-HKEY_CLASSES_ROOT\CLSID\{5B7862A5-4E08-4935-81DD-B493E0190B0A}]
[-HKEY_CLASSES_ROOT\CLSID\{39D1E582-4F82-4737-B2A7-28F32D867608}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{F435007C-256C-4624-9E24-BFBDB33B1529}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************



and the HighJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:42:13 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\vnarak.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitetcd32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msxml2r] C:\WINDOWS\System32\msxml2r.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk08141US
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 18 April 2005 - 11:23 PM

Hi netsolutions. Good, that took care of the L2m infection. Now let's get the rest of them. Please proceed with the following steps in order.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitetcd32.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O4 - HKCU\..\Run: [msxml2r] C:\WINDOWS\System32\msxml2r.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk08141US
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\svcproc.exe
C:\windows\system32\elitetcd32.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\vnarak.exe
C:\WINDOWS\System32\msxml2r.exe
C:\PROGRAM FILES\ezula\ <--folder
C:\PROGRAM FILES\Web Offer\ <--folder

Step #3

Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply buuton to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 19 April 2005 - 04:03 PM

here are some logs.

The first one is after all the steps and a reboot.
note that vnarak.exe is back in the registry.

The second is after another hijackthisrun, deleting the vnarak.exe registry entry and before a reboot.

The third is after a reboot. vnarak.exe registry entry is back.

Counterspy is stopping it from running but why is it continuing to come back?

ONE

Logfile of HijackThis v1.99.1
Scan saved at 1:42:04 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntud.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



TWO

Logfile of HijackThis v1.99.1
Scan saved at 1:43:40 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntud.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


THREE

Logfile of HijackThis v1.99.1
Scan saved at 1:46:25 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntud.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 19 April 2005 - 06:02 PM

Hi netsolutions. Please do this:
  • Download FindQoologic2.zip save it to your Desktop.
  • Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
  • Double-click the Find-Qoologic2.bat file to run it. It will take some time so be patient.
  • When Notepad opens with the results in it copy/paste the entire contents of the document back here.
That is the only information that I need at this time.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 20 April 2005 - 03:37 PM

Here is the log


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
desktop.ini

User Startup:
C:\Documents and Settings\mwhall\Start Menu\Programs\Startup
.
..
Coloreal Lite.lnk
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 17:05
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

#10 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 20 April 2005 - 03:43 PM

Sorry, wrong file, here is the correct one


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online 9.0 Tray Icon.lnk
DESKTOP.INI
LimeWire 4.2.6.lnk
ntud.exe
RtlWake.lnk

User Startup:
C:\Documents and Settings\Midnight\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgsxts
<NO NAME> REG_SZ {419649ba-5cc9-4368-a6a7-3fed075e072f}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 13:40
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
"4efc196c-c6b5-4813-9bd6-6efa641e106b\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\boxcxmr.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 20 April 2005 - 06:34 PM

Hi netsolutions. Ok, we have a Qoologic infection here to so let's take care of that. Please open Notepad and copy/paste these directions into the new document and save it to your desktop to use as we proceed. Then perform the following steps.

Step #1
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the option Delete on Reboot
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\System32\ntud.exe
      C:\WINDOWS\System32\boxcxmr.exe
      C:\WINDOWS\System32\vnarak.exe
      C:\WINDOWS\svcproc.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • After your system reboots, open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4efc196c-c6b5-4813-9bd6-6efa641e106b}]
[-HKEY_CLASSES_ROOT\CLSID\{4efc196c-c6b5-4813-9bd6-6efa641e106b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4efc196c-c6b5-4813-9bd6-6efa641e106b}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgsxts]
[-HKEY_CLASSES_ROOT\CLSID\{419649ba-5cc9-4368-a6a7-3fed075e072f}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{419649ba-5cc9-4368-a6a7-3fed075e072f}]

  • Save the document to your desktop as fixqoo.reg and close Notepad. Locate the fixqoo.reg file on your desktop and right-click on it
  • Choose Merge from the popup menu and answer Yes or Ok to any further prompts
  • Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    • <items>
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Reboot and post a new HijackThis log along with a new Find-Qoologic2.bat log
I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#12 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 April 2005 - 01:43 PM

What Items am suppose to be looking for in HijackThis?

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 21 April 2005 - 01:56 PM

Oh silly me. I must have been tired last night. Sorry about that.

Look for the following entries:O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

I also still recommend removing Limewire. See this link for infected P2P applications:

Clean and Infected File Sharing Programs

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#14 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:02 AM

Posted 21 April 2005 - 04:16 PM

Hi OT,

Here are the logs

Logfile of HijackThis v1.99.1
Scan saved at 2:12:37 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntud.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnarak.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




and 2

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online 9.0 Tray Icon.lnk
DESKTOP.INI
LimeWire 4.2.6.lnk
ntud.exe
RtlWake.lnk

User Startup:
C:\Documents and Settings\Midnight\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgsxts
<NO NAME> REG_SZ {a917dac9-da21-4faf-9222-64e37d5d4084}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 14:13
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
"4efc196c-c6b5-4813-9bd6-6efa641e106b\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\boxcxmr.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:02 AM

Posted 21 April 2005 - 07:01 PM

Hmmm. Those should have been gone. They are not showing up here. Let's try something else.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users