Need help Pleeease!


17 replies to this topic

#1 nimdeos
  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 30 April 2005 - 12:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 2:37:58 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\BeoPlayer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Beoplayertray] C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BeoPlayer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...ei_install2.cab
O16 - DPF: {32CE8465-2D18-4AEE-9098-837844E6E926} (OcxChart Control) - http://version.edaily.co.kr/version/EDACHART/OcxChart.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://files.kornet.net/sw5/order/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.mybank.co.kr/efps/xw_install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {C854C4D1-ED53-4B1F-AA45-783B3CF3315C} (DacomUpload Control) - http://program.webhard.co.kr/Plus/active_u...DacomUpload.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azesearch.com/install/azesearch.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\n6r2lg9o16.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
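As an added example (not part of this thread, and not code from HijackThis), the Python script below triages a log in the format above: it parses the O4, O16, O18 and O20 lines and flags the patterns a reviewer usually looks at first. The heuristics (an autostart living in a non-standard folder under the Windows directory, an ActiveX download entry with no source URL, a MIME filter registered for text/html, a Winlogon Notify DLL outside a known-good set) and the known-good list are this example's own assumptions, not HijackThis rules; the sample input is copied from the log above so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\n6r2lg9o16.dll
"""

# Notify DLLs that appear as standard in the L2MFix export later in this thread, plus
# Intel's igfxsrvc.dll. Anything else is flagged (an assumption of this example).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}
# Subfolders of the Windows directory where autostart binaries normally live.
WINDIR_OK_SUBDIRS = {"system32", "system"}

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
O18_FILTER = re.compile(r"^Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com))"?(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def exe_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing switches from an O4 command line."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def in_unusual_windir_subdir(path: str) -> bool:
    """True for paths like C:/WINDOWS/<subdir>/file where <subdir> is not system or system32."""
    parts = path.lower().replace("/", "\\").split("\\")
    return (len(parts) >= 4 and parts[0].endswith(":") and parts[1] == "windows"
            and parts[2] not in WINDIR_OK_SUBDIRS)


def triage(log_text: str) -> List[Finding]:
    """Apply the review heuristics to every recognised line and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            r = O4_RUN.match(body)
            if r and in_unusual_windir_subdir(exe_path(r.group("cmd"))):
                findings.append(Finding(section, r.group("name"), exe_path(r.group("cmd")),
                                        "autostart from a non-standard folder under the Windows directory"))
        elif section == "O16":
            r = O16_DPF.match(body)
            if r and not r.group("url"):
                findings.append(Finding(section, r.group("name"), "",
                                        "ActiveX download entry with no source URL"))
        elif section == "O18":
            r = O18_FILTER.match(body)
            if r and r.group("mime").lower() == "text/html":
                findings.append(Finding(section, r.group("mime"), r.group("path"),
                                        "MIME filter on text/html: the DLL sees and can rewrite every page"))
        elif section == "O20":
            r = O20_NOTIFY.match(body)
            if r and r.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(section, r.group("name"), r.group("path"),
                                        "Winlogon Notify DLL not in the known-good set"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<22} {f.path or '-'}\n     -> {f.reason}")
```

Run as-is it reports four of the eight sample lines; the rest of a real log goes through the same path, and the allowlists are the knobs to tune for a different Windows build.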



#2 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 30 April 2005 - 01:56 PM

Hi nimdeos and welcome to the BC forums. It appears that you have an ISRVS infection. Let's see if we can't take care of that first and then we will clean up the rest. Please proceed with the following steps in order.
  • Start HijackThis and follow these steps:
    • Click on Config button
    • Click on the Misc Tools button
    • Click on the Open Process Manager button
  • Select the following files and click on Kill process. Answer Yes to the "Are you sure..." question.
    • desktop.exe
    • edmond.exe
    • ffisearch.exe
  • Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]
[-HKEY_CLASSES_ROOT\mfiltis]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ffis"=-

  • Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

  • Restart your computer.

  • Launch Notepad, and copy/paste the box below into the new document. Save it as Unreg.bat and save it on your Desktop:

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll

  • Locate Unreg.bat on your Desktop and double-click on it.
  • Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
    • delprot.ini
    • delprot.log
    • desktop.exe
    • isrvs (delete the entire folder)
  • Delete the following file: C:\Windows\System32\Drivers\Delprot.sys
  • Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
    • anal exploits.url
    • big bleep school for 2.95.url
    • evidence eraser.lnk
    • popup blocker stops popups.lnk
    • spyware avenger.lnk
    • virus hunter security.lnk
    • your platinum visa.lnk
OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 nimdeos
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 01 May 2005 - 09:02 AM

thanks for the quick reply...

I'll post a new log soon.

Edited by nimdeos, 01 May 2005 - 10:29 AM.


#4 nimdeos
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 01 May 2005 - 11:34 PM

I did everything you said to do.
Unreg.bat came up with a couple error messages.

I can't send mail on any of my email accounts... really stuck. I also get rerouted to "e-bloc" and "spybloc" webpages when trying to surf.

Thanks so much for all your help....
Here's my new log...
Logfile of HijackThis v1.99.1
Scan saved at 1:29:11 PM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\BeoPlayer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Beoplayertray] C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BeoPlayer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...ei_install2.cab
O16 - DPF: {32CE8465-2D18-4AEE-9098-837844E6E926} (OcxChart Control) - http://version.edaily.co.kr/version/EDACHART/OcxChart.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://files.kornet.net/sw5/order/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.mybank.co.kr/efps/xw_install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {C854C4D1-ED53-4B1F-AA45-783B3CF3315C} (DacomUpload Control) - http://program.webhard.co.kr/Plus/active_u...DacomUpload.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azesearch.com/install/azesearch.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\fp2203foe.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

#5 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 02 May 2005 - 02:20 AM

Hi nimdeos. Looks better but you still have ISRVS hanging on and there is also an L2m infection now. Let's get those next. Please print these directions and then proceed with the following steps in order.

Step #1

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #2

Click Start>Run, type cmd into the Open editbox and then click the Ok button. At the command prompt type the following lines, following each line with pressing the Enter key:

cd\windows\isrvs
regsvr32 /u msfiltis.dll

Repeat this command for any other dll files in the folder substituting the dll filename for msfiltis.dll in the above command.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azesearch.com/install/azesearch.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\fp2203foe.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\isrvs\ <--folder
C:\WINDOWS\system32\fp2203foe.dll

Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode reboot normally now.

Step #5
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the entire content of that log into this thread and I will review the information when it comes in.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file and the log from the L2m scan back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
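Step #5 asks for the L2MFix find log, which (as the next post shows) is a Registry Editor 5.00 export of the Winlogon\Notify key, with REG_EXPAND_SZ values written as hex(2) byte lists that continue over several lines. The Python script below is an added example, not part of this thread and not L2MFix's own code: it parses such an export, decodes the DllName values, and reports each notify package with a verdict. The known-good DLL set and the heuristic that built-in packages use a bare DLL name (resolved from system32) rather than an absolute path are assumptions drawn from the export in this thread; the sample export is constructed from a few of its entries.

```python
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Notify DLLs that are standard on XP (assumption, taken from the export in this thread).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}

# Constructed sample: a cut-down Registry Editor 5.00 export in the shape L2MFix prints,
# with entries modelled on the find log posted in this thread.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"DllName"="C:\\WINDOWS\\system32\\azau0eh9eh4.dll"
"Logon"="WinLogon"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>\d+)\))?:(?P<bytes>.*)$")


def decode_value(data: str) -> str:
    """Decode the .reg data forms seen in the export: quoted string, dword:, hex(n):."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg files escape backslash and double quote with a backslash
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        if m.group("type") in ("1", "2"):          # REG_SZ / REG_EXPAND_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw.hex()
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: decoded data}}, joining backslash-continued lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            continue
        data = vm.group("data")
        while data.endswith("\\") and i < len(lines):   # hex list continues on the next line
            data = data[:-1] + lines[i].strip()
            i += 1
        keys[current][vm.group("name")] = decode_value(data)
    return keys


def audit_notify(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(package, dll, verdict) for each Notify subkey; value name case varies (DllName/DLLName)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    results = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" in dll:
            verdict = "suspect: absolute path, built-in packages use bare names"
        elif base not in KNOWN_NOTIFY_DLLS:
            verdict = "suspect: DLL not in the known-good set"
        else:
            verdict = "ok"
        results.append((package, dll, verdict))
    return results


if __name__ == "__main__":
    for package, dll, verdict in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{package:<18} {dll:<42} {verdict}")
```

Feeding it the full find log instead of the sample gives one line per notify package, which is quicker to read than scanning the raw export for the one entry whose DllName points somewhere it should not.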


#6 nimdeos
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 03 May 2005 - 12:00 AM

Heya OT...

Here are the logs...



L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azau0eh9eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C097E527-AD2C-D526-6E2B-CB6A7A95F1B5}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{C4213067-97B3-4929-9B98-B5600FBBBA13}"="TouchED"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{C169E5F0-E2B3-41F3-B81A-7BA529CBE193}"="ZipGenius Shell Extension"
"{2E5AC2E0-406D-11D4-86B3-FA5861508E25}"="ZipGenius Zip InfoTip"
"{310A0C95-EA11-42AE-A8E4-53E69E650310}"="ZipGenius Zip Drop handler"
"{FE8D01BF-610A-4261-9C6E-32D65A42C907}"="ZipGenius 5.5 DnD Extract handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{6BEF33F9-C985-4A10-9C3C-321706181B87}"=""
"{0524F5CD-BAE2-4346-BC1F-8DA0ECD877D0}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B7562282-845C-4007-B3BD-13945784D07A}"=""
"{F29C7982-2982-40B1-88E6-7AAD3D06895A}"=""
"{596B4C3F-77CA-4498-B43F-915D47CEE8BC}"=""
"{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}"=""
"{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}"=""
"{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}"=""
"{B9162535-8067-4AD4-AF76-36C72646AE3B}"=""
"{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}"=""
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6BEF33F9-C985-4A10-9C3C-321706181B87}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BEF33F9-C985-4A10-9C3C-321706181B87}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BEF33F9-C985-4A10-9C3C-321706181B87}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BEF33F9-C985-4A10-9C3C-321706181B87}\InprocServer32]
@="C:\\WINDOWS\\system32\\hbd.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B7562282-845C-4007-B3BD-13945784D07A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7562282-845C-4007-B3BD-13945784D07A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7562282-845C-4007-B3BD-13945784D07A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7562282-845C-4007-B3BD-13945784D07A}\InprocServer32]
@="C:\\WINDOWS\\system32\\okepro32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F29C7982-2982-40B1-88E6-7AAD3D06895A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F29C7982-2982-40B1-88E6-7AAD3D06895A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F29C7982-2982-40B1-88E6-7AAD3D06895A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F29C7982-2982-40B1-88E6-7AAD3D06895A}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvjtes40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{596B4C3F-77CA-4498-B43F-915D47CEE8BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{596B4C3F-77CA-4498-B43F-915D47CEE8BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{596B4C3F-77CA-4498-B43F-915D47CEE8BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{596B4C3F-77CA-4498-B43F-915D47CEE8BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\mpcomput.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\cEg18030.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wL2topl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}\InprocServer32]
@="C:\\WINDOWS\\system32\\dkcdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B9162535-8067-4AD4-AF76-36C72646AE3B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9162535-8067-4AD4-AF76-36C72646AE3B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9162535-8067-4AD4-AF76-36C72646AE3B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9162535-8067-4AD4-AF76-36C72646AE3B}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8475-E0F1

Directory of C:\WINDOWS\System32

05/03/2005 01:03 AM 233,966 cEg18030.dll
05/03/2005 01:03 AM 235,767 en08l1du1.dll
05/03/2005 12:58 AM 233,966 azau0eh9eh4.dll
05/03/2005 12:52 AM 235,864 ncmarta.dll
05/01/2005 10:27 PM 233,490 h84m0ih1e84.dll
04/29/2005 12:20 AM 235,560 n84slih7184.dll
04/16/2005 01:22 AM 234,828 lv6o09j3e.dll
04/16/2005 01:07 AM 233,234 ir6ol5j31.dll
04/15/2005 08:57 AM 234,593 ktrol7931.dll
04/14/2005 11:04 AM 16 AdCache
04/07/2005 10:07 PM 235,184 fp8203loe.dll
03/31/2005 01:39 PM 235,421 gpr4l39q1.dll
03/31/2005 06:22 AM 233,916 irp6l57s1.dll
03/23/2005 12:23 PM 233,916 lv0u09d9e.dll
03/23/2005 12:00 PM 233,916 dkcdll.dll
03/23/2005 10:44 AM 233,301 p6n8lg5u16.dll
03/18/2005 03:19 PM 234,711 h0j4la1q1d.dll
03/18/2005 02:41 PM 233,301 j04olah31d4.dll
03/18/2005 09:34 AM 233,301 wL2topl.dll
03/18/2005 09:34 AM 235,017 k6jslg1716.dll
03/18/2005 02:10 AM 235,222 en2ul1f91.dll
03/18/2005 01:48 AM 233,248 q4rq0e95eh.dll
03/16/2005 02:14 PM 233,248 LogitCheckControl.DLL
03/16/2005 02:14 PM 233,248 khrwbrkr.dll
03/16/2005 01:14 PM 233,248 dtmstor.dll
03/16/2005 01:14 PM 233,248 djauth.dll
03/16/2005 12:14 PM 233,248 wepcd.dll
03/16/2005 12:14 PM 233,248 wwpcd.dll
03/16/2005 11:14 AM 233,248 pgintui.dll
03/16/2005 11:14 AM 233,248 pzcrt.dll
03/16/2005 10:14 AM 233,248 mbdtcuiu.dll
03/16/2005 10:14 AM 233,248 mtdadiag.dll
03/16/2005 09:14 AM 233,248 IaagXR7.dll
03/16/2005 09:14 AM 233,248 htpertrm.dll
03/16/2005 08:14 AM 233,248 wjpui.dll
03/16/2005 08:14 AM 233,248 wridx.dll
03/16/2005 07:14 AM 233,248 smlsrv32.dll
03/16/2005 07:14 AM 233,248 sulwid.dll
03/16/2005 06:14 AM 233,248 mrapsspc.dll
03/16/2005 06:14 AM 233,248 mjacm32.dll
03/16/2005 05:14 AM 233,248 dmtmsft3.dll
03/16/2005 05:14 AM 233,248 dround.dll
03/15/2005 01:13 PM 232,736 dutrans.dll
03/15/2005 01:12 PM 232,736 lv6s09j7e.dll
03/15/2005 11:19 AM 232,736 mbnetobj.dll
03/15/2005 11:19 AM 232,736 muobjs.dll
03/15/2005 10:19 AM 232,736 elent97.dll
03/15/2005 10:19 AM 232,736 dewave.dll
03/15/2005 09:19 AM 232,736 ftsmon.dll
03/15/2005 09:19 AM 232,736 eu.dll
03/15/2005 08:19 AM 232,736 sjlsrv32.dll
03/15/2005 08:19 AM 232,736 sjlunirl.dll
03/15/2005 07:19 AM 232,736 kudus.dll
03/15/2005 07:19 AM 232,736 kmdsp.dll
03/15/2005 06:19 AM 232,736 mzfutil.dll
03/15/2005 06:19 AM 232,736 mzdemui.dll
03/15/2005 05:19 AM 232,736 cjbcatq.dll
03/15/2005 05:19 AM 232,736 ccbcatq.dll
03/15/2005 04:19 AM 232,736 omcache.dll
03/15/2005 04:19 AM 232,736 nemssvc.dll
03/15/2005 03:19 AM 232,736 smcurity.dll
03/15/2005 03:19 AM 232,736 srclogon.dll
03/15/2005 02:19 AM 232,736 ij41_qcx.dll
03/15/2005 02:19 AM 232,736 iesecsnp.dll
03/15/2005 01:19 AM 232,736 tOpisrv.dll
03/15/2005 01:19 AM 232,736 tHpisrv.dll
03/15/2005 12:19 AM 232,736 arivtmxx.dll
03/15/2005 12:19 AM 232,736 bJtt.dll
03/14/2005 11:19 PM 232,736 mupbde40.dll
03/14/2005 11:19 PM 232,736 mmoert2.dll
03/14/2005 10:19 PM 232,736 ahifile.dll
03/14/2005 10:19 PM 232,736 axivtmxx.dll
03/14/2005 09:19 PM 232,736 IzagXRA7.dll
03/14/2005 09:18 PM 232,736 izgutil.dll
03/14/2005 08:19 PM 232,736 swecli.dll
03/14/2005 08:18 PM 232,736 sMfrcdlg.dll
03/14/2005 07:19 PM 232,736 cmvfat.dll
03/14/2005 07:18 PM 232,736 crmaddin.dll
03/14/2005 06:19 PM 232,736 mmisip.dll
03/14/2005 06:18 PM 232,736 mrimg32.dll
03/14/2005 05:19 PM 232,736 wetdecod.dll
03/14/2005 05:18 PM 232,736 wrvcore.dll
03/14/2005 04:18 PM 232,736 ieengine.dll
03/14/2005 04:18 PM 232,736 jxdw400.dll
03/14/2005 03:19 PM 232,736 RCCRES.dll
03/14/2005 03:18 PM 232,736 rkmps.dll
03/14/2005 02:19 PM 232,736 drloader.dll
03/14/2005 02:18 PM 232,736 dmcpcsvc.dll
03/14/2005 01:01 PM 232,736 asmparse.dll
03/14/2005 01:00 PM 232,736 aylui.dll
03/14/2005 01:00 PM 230,683 msg695.cpy.dll
03/14/2005 12:58 PM 232,736 p44u0eh9eh4.dll
03/09/2005 12:05 PM 232,736 risutils.dll
03/09/2005 12:05 PM 232,736 rbgapi.dll
03/09/2005 11:05 AM 232,736 iWsacct.dll
03/09/2005 11:05 AM 232,736 iOssvcs.dll
03/09/2005 10:05 AM 232,736 nttrap.dll
03/09/2005 10:05 AM 232,736 notapi32.dll
03/09/2005 09:05 AM 232,736 wqnotify.dll
03/09/2005 09:05 AM 232,736 wyaservc.dll
03/09/2005 08:05 AM 232,736 morddm.dll
03/09/2005 08:05 AM 232,736 mgapsspc.dll
03/09/2005 07:05 AM 232,736 undmxfrm.dll
03/09/2005 07:05 AM 232,736 sosinv.dll
03/05/2005 12:06 AM 230,683 r48s0el7ehq.dll
03/03/2005 05:52 PM 229,864 j40s0ed7eh0.dll
03/03/2005 05:50 PM 230,683 q6pslg7716.dll
02/25/2005 08:57 AM 229,864 okepro32.dll
02/24/2005 11:58 PM 230,527 fp6603jse.dll
02/09/2005 11:54 PM <DIR> dllcache
12/02/2003 06:41 PM <DIR> Microsoft
12/02/2003 04:51 PM 3,072 Thumbs.db
110 File(s) 25,168,970 bytes
2 Dir(s) 19,354,955,776 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 1:11:16 AM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\BeoPlayer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Beoplayertray] C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BeoPlayer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...ei_install2.cab
O16 - DPF: {32CE8465-2D18-4AEE-9098-837844E6E926} (OcxChart Control) - http://version.edaily.co.kr/version/EDACHART/OcxChart.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://files.kornet.net/sw5/order/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.mybank.co.kr/efps/xw_install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {C854C4D1-ED53-4B1F-AA45-783B3CF3315C} (DacomUpload Control) - http://program.webhard.co.kr/Plus/active_u...DacomUpload.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\azau0eh9eh4.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 03 May 2005 - 12:08 AM

Hi nimdeos. Yes, we have an L2m infection here.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop:
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#8 nimdeos

nimdeos
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:51 PM

Posted 04 May 2005 - 12:08 AM


#9 nimdeos

nimdeos
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:51 PM

Posted 04 May 2005 - 12:22 AM

L2Mfix 1.03

Running From:
C:\Documents and Settings\Nimal\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Nimal\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Nimal\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1980 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 960 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ahifile.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\arivtmxx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\asmparse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\axivtmxx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aylui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bJtt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ccbcatq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cEg18030.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cjbcatq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cmvfat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cplbact.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\crmaddin.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dewave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\djauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkcdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmcpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmtmsft3.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\drloader.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dround.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dtmstor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dutrans.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\elent97.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en08l1du1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en2ul1f91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\eu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp6603jse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8203loe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ftsmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpr4l39q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h0j4la1q1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h84m0ih1e84.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\htpertrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IaagXR7.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ieengine.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iesecsnp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ij41_qcx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iOssvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6ol5j31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irp6l57s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iWsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IzagXRA7.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izgutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j04olah31d4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j40s0ed7eh0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jxdw400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6jslg1716.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\khrwbrkr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kmdsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt2ml7f11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktrol7931.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kudus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LogitCheckControl.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0u09d9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6o09j3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6s09j7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbdtcuiu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbnetobj.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgapsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjacm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmisip.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmoert2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\morddm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrapsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrvfw32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msg695.cpy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtdadiag.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muobjs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mupbde40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzdemui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzfutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n84slih7184.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ncmarta.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nemssvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\notapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nttrap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okepro32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\omcache.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p44u0eh9eh4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6n8lg5u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pgintui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pzcrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q4rq0e95eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q6pslg7716.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r48s0el7ehq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbgapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCRES.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\risutils.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rkmps.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sjlsrv32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sjlunirl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smcurity.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sMfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smlsrv32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sosinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srclogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sulwid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swecli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tHpisrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tOpisrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\undmxfrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wepcd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wetdecod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjpui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wL2topl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wqnotify.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wridx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wrvcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwpcd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wyaservc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ahifile.dll
Successfully Deleted: C:\WINDOWS\system32\ahifile.dll
deleting: C:\WINDOWS\system32\arivtmxx.dll
Successfully Deleted: C:\WINDOWS\system32\arivtmxx.dll
deleting: C:\WINDOWS\system32\asmparse.dll
Successfully Deleted: C:\WINDOWS\system32\asmparse.dll
deleting: C:\WINDOWS\system32\axivtmxx.dll
Successfully Deleted: C:\WINDOWS\system32\axivtmxx.dll
deleting: C:\WINDOWS\system32\aylui.dll
Successfully Deleted: C:\WINDOWS\system32\aylui.dll
deleting: C:\WINDOWS\system32\bJtt.dll
Successfully Deleted: C:\WINDOWS\system32\bJtt.dll
deleting: C:\WINDOWS\system32\ccbcatq.dll
Successfully Deleted: C:\WINDOWS\system32\ccbcatq.dll
deleting: C:\WINDOWS\system32\cEg18030.dll
Successfully Deleted: C:\WINDOWS\system32\cEg18030.dll
deleting: C:\WINDOWS\system32\cjbcatq.dll
Successfully Deleted: C:\WINDOWS\system32\cjbcatq.dll
deleting: C:\WINDOWS\system32\cmvfat.dll
Successfully Deleted: C:\WINDOWS\system32\cmvfat.dll
deleting: C:\WINDOWS\system32\cplbact.dll
Successfully Deleted: C:\WINDOWS\system32\cplbact.dll
deleting: C:\WINDOWS\system32\crmaddin.dll
Successfully Deleted: C:\WINDOWS\system32\crmaddin.dll
deleting: C:\WINDOWS\system32\dewave.dll
Successfully Deleted: C:\WINDOWS\system32\dewave.dll
deleting: C:\WINDOWS\system32\djauth.dll
Successfully Deleted: C:\WINDOWS\system32\djauth.dll
deleting: C:\WINDOWS\system32\dkcdll.dll
Successfully Deleted: C:\WINDOWS\system32\dkcdll.dll
deleting: C:\WINDOWS\system32\dmcpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\dmcpcsvc.dll
deleting: C:\WINDOWS\system32\dmtmsft3.dll
Successfully Deleted: C:\WINDOWS\system32\dmtmsft3.dll
deleting: C:\WINDOWS\system32\drloader.dll
Successfully Deleted: C:\WINDOWS\system32\drloader.dll
deleting: C:\WINDOWS\system32\dround.dll
Successfully Deleted: C:\WINDOWS\system32\dround.dll
deleting: C:\WINDOWS\system32\dtmstor.dll
Successfully Deleted: C:\WINDOWS\system32\dtmstor.dll
deleting: C:\WINDOWS\system32\dutrans.dll
Successfully Deleted: C:\WINDOWS\system32\dutrans.dll
deleting: C:\WINDOWS\system32\elent97.dll
Successfully Deleted: C:\WINDOWS\system32\elent97.dll
deleting: C:\WINDOWS\system32\en08l1du1.dll
Successfully Deleted: C:\WINDOWS\system32\en08l1du1.dll
deleting: C:\WINDOWS\system32\en2ul1f91.dll
Successfully Deleted: C:\WINDOWS\system32\en2ul1f91.dll
deleting: C:\WINDOWS\system32\eu.dll
Successfully Deleted: C:\WINDOWS\system32\eu.dll
deleting: C:\WINDOWS\system32\fp6603jse.dll
Successfully Deleted: C:\WINDOWS\system32\fp6603jse.dll
deleting: C:\WINDOWS\system32\fp8203loe.dll
Successfully Deleted: C:\WINDOWS\system32\fp8203loe.dll
deleting: C:\WINDOWS\system32\ftsmon.dll
Successfully Deleted: C:\WINDOWS\system32\ftsmon.dll
deleting: C:\WINDOWS\system32\gpr4l39q1.dll
Successfully Deleted: C:\WINDOWS\system32\gpr4l39q1.dll
deleting: C:\WINDOWS\system32\h0j4la1q1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0j4la1q1d.dll
deleting: C:\WINDOWS\system32\h84m0ih1e84.dll
Successfully Deleted: C:\WINDOWS\system32\h84m0ih1e84.dll
deleting: C:\WINDOWS\system32\htpertrm.dll
Successfully Deleted: C:\WINDOWS\system32\htpertrm.dll
deleting: C:\WINDOWS\system32\IaagXR7.dll
Successfully Deleted: C:\WINDOWS\system32\IaagXR7.dll
deleting: C:\WINDOWS\system32\ieengine.dll
Successfully Deleted: C:\WINDOWS\system32\ieengine.dll
deleting: C:\WINDOWS\system32\iesecsnp.dll
Successfully Deleted: C:\WINDOWS\system32\iesecsnp.dll
deleting: C:\WINDOWS\system32\ij41_qcx.dll
Successfully Deleted: C:\WINDOWS\system32\ij41_qcx.dll
deleting: C:\WINDOWS\system32\iOssvcs.dll
Successfully Deleted: C:\WINDOWS\system32\iOssvcs.dll
deleting: C:\WINDOWS\system32\ir6ol5j31.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ol5j31.dll
deleting: C:\WINDOWS\system32\irp6l57s1.dll
Successfully Deleted: C:\WINDOWS\system32\irp6l57s1.dll
deleting: C:\WINDOWS\system32\iWsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iWsacct.dll
deleting: C:\WINDOWS\system32\IzagXRA7.dll
Successfully Deleted: C:\WINDOWS\system32\IzagXRA7.dll
deleting: C:\WINDOWS\system32\izgutil.dll
Successfully Deleted: C:\WINDOWS\system32\izgutil.dll
deleting: C:\WINDOWS\system32\j04olah31d4.dll
Successfully Deleted: C:\WINDOWS\system32\j04olah31d4.dll
deleting: C:\WINDOWS\system32\j40s0ed7eh0.dll
Successfully Deleted: C:\WINDOWS\system32\j40s0ed7eh0.dll
deleting: C:\WINDOWS\system32\jxdw400.dll
Successfully Deleted: C:\WINDOWS\system32\jxdw400.dll
deleting: C:\WINDOWS\system32\k6jslg1716.dll
Successfully Deleted: C:\WINDOWS\system32\k6jslg1716.dll
deleting: C:\WINDOWS\system32\khrwbrkr.dll
Successfully Deleted: C:\WINDOWS\system32\khrwbrkr.dll
deleting: C:\WINDOWS\system32\kmdsp.dll
Successfully Deleted: C:\WINDOWS\system32\kmdsp.dll
deleting: C:\WINDOWS\system32\kt2ml7f11.dll
Successfully Deleted: C:\WINDOWS\system32\kt2ml7f11.dll
deleting: C:\WINDOWS\system32\ktrol7931.dll
Successfully Deleted: C:\WINDOWS\system32\ktrol7931.dll
deleting: C:\WINDOWS\system32\kudus.dll
Successfully Deleted: C:\WINDOWS\system32\kudus.dll
deleting: C:\WINDOWS\system32\LogitCheckControl.DLL
Successfully Deleted: C:\WINDOWS\system32\LogitCheckControl.DLL
deleting: C:\WINDOWS\system32\lv0u09d9e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0u09d9e.dll
deleting: C:\WINDOWS\system32\lv6o09j3e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6o09j3e.dll
deleting: C:\WINDOWS\system32\lv6s09j7e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6s09j7e.dll
deleting: C:\WINDOWS\system32\mbdtcuiu.dll
Successfully Deleted: C:\WINDOWS\system32\mbdtcuiu.dll
deleting: C:\WINDOWS\system32\mbnetobj.dll
Successfully Deleted: C:\WINDOWS\system32\mbnetobj.dll
deleting: C:\WINDOWS\system32\mgapsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mgapsspc.dll
deleting: C:\WINDOWS\system32\mjacm32.dll
Successfully Deleted: C:\WINDOWS\system32\mjacm32.dll
deleting: C:\WINDOWS\system32\mmisip.dll
Successfully Deleted: C:\WINDOWS\system32\mmisip.dll
deleting: C:\WINDOWS\system32\mmoert2.dll
Successfully Deleted: C:\WINDOWS\system32\mmoert2.dll
deleting: C:\WINDOWS\system32\morddm.dll
Successfully Deleted: C:\WINDOWS\system32\morddm.dll
deleting: C:\WINDOWS\system32\mrapsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mrapsspc.dll
deleting: C:\WINDOWS\system32\mrimg32.dll
Successfully Deleted: C:\WINDOWS\system32\mrimg32.dll
deleting: C:\WINDOWS\system32\mrvfw32.dll
Successfully Deleted: C:\WINDOWS\system32\mrvfw32.dll
deleting: C:\WINDOWS\system32\msg695.cpy.dll
Successfully Deleted: C:\WINDOWS\system32\msg695.cpy.dll
deleting: C:\WINDOWS\system32\mtdadiag.dll
Successfully Deleted: C:\WINDOWS\system32\mtdadiag.dll
deleting: C:\WINDOWS\system32\muobjs.dll
Successfully Deleted: C:\WINDOWS\system32\muobjs.dll
deleting: C:\WINDOWS\system32\mupbde40.dll
Successfully Deleted: C:\WINDOWS\system32\mupbde40.dll
deleting: C:\WINDOWS\system32\mzdemui.dll
Successfully Deleted: C:\WINDOWS\system32\mzdemui.dll
deleting: C:\WINDOWS\system32\mzfutil.dll
Successfully Deleted: C:\WINDOWS\system32\mzfutil.dll
deleting: C:\WINDOWS\system32\n84slih7184.dll
Successfully Deleted: C:\WINDOWS\system32\n84slih7184.dll
deleting: C:\WINDOWS\system32\ncmarta.dll
Successfully Deleted: C:\WINDOWS\system32\ncmarta.dll
deleting: C:\WINDOWS\system32\nemssvc.dll
Successfully Deleted: C:\WINDOWS\system32\nemssvc.dll
deleting: C:\WINDOWS\system32\notapi32.dll
Successfully Deleted: C:\WINDOWS\system32\notapi32.dll
deleting: C:\WINDOWS\system32\nttrap.dll
Successfully Deleted: C:\WINDOWS\system32\nttrap.dll
deleting: C:\WINDOWS\system32\okepro32.dll
Successfully Deleted: C:\WINDOWS\system32\okepro32.dll
deleting: C:\WINDOWS\system32\omcache.dll
Successfully Deleted: C:\WINDOWS\system32\omcache.dll
deleting: C:\WINDOWS\system32\p44u0eh9eh4.dll
Successfully Deleted: C:\WINDOWS\system32\p44u0eh9eh4.dll
deleting: C:\WINDOWS\system32\p6n8lg5u16.dll
Successfully Deleted: C:\WINDOWS\system32\p6n8lg5u16.dll
deleting: C:\WINDOWS\system32\pgintui.dll
Successfully Deleted: C:\WINDOWS\system32\pgintui.dll
deleting: C:\WINDOWS\system32\pzcrt.dll
Successfully Deleted: C:\WINDOWS\system32\pzcrt.dll
deleting: C:\WINDOWS\system32\q4rq0e95eh.dll
Successfully Deleted: C:\WINDOWS\system32\q4rq0e95eh.dll
deleting: C:\WINDOWS\system32\q6pslg7716.dll
Successfully Deleted: C:\WINDOWS\system32\q6pslg7716.dll
deleting: C:\WINDOWS\system32\r48s0el7ehq.dll
Successfully Deleted: C:\WINDOWS\system32\r48s0el7ehq.dll
deleting: C:\WINDOWS\system32\rbgapi.dll
Successfully Deleted: C:\WINDOWS\system32\rbgapi.dll
deleting: C:\WINDOWS\system32\RCCRES.dll
Successfully Deleted: C:\WINDOWS\system32\RCCRES.dll
deleting: C:\WINDOWS\system32\risutils.dll
Successfully Deleted: C:\WINDOWS\system32\risutils.dll
deleting: C:\WINDOWS\system32\rkmps.dll
Successfully Deleted: C:\WINDOWS\system32\rkmps.dll
deleting: C:\WINDOWS\system32\sjlsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\sjlsrv32.dll
deleting: C:\WINDOWS\system32\sjlunirl.dll
Successfully Deleted: C:\WINDOWS\system32\sjlunirl.dll
deleting: C:\WINDOWS\system32\smcurity.dll
Successfully Deleted: C:\WINDOWS\system32\smcurity.dll
deleting: C:\WINDOWS\system32\sMfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sMfrcdlg.dll
deleting: C:\WINDOWS\system32\smlsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\smlsrv32.dll
deleting: C:\WINDOWS\system32\sosinv.dll
Successfully Deleted: C:\WINDOWS\system32\sosinv.dll
deleting: C:\WINDOWS\system32\srclogon.dll
Successfully Deleted: C:\WINDOWS\system32\srclogon.dll
deleting: C:\WINDOWS\system32\sulwid.dll
Successfully Deleted: C:\WINDOWS\system32\sulwid.dll
deleting: C:\WINDOWS\system32\swecli.dll
Successfully Deleted: C:\WINDOWS\system32\swecli.dll
deleting: C:\WINDOWS\system32\tHpisrv.dll
Successfully Deleted: C:\WINDOWS\system32\tHpisrv.dll
deleting: C:\WINDOWS\system32\tOpisrv.dll
Successfully Deleted: C:\WINDOWS\system32\tOpisrv.dll
deleting: C:\WINDOWS\system32\undmxfrm.dll
Successfully Deleted: C:\WINDOWS\system32\undmxfrm.dll
deleting: C:\WINDOWS\system32\wepcd.dll
Successfully Deleted: C:\WINDOWS\system32\wepcd.dll
deleting: C:\WINDOWS\system32\wetdecod.dll
Successfully Deleted: C:\WINDOWS\system32\wetdecod.dll
deleting: C:\WINDOWS\system32\wjpui.dll
Successfully Deleted: C:\WINDOWS\system32\wjpui.dll
deleting: C:\WINDOWS\system32\wL2topl.dll
Successfully Deleted: C:\WINDOWS\system32\wL2topl.dll
deleting: C:\WINDOWS\system32\wqnotify.dll
Successfully Deleted: C:\WINDOWS\system32\wqnotify.dll
deleting: C:\WINDOWS\system32\wridx.dll
Successfully Deleted: C:\WINDOWS\system32\wridx.dll
deleting: C:\WINDOWS\system32\wrvcore.dll
Successfully Deleted: C:\WINDOWS\system32\wrvcore.dll
deleting: C:\WINDOWS\system32\wwpcd.dll
Successfully Deleted: C:\WINDOWS\system32\wwpcd.dll
deleting: C:\WINDOWS\system32\wyaservc.dll
Successfully Deleted: C:\WINDOWS\system32\wyaservc.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: ahifile.dll (164 bytes security) (deflated 4%)
adding: arivtmxx.dll (164 bytes security) (deflated 4%)
adding: asmparse.dll (164 bytes security) (deflated 4%)
adding: axivtmxx.dll (164 bytes security) (deflated 4%)
adding: aylui.dll (164 bytes security) (deflated 4%)
adding: bJtt.dll (164 bytes security) (deflated 4%)
adding: ccbcatq.dll (164 bytes security) (deflated 4%)
adding: cEg18030.dll (164 bytes security) (deflated 5%)
adding: cjbcatq.dll (164 bytes security) (deflated 4%)
adding: cmvfat.dll (164 bytes security) (deflated 4%)
adding: cplbact.dll (164 bytes security) (deflated 5%)
adding: crmaddin.dll (164 bytes security) (deflated 4%)
adding: dewave.dll (164 bytes security) (deflated 4%)
adding: djauth.dll (164 bytes security) (deflated 4%)
adding: dkcdll.dll (164 bytes security) (deflated 5%)
adding: dmcpcsvc.dll (164 bytes security) (deflated 4%)
adding: dmtmsft3.dll (164 bytes security) (deflated 4%)
adding: drloader.dll (164 bytes security) (deflated 4%)
adding: dround.dll (164 bytes security) (deflated 4%)
adding: dtmstor.dll (164 bytes security) (deflated 4%)
adding: dutrans.dll (164 bytes security) (deflated 4%)
adding: elent97.dll (164 bytes security) (deflated 4%)
adding: en08l1du1.dll (164 bytes security) (deflated 5%)
adding: en2ul1f91.dll (164 bytes security) (deflated 5%)
adding: eu.dll (164 bytes security) (deflated 4%)
adding: fp6603jse.dll (164 bytes security) (deflated 5%)
adding: fp8203loe.dll (164 bytes security) (deflated 5%)
adding: ftsmon.dll (164 bytes security) (deflated 4%)
adding: gpr4l39q1.dll (164 bytes security) (deflated 5%)
adding: h0j4la1q1d.dll (164 bytes security) (deflated 5%)
adding: h84m0ih1e84.dll (164 bytes security) (deflated 4%)
adding: htpertrm.dll (164 bytes security) (deflated 4%)
adding: IaagXR7.dll (164 bytes security) (deflated 4%)
adding: ieengine.dll (164 bytes security) (deflated 4%)
adding: iesecsnp.dll (164 bytes security) (deflated 4%)
adding: ij41_qcx.dll (164 bytes security) (deflated 4%)
adding: iOssvcs.dll (164 bytes security) (deflated 4%)
adding: ir6ol5j31.dll (164 bytes security) (deflated 4%)
adding: irp6l57s1.dll (164 bytes security) (deflated 5%)
adding: iWsacct.dll (164 bytes security) (deflated 4%)
adding: IzagXRA7.dll (164 bytes security) (deflated 4%)
adding: izgutil.dll (164 bytes security) (deflated 4%)
adding: j04olah31d4.dll (164 bytes security) (deflated 4%)
adding: j40s0ed7eh0.dll (164 bytes security) (deflated 5%)
adding: jxdw400.dll (164 bytes security) (deflated 4%)
adding: k6jslg1716.dll (164 bytes security) (deflated 5%)
adding: khrwbrkr.dll (164 bytes security) (deflated 4%)
adding: kmdsp.dll (164 bytes security) (deflated 4%)
adding: kt2ml7f11.dll (164 bytes security) (deflated 5%)
adding: ktrol7931.dll (164 bytes security) (deflated 5%)
adding: kudus.dll (164 bytes security) (deflated 4%)
adding: LogitCheckControl.DLL (164 bytes security) (deflated 4%)
adding: lv0u09d9e.dll (164 bytes security) (deflated 5%)
adding: lv6o09j3e.dll (164 bytes security) (deflated 5%)
adding: lv6s09j7e.dll (164 bytes security) (deflated 4%)
adding: mbdtcuiu.dll (164 bytes security) (deflated 4%)
adding: mbnetobj.dll (164 bytes security) (deflated 4%)
adding: mgapsspc.dll (164 bytes security) (deflated 4%)
adding: mjacm32.dll (164 bytes security) (deflated 4%)
adding: mmisip.dll (164 bytes security) (deflated 4%)
adding: mmoert2.dll (164 bytes security) (deflated 4%)
adding: morddm.dll (164 bytes security) (deflated 4%)
adding: mrapsspc.dll (164 bytes security) (deflated 4%)
adding: mrimg32.dll (164 bytes security) (deflated 4%)
adding: mrvfw32.dll (164 bytes security) (deflated 4%)
adding: msg695.cpy.dll (164 bytes security) (deflated 5%)
adding: mtdadiag.dll (164 bytes security) (deflated 4%)
adding: muobjs.dll (164 bytes security) (deflated 4%)
adding: mupbde40.dll (164 bytes security) (deflated 4%)
adding: mzdemui.dll (164 bytes security) (deflated 4%)
adding: mzfutil.dll (164 bytes security) (deflated 4%)
adding: n84slih7184.dll (164 bytes security) (deflated 5%)
adding: ncmarta.dll (164 bytes security) (deflated 5%)
adding: nemssvc.dll (164 bytes security) (deflated 4%)
adding: notapi32.dll (164 bytes security) (deflated 4%)
adding: nttrap.dll (164 bytes security) (deflated 4%)
adding: okepro32.dll (164 bytes security) (deflated 5%)
adding: omcache.dll (164 bytes security) (deflated 4%)
adding: p44u0eh9eh4.dll (164 bytes security) (deflated 4%)
adding: p6n8lg5u16.dll (164 bytes security) (deflated 4%)
adding: pgintui.dll (164 bytes security) (deflated 4%)
adding: pzcrt.dll (164 bytes security) (deflated 4%)
adding: q4rq0e95eh.dll (164 bytes security) (deflated 4%)
adding: q6pslg7716.dll (164 bytes security) (deflated 5%)
adding: r48s0el7ehq.dll (164 bytes security) (deflated 5%)
adding: rbgapi.dll (164 bytes security) (deflated 4%)
adding: RCCRES.dll (164 bytes security) (deflated 4%)
adding: risutils.dll (164 bytes security) (deflated 4%)
adding: rkmps.dll (164 bytes security) (deflated 4%)
adding: sjlsrv32.dll (164 bytes security) (deflated 4%)
adding: sjlunirl.dll (164 bytes security) (deflated 4%)
adding: smcurity.dll (164 bytes security) (deflated 4%)
adding: sMfrcdlg.dll (164 bytes security) (deflated 4%)
adding: smlsrv32.dll (164 bytes security) (deflated 4%)
adding: sosinv.dll (164 bytes security) (deflated 4%)
adding: srclogon.dll (164 bytes security) (deflated 4%)
adding: sulwid.dll (164 bytes security) (deflated 4%)
adding: swecli.dll (164 bytes security) (deflated 4%)
adding: tHpisrv.dll (164 bytes security) (deflated 4%)
adding: tOpisrv.dll (164 bytes security) (deflated 4%)
adding: undmxfrm.dll (164 bytes security) (deflated 4%)
adding: wepcd.dll (164 bytes security) (deflated 4%)
adding: wetdecod.dll (164 bytes security) (deflated 4%)
adding: wjpui.dll (164 bytes security) (deflated 4%)
adding: wL2topl.dll (164 bytes security) (deflated 4%)
adding: wqnotify.dll (164 bytes security) (deflated 4%)
adding: wridx.dll (164 bytes security) (deflated 4%)
adding: wrvcore.dll (164 bytes security) (deflated 4%)
adding: wwpcd.dll (164 bytes security) (deflated 4%)
adding: wyaservc.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 64%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 70%)
adding: test.txt (164 bytes security) (deflated 85%)
adding: test2.txt (164 bytes security) (deflated 45%)
adding: test3.txt (164 bytes security) (deflated 45%)
adding: test5.txt (164 bytes security) (deflated 45%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/596B4C3F-77CA-4498-B43F-915D47CEE8BC.reg (164 bytes security) (deflated 70%)
adding: backregs/6BEF33F9-C985-4A10-9C3C-321706181B87.reg (164 bytes security) (deflated 70%)
adding: backregs/6D0AEB30-960F-45EA-8AB5-A975B3750EC2.reg (164 bytes security) (deflated 70%)
adding: backregs/8B116EDA-7D5E-4294-88D8-1D64829CF3FE.reg (164 bytes security) (deflated 70%)
adding: backregs/9993DD0A-55A5-4131-9D9C-3A4D22A33F4C.reg (164 bytes security) (deflated 70%)
adding: backregs/B7562282-845C-4007-B3BD-13945784D07A.reg (164 bytes security) (deflated 70%)
adding: backregs/B9162535-8067-4AD4-AF76-36C72646AE3B.reg (164 bytes security) (deflated 70%)
adding: backregs/DE29F8C1-137D-4ACC-99D8-E04309ED77E4.reg (164 bytes security) (deflated 70%)
adding: backregs/F29C7982-2982-40B1-88E6-7AAD3D06895A.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ahifile.dll
deleting local copy: arivtmxx.dll
deleting local copy: asmparse.dll
deleting local copy: axivtmxx.dll
deleting local copy: aylui.dll
deleting local copy: bJtt.dll
deleting local copy: ccbcatq.dll
deleting local copy: cEg18030.dll
deleting local copy: cjbcatq.dll
deleting local copy: cmvfat.dll
deleting local copy: cplbact.dll
deleting local copy: crmaddin.dll
deleting local copy: dewave.dll
deleting local copy: djauth.dll
deleting local copy: dkcdll.dll
deleting local copy: dmcpcsvc.dll
deleting local copy: dmtmsft3.dll
deleting local copy: drloader.dll
deleting local copy: dround.dll
deleting local copy: dtmstor.dll
deleting local copy: dutrans.dll
deleting local copy: elent97.dll
deleting local copy: en08l1du1.dll
deleting local copy: en2ul1f91.dll
deleting local copy: eu.dll
deleting local copy: fp6603jse.dll
deleting local copy: fp8203loe.dll
deleting local copy: ftsmon.dll
deleting local copy: gpr4l39q1.dll
deleting local copy: h0j4la1q1d.dll
deleting local copy: h84m0ih1e84.dll
deleting local copy: htpertrm.dll
deleting local copy: IaagXR7.dll
deleting local copy: ieengine.dll
deleting local copy: iesecsnp.dll
deleting local copy: ij41_qcx.dll
deleting local copy: iOssvcs.dll
deleting local copy: ir6ol5j31.dll
deleting local copy: irp6l57s1.dll
deleting local copy: iWsacct.dll
deleting local copy: IzagXRA7.dll
deleting local copy: izgutil.dll
deleting local copy: j04olah31d4.dll
deleting local copy: j40s0ed7eh0.dll
deleting local copy: jxdw400.dll
deleting local copy: k6jslg1716.dll
deleting local copy: khrwbrkr.dll
deleting local copy: kmdsp.dll
deleting local copy: kt2ml7f11.dll
deleting local copy: ktrol7931.dll
deleting local copy: kudus.dll
deleting local copy: LogitCheckControl.DLL
deleting local copy: lv0u09d9e.dll
deleting local copy: lv6o09j3e.dll
deleting local copy: lv6s09j7e.dll
deleting local copy: mbdtcuiu.dll
deleting local copy: mbnetobj.dll
deleting local copy: mgapsspc.dll
deleting local copy: mjacm32.dll
deleting local copy: mmisip.dll
deleting local copy: mmoert2.dll
deleting local copy: morddm.dll
deleting local copy: mrapsspc.dll
deleting local copy: mrimg32.dll
deleting local copy: mrvfw32.dll
deleting local copy: msg695.cpy.dll
deleting local copy: mtdadiag.dll
deleting local copy: muobjs.dll
deleting local copy: mupbde40.dll
deleting local copy: mzdemui.dll
deleting local copy: mzfutil.dll
deleting local copy: n84slih7184.dll
deleting local copy: ncmarta.dll
deleting local copy: nemssvc.dll
deleting local copy: notapi32.dll
deleting local copy: nttrap.dll
deleting local copy: okepro32.dll
deleting local copy: omcache.dll
deleting local copy: p44u0eh9eh4.dll
deleting local copy: p6n8lg5u16.dll
deleting local copy: pgintui.dll
deleting local copy: pzcrt.dll
deleting local copy: q4rq0e95eh.dll
deleting local copy: q6pslg7716.dll
deleting local copy: r48s0el7ehq.dll
deleting local copy: rbgapi.dll
deleting local copy: RCCRES.dll
deleting local copy: risutils.dll
deleting local copy: rkmps.dll
deleting local copy: sjlsrv32.dll
deleting local copy: sjlunirl.dll
deleting local copy: smcurity.dll
deleting local copy: sMfrcdlg.dll
deleting local copy: smlsrv32.dll
deleting local copy: sosinv.dll
deleting local copy: srclogon.dll
deleting local copy: sulwid.dll
deleting local copy: swecli.dll
deleting local copy: tHpisrv.dll
deleting local copy: tOpisrv.dll
deleting local copy: undmxfrm.dll
deleting local copy: wepcd.dll
deleting local copy: wetdecod.dll
deleting local copy: wjpui.dll
deleting local copy: wL2topl.dll
deleting local copy: wqnotify.dll
deleting local copy: wridx.dll
deleting local copy: wrvcore.dll
deleting local copy: wwpcd.dll
deleting local copy: wyaservc.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ahifile.dll
C:\WINDOWS\system32\arivtmxx.dll
C:\WINDOWS\system32\asmparse.dll
C:\WINDOWS\system32\axivtmxx.dll
C:\WINDOWS\system32\aylui.dll
C:\WINDOWS\system32\bJtt.dll
C:\WINDOWS\system32\ccbcatq.dll
C:\WINDOWS\system32\cEg18030.dll
C:\WINDOWS\system32\cjbcatq.dll
C:\WINDOWS\system32\cmvfat.dll
C:\WINDOWS\system32\cplbact.dll
C:\WINDOWS\system32\crmaddin.dll
C:\WINDOWS\system32\dewave.dll
C:\WINDOWS\system32\djauth.dll
C:\WINDOWS\system32\dkcdll.dll
C:\WINDOWS\system32\dmcpcsvc.dll
C:\WINDOWS\system32\dmtmsft3.dll
C:\WINDOWS\system32\drloader.dll
C:\WINDOWS\system32\dround.dll
C:\WINDOWS\system32\dtmstor.dll
C:\WINDOWS\system32\dutrans.dll
C:\WINDOWS\system32\elent97.dll
C:\WINDOWS\system32\en08l1du1.dll
C:\WINDOWS\system32\en2ul1f91.dll
C:\WINDOWS\system32\eu.dll
C:\WINDOWS\system32\fp6603jse.dll
C:\WINDOWS\system32\fp8203loe.dll
C:\WINDOWS\system32\ftsmon.dll
C:\WINDOWS\system32\gpr4l39q1.dll
C:\WINDOWS\system32\h0j4la1q1d.dll
C:\WINDOWS\system32\h84m0ih1e84.dll
C:\WINDOWS\system32\htpertrm.dll
C:\WINDOWS\system32\IaagXR7.dll
C:\WINDOWS\system32\ieengine.dll
C:\WINDOWS\system32\iesecsnp.dll
C:\WINDOWS\system32\ij41_qcx.dll
C:\WINDOWS\system32\iOssvcs.dll
C:\WINDOWS\system32\ir6ol5j31.dll
C:\WINDOWS\system32\irp6l57s1.dll
C:\WINDOWS\system32\iWsacct.dll
C:\WINDOWS\system32\IzagXRA7.dll
C:\WINDOWS\system32\izgutil.dll
C:\WINDOWS\system32\j04olah31d4.dll
C:\WINDOWS\system32\j40s0ed7eh0.dll
C:\WINDOWS\system32\jxdw400.dll
C:\WINDOWS\system32\k6jslg1716.dll
C:\WINDOWS\system32\khrwbrkr.dll
C:\WINDOWS\system32\kmdsp.dll
C:\WINDOWS\system32\kt2ml7f11.dll
C:\WINDOWS\system32\ktrol7931.dll
C:\WINDOWS\system32\kudus.dll
C:\WINDOWS\system32\LogitCheckControl.DLL
C:\WINDOWS\system32\lv0u09d9e.dll
C:\WINDOWS\system32\lv6o09j3e.dll
C:\WINDOWS\system32\lv6s09j7e.dll
C:\WINDOWS\system32\mbdtcuiu.dll
C:\WINDOWS\system32\mbnetobj.dll
C:\WINDOWS\system32\mgapsspc.dll
C:\WINDOWS\system32\mjacm32.dll
C:\WINDOWS\system32\mmisip.dll
C:\WINDOWS\system32\mmoert2.dll
C:\WINDOWS\system32\morddm.dll
C:\WINDOWS\system32\mrapsspc.dll
C:\WINDOWS\system32\mrimg32.dll
C:\WINDOWS\system32\mrvfw32.dll
C:\WINDOWS\system32\msg695.cpy.dll
C:\WINDOWS\system32\mtdadiag.dll
C:\WINDOWS\system32\muobjs.dll
C:\WINDOWS\system32\mupbde40.dll
C:\WINDOWS\system32\mzdemui.dll
C:\WINDOWS\system32\mzfutil.dll
C:\WINDOWS\system32\n84slih7184.dll
C:\WINDOWS\system32\ncmarta.dll
C:\WINDOWS\system32\nemssvc.dll
C:\WINDOWS\system32\notapi32.dll
C:\WINDOWS\system32\nttrap.dll
C:\WINDOWS\system32\okepro32.dll
C:\WINDOWS\system32\omcache.dll
C:\WINDOWS\system32\p44u0eh9eh4.dll
C:\WINDOWS\system32\p6n8lg5u16.dll
C:\WINDOWS\system32\pgintui.dll
C:\WINDOWS\system32\pzcrt.dll
C:\WINDOWS\system32\q4rq0e95eh.dll
C:\WINDOWS\system32\q6pslg7716.dll
C:\WINDOWS\system32\r48s0el7ehq.dll
C:\WINDOWS\system32\rbgapi.dll
C:\WINDOWS\system32\RCCRES.dll
C:\WINDOWS\system32\risutils.dll
C:\WINDOWS\system32\rkmps.dll
C:\WINDOWS\system32\sjlsrv32.dll
C:\WINDOWS\system32\sjlunirl.dll
C:\WINDOWS\system32\smcurity.dll
C:\WINDOWS\system32\sMfrcdlg.dll
C:\WINDOWS\system32\smlsrv32.dll
C:\WINDOWS\system32\sosinv.dll
C:\WINDOWS\system32\srclogon.dll
C:\WINDOWS\system32\sulwid.dll
C:\WINDOWS\system32\swecli.dll
C:\WINDOWS\system32\tHpisrv.dll
C:\WINDOWS\system32\tOpisrv.dll
C:\WINDOWS\system32\undmxfrm.dll
C:\WINDOWS\system32\wepcd.dll
C:\WINDOWS\system32\wetdecod.dll
C:\WINDOWS\system32\wjpui.dll
C:\WINDOWS\system32\wL2topl.dll
C:\WINDOWS\system32\wqnotify.dll
C:\WINDOWS\system32\wridx.dll
C:\WINDOWS\system32\wrvcore.dll
C:\WINDOWS\system32\wwpcd.dll
C:\WINDOWS\system32\wyaservc.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6BEF33F9-C985-4A10-9C3C-321706181B87}"=-
"{0524F5CD-BAE2-4346-BC1F-8DA0ECD877D0}"=-
"{B7562282-845C-4007-B3BD-13945784D07A}"=-
"{F29C7982-2982-40B1-88E6-7AAD3D06895A}"=-
"{596B4C3F-77CA-4498-B43F-915D47CEE8BC}"=-
"{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}"=-
"{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}"=-
"{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}"=-
"{B9162535-8067-4AD4-AF76-36C72646AE3B}"=-
"{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6BEF33F9-C985-4A10-9C3C-321706181B87}]
[-HKEY_CLASSES_ROOT\CLSID\{0524F5CD-BAE2-4346-BC1F-8DA0ECD877D0}]
[-HKEY_CLASSES_ROOT\CLSID\{B7562282-845C-4007-B3BD-13945784D07A}]
[-HKEY_CLASSES_ROOT\CLSID\{F29C7982-2982-40B1-88E6-7AAD3D06895A}]
[-HKEY_CLASSES_ROOT\CLSID\{596B4C3F-77CA-4498-B43F-915D47CEE8BC}]
[-HKEY_CLASSES_ROOT\CLSID\{8B116EDA-7D5E-4294-88D8-1D64829CF3FE}]
[-HKEY_CLASSES_ROOT\CLSID\{9993DD0A-55A5-4131-9D9C-3A4D22A33F4C}]
[-HKEY_CLASSES_ROOT\CLSID\{6D0AEB30-960F-45EA-8AB5-A975B3750EC2}]
[-HKEY_CLASSES_ROOT\CLSID\{B9162535-8067-4AD4-AF76-36C72646AE3B}]
[-HKEY_CLASSES_ROOT\CLSID\{DE29F8C1-137D-4ACC-99D8-E04309ED77E4}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{1DE4B20E-DBB8-4440-B110-2E409328E712}</IDone>
<IDtwo>DS4</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 12:30:19 PM, on 5/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Beoplayertray] C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BeoPlayer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\

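An added note on the Winlogon Notify export above (editorial commentary and example code, not part of nimdeos's post and not part of L2Mfix or HijackThis). The L2Mfix run first restores the DACL on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, which Look2Me-style infections lock so that their notification entry cannot be removed, and then exports the key so the reader can confirm that only stock packages remain. In the export above every DllName resolves to a standard Windows XP SP2 notification DLL (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll) plus Intel's igfxsrvc.dll, which matches the single O20 line in the later clean HijackThis log. Note that regedit writes some DllName values as hex(2) (REG_EXPAND_SZ, UTF-16LE, NUL-terminated) split across backslash-continued lines, so any check has to decode those before comparing. The Python below parses such an export and flags any Notify package outside a known-good baseline. The baseline is an assumption drawn from this thread's export, and the third subkey in the constructed sample (hypothetical / hypothetical.dll) is invented to show what a finding looks like; nothing on this page reports such an entry.

```python
"""Audit a Winlogon\\Notify registry export for notification packages that
are not in a known-good baseline.  Added example for this thread; it is not
part of L2Mfix or HijackThis."""
import re
from typing import Dict, List, Tuple

# Baseline taken from the clean export posted above (Windows XP SP2 plus the
# Intel igfxcui package).  Assumption: other images may carry other packages.
KNOWN_NOTIFY: Dict[str, str] = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "igfxcui": "igfxsrvc.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify").lower()


def decode_hex2(payload: str) -> str:
    """Decode a REG_EXPAND_SZ written as hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> Dict[str, str]:
    """Return {subkey: dll} for every Notify subkey in a regedit 5.00 export."""
    # regedit wraps long values with a trailing backslash; join them first so
    # each value is one logical line.
    logical = re.sub(r"\\\r?\n[ \t]*", "", text)
    packages: Dict[str, str] = {}
    subkey = None
    for line in logical.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1).lower()
            # Only track subkeys directly under Winlogon\Notify.
            subkey = path[len(NOTIFY_KEY) + 1:] if path.startswith(NOTIFY_KEY + "\\") else None
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if subkey is None or not value or value.group(1).lower() != "dllname":
            continue
        data = value.group(2)
        if data.lower().startswith("hex(2):"):
            packages[subkey] = decode_hex2(data[7:])
        else:
            packages[subkey] = data.strip('"')
    return packages


def audit(packages: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag subkeys missing from the baseline or pointing at an unexpected DLL."""
    findings = []
    for subkey, dll in packages.items():
        expected = KNOWN_NOTIFY.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "not in baseline"))
        elif dll.lower() != expected:
            findings.append((subkey, dll, f"expected {expected}"))
    return findings


# Constructed sample: two entries copied from the export in this thread plus a
# hypothetical subkey of the kind a Winlogon-notify infection would add.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hypothetical]
"DLLName"="hypothetical.dll"
"Logon"="WinlogonLogonEvent"
"""

if __name__ == "__main__":
    for subkey, dll, reason in audit(parse_notify_export(SAMPLE_EXPORT)):
        print(f"SUSPECT {subkey} -> {dll} ({reason})")
```

To use it on a live machine, export the key with regedit or `reg export` and feed the file's text to parse_notify_export; regedit 5.00 exports are normally UTF-16 with a BOM, so open the file with encoding="utf-16". A bare DLL name in a Notify entry is loaded from system32 by winlogon.exe, so a package outside the baseline deserves a look at the file itself (signature, timestamp) before it is removed, and the DACL on the key should be checked as L2Mfix does, since a locked key is itself a sign of tampering.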
#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 May 2005 - 12:31 AM

Hi nimdeos. It appears that your HijackThis log got cut off at the end. Can you please run HijackThis again and post a new log back here. The part of it that you did post looked pretty good :thumbsup:

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 nimdeos

nimdeos
  • Topic Starter

  • Members
  • 10 posts

Posted 05 May 2005 - 05:26 AM

heya ot...

Here's the HJT log again... in full (dunno what happened last time)

Logfile of HijackThis v1.99.1
Scan saved at 7:22:13 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bang & Olufsen\BeoPlayer\BeoPlayer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\PROGRAM FILES\BANG & OLUFSEN\BEOPLAYER\BEONETMUSIC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Beoplayertray] C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BeoPlayer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...ei_install2.cab
O16 - DPF: {32CE8465-2D18-4AEE-9098-837844E6E926} (OcxChart Control) - http://version.edaily.co.kr/version/EDACHART/OcxChart.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://files.kornet.net/sw5/order/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.mybank.co.kr/efps/xw_install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {C854C4D1-ED53-4B1F-AA45-783B3CF3315C} (DacomUpload Control) - http://program.webhard.co.kr/Plus/active_u...DacomUpload.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 May 2005 - 04:02 PM

Hi nimdeos. Your log is now clean. Good job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

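The Folder Options steps above flip two per-user Explorer registry values. The following PowerShell is an added example, not OldTimer's code or anything from BleepingComputer: it audits those values against the recommended state and, with -Fix, writes them back. The registry key and value names are the long-standing ones behind the Folder Options checkboxes; the output object shape is my own.

```powershell
# Added example: audit (and optionally restore) the Folder Options state that the
# steps above set by hand. Explorer stores both checkboxes as DWORDs under this key:
#   Hidden          1 = show hidden files and folders, 2 = do not show (recommended)
#   ShowSuperHidden 1 = show protected OS files,       0 = hide them   (recommended)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-HiddenFileSettings {
    param([switch]$Fix)   # -Fix writes the recommended values back

    $cur = Get-ItemProperty -Path $advanced
    $findings = @()

    # A missing value reads as $null, which also fails the comparison and is reported.
    if ($cur.Hidden -ne 2) {
        $findings += "Hidden=$($cur.Hidden): hidden files and folders are being shown"
        if ($Fix) { Set-ItemProperty -Path $advanced -Name Hidden -Value 2 -Type DWord }
    }
    if ($cur.ShowSuperHidden -ne 0) {
        $findings += "ShowSuperHidden=$($cur.ShowSuperHidden): protected OS files are visible"
        if ($Fix) { Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord }
    }

    # Hypothetical result shape chosen for this example
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Fixed     = [bool]$Fix
    }
}

# Audit only; add -Fix to apply. Explorer reads these values on its next refresh,
# so sign out and back in (or restart explorer.exe) if open windows still show them.
Test-HiddenFileSettings | Format-List
```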

#13 nimdeos

nimdeos
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 07 May 2005 - 02:06 AM

Thanks for everything, OT!

My comp is running much smoother.

I seem to still have problems when it comes to accessing my email accounts though...

It's really slow when I try to access hotmail/gmail/yahoo accounts...


What to do?




#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 07 May 2005 - 01:12 PM

Hi nimdeos. Try uninstalling and then reinstalling AVG. Some of these infections really try to mess with the antivirus programs and disable them.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#15 nimdeos

nimdeos
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 08 May 2005 - 02:13 AM

Heya OT..

I downloaded Spybot...scanned...and fixed a "DSO Exploit" problem.

I uninstalled AVG and installed AVAST! ...scanned and it found "windows/iconu.exe" and "win/system32/delprot.sys"... I moved both to the chest.

Internet speed is lightning fast...except for email sites...really slow..

Dunno what to do.

Please help when you have time..

thanks again OT!

nimdeos



