
Here Is My Log


This topic is locked.
27 replies to this topic

#1 weecher (Members, 25 posts)

Posted 14 July 2006 - 05:44 PM

Help, here is my Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 4:23:07 PM, on 7/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Yvonne\LOCALS~1\Temp\Rar$EX00.860\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1370906.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by weecher, 14 July 2006 - 06:24 PM.


#2 rookie147 (Members, 5,321 posts)

Posted 18 July 2006 - 09:26 AM

Hello weecher, and welcome to Bleeping Computer. My name is Charles and I will be helping you to clean up your computer.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 weecher (Topic Starter, Members, 25 posts)

Posted 19 July 2006 - 01:08 PM

Sure thing, ty very much.

#4 rookie147 (Members, 5,321 posts)

Posted 22 July 2006 - 02:49 AM

Hello weecher, sorry for the delay in getting back to you.
I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version from the following link:

HijackThis Download Site

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.
Post back with the HijackThis log please,
Thanks,
Charles



#5 weecher (Topic Starter, Members, 25 posts)

Posted 23 July 2006 - 05:23 PM

For some reason it's giving me a dead link: "Cannot display the page".

#6 weecher (Topic Starter, Members, 25 posts)

Posted 23 July 2006 - 05:25 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:24:40 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\World of Warcraft\Launcher.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1370906.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
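A triage pass over the kind of lines a helper reads first in a log like the one above (O20 Winlogon Notify, O4 Startup shortcuts, R1 search/start-page overrides). This is an added example written for this page, not HijackThis, L2MFix or BleepingComputer code; the sample log is constructed to mirror the posted lines, the Notify baseline is the stock Windows XP SP2 set, and the `expected_hosts` parameter and all function names are this example's own.

```python
"""Triage pass over a HijackThis v1.99 log for Winlogon Notify and startup hijacks.

Added example written for this page; it is not HijackThis, L2MFix or
BleepingComputer code. SAMPLE_LOG is constructed to mirror the lines posted
in the thread; the heuristics encode what a helper looks for when reading them.
"""
import re
from dataclasses import dataclass, field

# Winlogon\Notify subkeys a stock Windows XP SP2 install carries (the L2MFix
# dump later in the thread lists exactly these next to the suspect ones).
# WgaLogon is the Windows Genuine Advantage notifier and is expected too.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

# Core Windows process names; a Startup-folder shortcut borrowing one of
# these names is masquerading, since none of them is started from Startup.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "services", "svchost"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?)\.lnk = (?P<target>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>HK(?:CU|LM)\\[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]\d{5,}\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_o20(line):
    """Flag Winlogon Notify DLLs that do not belong to the XP baseline."""
    m = O20_RE.match(line)
    if not m:
        return None
    name, path = m.group("name"), m.group("path").strip()
    reasons = []
    if name not in BASELINE_NOTIFY:
        reasons.append("Notify subkey not in XP baseline")
    if not SYSTEM32_RE.match(path):
        reasons.append("Notify DLL outside System32")
    if RANDOM_DLL_RE.match(path.rsplit("\\", 1)[-1]):
        reasons.append("pseudo-random DLL name")
    return Finding(line, reasons) if reasons else None


def check_o4_startup(line):
    """Flag Startup shortcuts HijackThis could not resolve ('?') or that borrow a system process name."""
    m = O4_STARTUP_RE.match(line)
    if not m:
        return None
    lnk, target = m.group("lnk"), m.group("target").strip()
    reasons = []
    if target == "?":
        reasons.append("shortcut target could not be resolved")
    if lnk.lower() in SYSTEM_PROCESS_NAMES:
        reasons.append("shortcut named after a core system process")
    return Finding(line, reasons) if reasons else None


def check_r1(line, expected_hosts=frozenset()):
    """Flag IE search/start-page overrides pointing at any host not in expected_hosts."""
    m = R1_RE.match(line)
    if not m:
        return None
    host = re.sub(r"^https?://", "", m.group("data").strip().lower()).split("/")[0]
    if host in expected_hosts:
        return None
    return Finding(line, [f"IE {m.group('value').strip()} set to {host}"])


def triage(log_text, expected_hosts=frozenset()):
    """Run every check over each log line; returns the list of findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for f in (check_o20(line), check_o4_startup(line), check_r1(line, expected_hosts)):
            if f:
                findings.append(f)
    return findings


# Constructed sample mirroring the suspicious (and two benign) lines of the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1370906.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample the two R1 lines, the csrss.lnk entry and the cfgmngr32 and winexy32 Notify entries are reported, while WgaLogon and the Adobe shortcut pass.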

#7 rookie147 (Members, 5,321 posts)

Posted 24 July 2006 - 08:31 AM

Hey weecher, sorry for the delay in getting back to you.
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

*Save the file to your desktop and double click l2mfix.exe.
*Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
*Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition.


Please post back with the log created,
Thanks,
Charles



#8 weecher (Topic Starter, Members, 25 posts)

Posted 24 July 2006 - 02:33 PM

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32]
"DLLName"="C:\\WINDOWS\\g1370906.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winexy32]
"Asynchronous"=dword:00000001
"DllName"="winexy32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
admpar~1.dll Thu Jul 6 2006 1:29:56p A.... 49,664 48.50 K
browseui.dll Tue May 9 2006 10:23:00p A.... 1,022,976 999.00 K
cdfview.dll Tue May 9 2006 10:23:00p A.... 151,040 147.50 K
compst~1.dll Sat Jul 1 2006 11:24:56a A.... 69,632 68.00 K
danim.dll Tue May 9 2006 10:23:00p A.... 1,054,208 1.00 M
dhcpcsvc.dll Fri May 19 2006 5:59:42a A.... 111,616 109.00 K
dnsapi.dll Fri May 19 2006 5:59:42a A.... 148,480 145.00 K
dxtmsft.dll Tue May 9 2006 10:23:00p A.... 357,888 349.50 K
dxtrans.dll Tue May 9 2006 10:23:00p A.... 205,312 200.50 K
explorer.dll Thu Jun 29 2006 12:44:56p A.... 81,920 80.00 K
extmgr.dll Tue May 9 2006 10:23:00p ..... 55,808 54.50 K
frapsvid.dll Sun Apr 30 2006 6:45:16a A.... 36,864 36.00 K
iepeers.dll Tue May 9 2006 10:23:00p A.... 251,392 245.50 K
inseng.dll Tue May 9 2006 10:23:00p A.... 96,256 94.00 K
iphlpapi.dll Fri May 19 2006 5:59:42a A.... 94,720 92.50 K
jgdw400.dll Thu Jun 1 2006 11:47:08a A.... 163,840 160.00 K
jgpl400.dll Thu Jun 1 2006 11:47:08a A.... 27,648 27.00 K
jscript.dll Wed May 17 2006 10:24:26p A.... 450,560 440.00 K
jsproxy.dll Tue May 9 2006 10:23:00p A.... 16,384 16.00 K
legitc~1.dll Mon Jun 19 2006 4:19:42p ..... 571,184 557.80 K
libeay~1.dll Sun Jun 18 2006 5:54:08p A.... 796,584 777.91 K
mshtml.dll Fri May 19 2006 8:08:32a A.... 3,052,544 2.91 M
mshtmled.dll Tue May 9 2006 10:23:02p A.... 448,512 438.00 K
msrating.dll Tue May 9 2006 10:23:02p A.... 146,432 143.00 K
mstime.dll Tue May 9 2006 10:23:02p A.... 532,480 520.00 K
pngfilt.dll Tue May 9 2006 10:23:02p A.... 39,424 38.50 K
rasmans.dll Sun May 14 2006 1:44:08a A.... 181,248 177.00 K
shdocvw.dll Mon May 29 2006 8:30:34a A.... 1,494,016 1.42 M
shlwapi.dll Tue May 9 2006 10:23:02p A.... 474,112 463.00 K
urlmon.dll Tue May 9 2006 10:23:02p A.... 613,888 599.50 K
vsdata.dll Sun Jun 18 2006 5:54:18p A.... 83,960 81.99 K
vsinit.dll Sun Jun 18 2006 5:54:20p A.... 157,688 153.99 K
vsmonapi.dll Sun Jun 18 2006 5:54:20p A.... 104,440 101.99 K
vspubapi.dll Sun Jun 18 2006 5:54:20p A.... 268,280 261.99 K
vsregexp.dll Sun Jun 18 2006 5:54:22p A.... 71,672 69.99 K
vsutil.dll Sun Jun 18 2006 5:54:22p A.... 440,312 429.99 K
vswmi.dll Sun Jun 18 2006 5:54:24p A.... 59,384 57.99 K
vsxml.dll Sun Jun 18 2006 5:54:24p A.... 100,344 97.99 K
wgalogon.dll Mon Jun 19 2006 4:20:42p A.... 702,768 686.30 K
winexy32.dll Wed Jun 28 2006 10:45:22p A.... 15,872 15.50 K
wininet.dll Tue May 9 2006 10:23:04p A.... 658,432 643.00 K
wmp.dll Sat Apr 29 2006 6:07:48a A.... 5,533,696 5.28 M
xpsp3res.dll Thu May 11 2006 1:23:24a A.... 24,576 24.00 K
zlcomm.dll Sun Jun 18 2006 5:54:26p A.... 83,960 81.99 K
zlcommdb.dll Sun Jun 18 2006 5:54:26p A.... 71,672 69.99 K

45 items found: 45 files, 0 directories.
Total of file sizes: 21,173,688 bytes 20.19 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B02E-4E9E

Directory of C:\WINDOWS\System32

07/13/2006 11:09 AM <DIR> dllcache
07/10/2006 10:18 PM <DIR> tbdkvdj
09/06/2005 03:16 PM <DIR> Microsoft
0 File(s) 0 bytes
3 Dir(s) 11,069,186,048 bytes free

#9 rookie147
  • Members
  • 5,321 posts

Posted 25 July 2006 - 12:52 PM

Hello weecher.
Close any programs you have open since this step requires a reboot.

*From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter.
*The fix will start. Please don't use your keyboard while the fix is running! Your desktop and icons will disappear (this is normal).
*L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. When asked, Press any key to reboot.
*After the reboot Notepad will open with a log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder.


Download haxfix.exe.

Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:


At this point please type the following: winexy
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new HijackThis log and the look2me log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#10 weecher
  • Topic Starter
  • Members
  • 25 posts

Posted 26 July 2006 - 02:04 PM

HAXFIX logfile - by Marckie
______________
version 3.21
Wed 07/26/2006 12:03:20.70

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
no matching services found

checking for matching safeboot services....
no matching safeboot services found


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished



L2mfix 051206
Creating Account.
The account already exists.

More help is available by typing NET HELPMSG 2224.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (588)
Killing 'winlogon.exe'
winlogon.exe (660)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (272)
Killing 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!


Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (584)
Killing 'winlogon.exe'
winlogon.exe (656)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (908)
Killing 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32]
"DLLName"="C:\\WINDOWS\\g1370906.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,12,eb,ad,a0,a4,cf,65,41,91,86,ce,e2,7e,e5,85,29,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,cf,3a,0c,31,b5,71,43,e8,\
67,d5,83,bc,22,96,9d,81,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,c8,\
95,11,db,03,f6,cf,61,f7,4d,83,9b,b1,4d,91,b9,08,06,00,00,89,21,4a,68,77,d2,\
41,a2,53,84,6d,c2,91,d9,35,48,b0,cd,6b,63,ea,2a,c8,d5,40,83,1f,8b,8d,d3,e2,\
13,df,ee,98,f7,e2,d1,75,7e,f9,88,81,23,28,0e,1f,f7,46,4d,e8,5c,c7,5f,7b,b5,\
bf,c4,0f,d8,3b,ef,c9,b0,1a,2d,db,20,cb,0c,2c,11,9c,fb,8a,fb,ef,23,10,c3,21,\
32,a6,cd,64,aa,d7,7e,a3,80,bd,e0,08,29,90,a8,fd,31,7c,11,27,8f,8a,38,ee,82,\
5c,db,ae,46,18,cd,8d,39,1b,4d,92,ec,8d,f3,e3,72,76,60,bb,21,7a,c5,76,1e,fe,\
78,d8,dd,1d,f1,44,d0,01,e1,72,ac,81,d2,e3,ba,44,03,be,73,71,cc,e9,b7,33,f0,\
18,41,ec,89,52,f9,9d,96,86,a8,1c,87,fb,c6,90,9e,c6,ec,dc,b7,a8,3c,ea,4d,32,\
da,80,58,d9,51,cb,2d,1b,db,cf,39,3c,de,a9,21,e7,f9,d3,f1,ca,25,c8,f5,1b,f9,\
d5,c9,8a,da,c8,bd,12,e4,57,e0,57,c6,e6,7a,23,3f,e1,da,35,69,e0,ac,59,ae,a3,\
d1,c2,e9,15,f9,77,61,12,b5,80,e2,5f,44,33,ae,17,9e,fc,1e,98,44,86,1f,b2,fb,\
f0,36,0f,cb,c8,c8,3b,23,62,7a,26,de,2e,d2,7b,a7,b7,0d,4f,a9,b9,fc,0c,af,5e,\
b8,72,6d,0e,b5,ab,56,d8,e5,a2,15,0f,f9,70,17,52,3b,40,07,c9,ee,67,da,50,b4,\
47,27,41,db,9c,41,45,b7,ec,87,74,db,fb,64,88,89,12,19,bd,25,15,e6,a4,f2,8a,\
b2,a2,46,1b,21,2c,22,6b,9e,06,16,d2,68,42,71,ee,80,7b,32,00,24,b7,cd,0d,6e,\
91,1a,d3,7d,5c,7d,04,c8,d4,b2,b2,c4,70,67,ef,cb,0c,1a,52,37,f3,bb,fc,51,f1,\
29,e2,2e,c0,81,94,54,7b,10,3d,63,77,93,d9,54,d1,6e,3c,89,1d,de,db,49,f1,b5,\
da,21,58,16,b4,8d,84,20,be,03,83,48,cb,e8,e6,94,04,31,42,11,4c,1a,ef,83,c0,\
02,b2,a7,01,c4,1c,d3,22,ea,b8,3b,00,33,ca,43,81,da,d9,bc,0a,a8,7a,13,da,2f,\
43,5a,ee,57,13,cc,41,85,a1,91,a6,4c,88,fc,8a,e4,4a,a2,14,6b,f0,2b,f9,c5,92,\
fd,f1,59,51,4d,a8,a4,82,ae,ff,0c,1b,45,03,44,82,8c,26,56,b3,4d,61,33,ef,1c,\
be,81,fe,4a,c9,e1,2e,1e,17,3a,d5,d3,1a,be,92,de,6d,da,56,56,4f,c8,f3,23,c3,\
fe,ff,1a,7f,e3,e0,1c,e3,42,ec,f8,c5,53,46,0a,2d,fa,79,b2,04,36,01,03,cd,23,\
a5,32,84,27,94,c5,c9,30,95,f9,03,99,86,48,df,e6,20,80,2f,bf,db,ef,34,a1,32,\
7b,9c,fc,40,9d,c3,7c,39,73,39,23,cb,0e,20,1b,53,99,ca,4e,84,bd,3c,47,fc,0e,\
ae,24,80,c3,50,df,7d,90,46,da,20,23,02,18,de,e5,37,5f,8e,61,6b,8c,2b,43,6c,\
6c,1a,e1,e0,7e,25,5e,e4,b9,07,b4,2b,6d,d2,ae,70,70,a6,c3,9a,e6,81,2d,08,03,\
2c,3a,cf,99,ea,de,dd,0d,e1,d9,2e,8e,7c,56,db,d8,4a,08,2c,dc,87,cb,52,e6,b1,\
7e,1f,fa,22,79,12,7e,bd,81,e9,32,73,db,aa,07,da,ca,60,53,20,ed,a2,26,ed,48,\
ec,f9,46,66,53,1f,e5,90,69,e2,61,04,b7,77,c2,83,46,19,eb,41,9a,4b,85,46,1a,\
17,ef,ef,42,00,93,e4,3b,61,4f,05,36,05,63,ab,ab,65,fc,9a,85,f1,f7,23,56,ec,\
e6,5b,6b,4d,ff,e0,8c,73,ec,33,eb,10,44,06,53,33,32,61,e8,d9,68,41,d3,ab,95,\
f2,9b,4b,24,d2,74,d6,ab,d6,2a,3f,26,11,dc,51,07,50,2c,72,50,fb,c3,eb,c5,c2,\
c0,05,61,f4,eb,50,72,79,92,f3,e5,ae,e8,ba,7b,cc,68,40,03,03,b6,ab,10,78,64,\
6b,c1,18,ec,79,0a,ff,41,c7,64,d9,9e,6a,56,4f,78,08,f8,5c,e7,8a,2c,e7,3b,5f,\
85,da,dd,19,9b,67,3e,d1,f2,45,be,c1,f7,f8,bd,cd,37,d9,b0,cf,ea,9d,d0,1e,7e,\
35,d3,54,19,9d,27,e3,7e,43,a9,35,e1,ad,48,82,ab,bf,90,29,21,09,0c,0f,de,60,\
52,54,d5,a3,54,64,e4,61,06,7b,00,70,1f,5c,02,ab,51,7e,c1,fa,de,d0,15,47,28,\
c7,97,9d,38,77,9c,26,13,62,27,d5,48,79,21,ab,54,06,0d,80,3b,43,d2,4d,3b,12,\
b7,19,41,da,ee,0c,d9,de,ed,d0,2e,d9,50,91,74,21,32,3d,17,78,0d,76,39,f6,38,\
07,6f,2e,ff,f0,3e,ae,1f,cf,04,b3,67,3e,ae,06,85,43,4c,7b,c7,bd,e0,18,3b,bc,\
52,f5,f3,90,b7,86,b7,e9,58,d2,8d,0a,11,46,7f,13,7c,3e,29,cb,d7,6a,7a,6d,d0,\
76,12,5b,8b,27,b0,60,a7,26,b7,a2,d8,bd,8e,a6,69,ab,56,12,a4,1e,c8,e6,55,2e,\
05,27,2b,14,ab,2e,40,64,e5,95,06,47,10,66,35,28,39,84,01,a1,eb,4e,81,29,dc,\
25,54,54,7f,6d,db,86,67,dd,d2,65,85,8c,5a,b9,37,76,b8,f4,8d,8e,5f,25,5d,e0,\
ff,8c,02,02,89,a9,fd,3f,d1,b6,ce,49,aa,6d,4d,41,9f,a4,c7,d9,d0,7e,d9,d8,1c,\
15,39,07,0d,f9,43,d2,81,36,d1,44,24,a2,d4,31,bd,89,4a,ac,f4,67,98,17,98,a3,\
2a,99,d5,16,e8,02,1e,ec,ff,83,89,87,6d,33,92,0a,27,dd,f3,b6,7f,dc,d6,b6,3a,\
5e,6b,22,a8,1c,36,b8,35,60,ee,69,11,3d,58,2b,b3,f2,ac,3c,15,c8,31,29,5f,12,\
4c,91,6b,0c,66,50,1f,2b,b4,b6,e0,f6,f3,ae,d2,7f,5b,0e,f6,2e,16,7d,83,01,14,\
75,08,bc,b6,cc,1f,20,af,62,2d,68,a5,f7,c1,4e,27,a2,a5,c5,b4,99,52,07,0c,f0,\
ef,5a,15,41,ff,39,44,cd,07,d0,8e,3e,e5,fc,c5,6a,a9,a6,9b,db,05,e0,8f,34,e6,\
26,40,19,21,34,4c,16,99,19,48,49,fa,93,07,5e,cf,d9,53,f2,de,37,07,ff,08,ce,\
54,56,ad,c0,5b,02,7d,0d,e6,70,b6,e8,4b,36,e8,b3,79,4c,c4,33,8f,64,8d,4d,12,\
ec,ef,fd,d2,ab,3e,f6,18,3b,1a,8b,2c,c8,99,84,55,48,9f,4c,68,a5,23,bf,9a,32,\
b5,89,dd,2b,82,92,89,05,cb,fb,3c,45,eb,8f,8b,8c,10,c1,9f,4b,0a,34,3f,83,b5,\
d3,f6,0d,46,84,e8,c1,0c,1f,08,b0,fa,cb,05,53,f5,6a,42,0d,ae,43,06,2d,61,91,\
a8,72,41,6d,68,e7,9f,4e,17,af,87,83,ec,76,87,c0,64,4d,c7,f6,94,bd,17,39,1a,\
da,1f,3d,0a,cc,cc,27,4b,55,03,50,a7,0b,dc,bd,8e,3c,7e,f1,ee,3e,7f,0d,0f,0c,\
34,47,d6,8d,e0,b0,13,2a,15,bf,98,27,4f,a2,6c,0e,fd,d3,ab,3e,73,e1,1a,ed,8b,\
16,a4,a7,7a,5b,f1,07,eb,39,73,99,dd,e7,9b,53,73,b1,25,2f,10,8d,ba,ba,ea,9a,\
d0,4b,2e,ac,14,88,ad,c2,99,88,34,d9,b0,e8,39,8c,b3,3f,e4,03,bb,c2,e8,bc,fd,\
8e,11,79,8b,48,57,99,e3,49,cc,b7,9b,81,14,00,00,00,a6,77,a5,56,e1,40,c6,ba,\
1c,df,72,20,4a,7e,46,99,3d,58,9a,f5

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winexy32]
"Asynchronous"=dword:00000001
"DllName"="winexy32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (140 bytes security) (deflated 79%)
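
The Winlogon Notify export in the L2mfix log above is the security-relevant part of this post: every subkey under that key names a DLL that winlogon.exe loads into its own process at startup and calls on logon, logoff and shutdown events, which is why a package such as cfgmngr32 or winexy32 comes back after every reboot and cannot be deleted while it is mapped into winlogon. The script below is an added example, not part of the thread and not code from L2mfix, HaxFix or HijackThis. It parses such an export, including the hex(2) REG_EXPAND_SZ encoding that the stock entries use, and flags packages that are not in a baseline of Windows XP's own notification packages or that load a DLL by absolute path from outside system32. The baseline, the C:\WINDOWS\system32 path and the shortened sample export are assumptions reconstructed from the values visible above, not an authoritative Microsoft list.

```python
"""Triage a Winlogon\\Notify registry export (.reg) for suspicious packages.

Added example, not code from the thread or from L2mfix/HaxFix/HijackThis.
The baseline of stock XP packages, the system32 path and SAMPLE_EXPORT are
assumptions reconstructed from the values visible in the posted log.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = r"c:\windows\system32"          # assumption: C:\WINDOWS install as in the log

# Stock XP notification packages and the DLL each should point at (assumption).
KNOWN_PACKAGES = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wgalogon": "wgalogon.dll", "wlballoon": "wlnotify.dll",
}


def decode_reg_value(raw):
    """Decode one .reg value: "string", dword:, hex(2): (REG_EXPAND_SZ as
    UTF-16LE) or plain hex: (REG_BINARY, returned as bytes)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw, re.I | re.S)
    if m:
        data = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(2)))
        if m.group(1) in ("2", "7"):        # EXPAND_SZ / MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor 5.00' export into
    {key_path: {value_name: decoded_value}}, joining backslash-continued lines."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # hex data wraps over lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def triage_notify(keys):
    """Return {package: [reasons]} for Notify packages that deserve a look."""
    findings, prefix = {}, NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        package = path[len(prefix):]
        if "\\" in package:                 # e.g. WgaLogon\Settings: data, not a package
            continue
        vals = {k.lower(): v for k, v in values.items()}   # "DLLName" vs "DllName"
        dll = vals.get("dllname")
        reasons = []
        expected = KNOWN_PACKAGES.get(package.lower())
        if expected is None:
            reasons.append("package not in the stock XP baseline")
        elif not isinstance(dll, str) or dll.lower() != expected:
            reasons.append(f"DllName {dll!r} differs from baseline {expected!r}")
        if isinstance(dll, str) and "\\" in dll and not dll.lower().startswith(SYSTEM32 + "\\"):
            reasons.append("DLL loaded by absolute path from outside system32")
        if reasons and vals.get("impersonate", 0) == 0:
            reasons.append("Impersonate=0: handlers run in winlogon's SYSTEM context")
        if reasons:
            findings[package] = reasons
    return findings


# Constructed, shortened copy of the export posted above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32]
"DLLName"="C:\\WINDOWS\\g1370906.dll"
"logon"="WACLEventLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Impersonate"=dword:00000001
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winexy32]
"Asynchronous"=dword:00000001
"DllName"="winexy32.dll"
"Impersonate"=dword:00000000
'''


def run_sample():
    return triage_notify(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for package, reasons in run_sample().items():
        print(package)
        for reason in reasons:
            print("   -", reason)
```

On the sample, cfgmngr32 and winexy32 are reported and the stock entries are silent. A bare DllName such as winexy32.dll is resolved through winlogon's DLL search path, so the script does not try to locate it; the absolute-path check only fires for entries like g1370906.dll that point outside system32 explicitly.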

#11 rookie147
  • Members
  • 5,321 posts

Posted 27 July 2006 - 04:55 AM

Hello weecher, thanks for the logs.
Can you post me a new HijackThis log please, as that will show if they have been completely removed. :thumbsup:
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#12 weecher
  • Topic Starter
  • Members
  • 25 posts

Posted 28 July 2006 - 03:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:45:28 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Yvonne\LOCALS~1\Temp\Rar$EX00.281\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1370906.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#13 rookie147
  • Members
  • 5,321 posts

Posted 29 July 2006 - 05:33 AM

Hello weecher,
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

STEP 1
Download win32delfkil.exe.

Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

STEP 2
You are running HJT from a temporary directory once again, please follow my previous instructions to resolve this.

STEP 3
Make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

STEP 4
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
O4 - Startup: csrss.lnk = ?
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1370906.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

STEP 5
Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select safe mode from the list. However, if this does not work, please follow the tutorial here.

STEP 6
Next, please find and delete the following files/folders (if present):
C:\WINDOWS\g1370906.dll<--This file
C:\WINDOWS\system32\compstuic.dll<--This file
C:\WINDOWS\SYSTEM32\winexy32.dll<--This file

To find the first file, double click on the My Computer icon on your desktop, and then double click on Local Disk (C:), then find the folder entitled WINDOWS and delete the file inside named g1370906.dll. Please repeat this with the other two.

Once you have done all this, please post another HJT log, along with the log created by win32delfkil.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#14 weecher
  • Topic Starter
  • Members
  • 25 posts

Posted 30 July 2006 - 06:30 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:27:46 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\win2829.tmp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Yvonne\LOCALS~1\Temp\Rar$EX00.328\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



Notify key
----------



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



Notify key
----------






I was unable to delete winexy32.dll; it wouldn't let me.
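As an added, defender-side example (not a tool from this thread, from BleepingComputer, or from the HijackThis project), here is a small Python triage script that applies the same checks a helper performs by eye on a HijackThis log: an O20 Winlogon Notify DLL whose name is not on a known-good list, an O4 Startup item that borrows a core Windows process name or whose shortcut target is unresolved, and entries tagged "(file missing)". The sample lines are constructed from the entries quoted above, and the known-good Notify list is an assumption for this example, not an authoritative reference.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Startup: csrss.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag such as "O4 - ..." or "R1 - ...".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<link>.+?) = (?P<target>.+)$")

# Assumed allowlist of Winlogon Notify subkeys that ship with Windows XP SP2
# (plus WgaLogon from the WGA update). This is a constructed list for the
# example; real triage verifies the DLL itself, not just its registry name.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

# Core Windows process names. The genuine csrss.exe/smss.exe are started by
# the kernel/session manager, never from a Startup folder shortcut, so a
# startup item borrowing one of these names is a masquerade indicator.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "winlogon", "lsass", "services", "svchost"}


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "O20":
        m20 = O20_RE.match(body)
        if m20 and m20.group("name") not in KNOWN_NOTIFY:
            return Finding(sec, "high",
                           f"Winlogon Notify DLL '{m20.group('name')}' is not a known Windows component",
                           line)
    elif sec == "O4":
        m4 = O4_STARTUP_RE.match(body)
        if m4:
            stem = m4.group("link").lower().rsplit(".", 1)[0]
            if stem in SYSTEM_PROCESS_NAMES:
                return Finding(sec, "high",
                               f"Startup item '{m4.group('link')}' borrows a core system process name",
                               line)
            if m4.group("target") == "?":
                return Finding(sec, "medium", "Startup shortcut target could not be resolved", line)

    # Orphaned entries are not malicious by themselves, but they are clutter
    # worth noting, and an unexpected missing file can hint at an uninstall
    # that a malware component interrupted.
    if body.endswith("(file missing)"):
        return Finding(sec, "low", "orphaned entry: referenced file is missing", line)
    return None


def triage_log(text: str):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the constructed sample, the script flags the csrss.lnk startup item and the winexy32 Notify DLL as high, and the two "(file missing)" entries as low; the standard Java, Messenger and ZoneAlarm entries produce nothing.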

#15 rookie147

  • Members
  • 5,321 posts
  • Local time:07:10 PM

Posted 02 August 2006 - 09:38 AM

Hello weecher
Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Reboot your computer into Safe Mode
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file uninstall_list.txt will be created. Copy and paste the contents of this file to your next reply, along with the WinPFind log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.




