
DMVlite & People On Page

Discussion in 'Malware and Virus Removal Archive' started by melissa1975, 2005/03/26.

  1. 2005/03/26
    melissa1975

    Hi all,

    I am very frustrated. I have run Pest Patrol, EZ-Armor & Ad-Aware. I cannot get these programs off. I get pop-ups all the time, even when not on-line. I ran hijackthis and below is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:02:29 PM, on 3/26/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\WINDOWS\System32\explore1.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\gpt_disp.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\??plorer.exe
    C:\Documents and Settings\MELISSA\Application Data\osoa.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - C:\WINDOWS\System32\mrawiylq.dll (file missing)
    O2 - BHO: (no name) - {619A9746-7989-077A-8089-5640459FFCC9} - C:\WINDOWS\system32\bautw.dll
    O2 - BHO: (no name) - {C6B41CEA-D829-40E0-8AD7-50DE0F80D2BD} - C:\WINDOWS\System32\mnmm.dll (file missing)
    O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - C:\WINDOWS\System32\oafcomjx.dll (file missing)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [Explore1] C:\WINDOWS\System32\explore1.exe
    O4 - HKLM\..\Run: [eudhzc] C:\WINDOWS\System32\eudhzc.exe
    O4 - HKLM\..\Run: [nviwgc] C:\WINDOWS\System32\nviwgc.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\DAMEE\stlb2_dist36.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [v73k34i] gpt_disp.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Fozcjsbp] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [ewsqRQGEh] rsnwgc.exe
    O4 - HKCU\..\Run: [dpnwsock] C:\WINDOWS\System32\dpnwsock.exe
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\MELISSA\Application Data\osoa.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\fp4m03h1e.dll (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    PLEASE HELP!!!
     
  2. 2005/03/27
    noahdfear

    Welcome to WindowsBBS melissa1975 :)

    Please download L2mfix

    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     


  4. 2005/03/27
    melissa1975

    Thanks for the quick reply and the welcome. Here is the log from l2mfix...

    L2MFIX find log 1.03
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=" "
    "DLLName "= "igfxsrvc.dll "
    "Asynchronous "=dword:00000001
    "Impersonate "=dword:00000001
    "Unlock "= "WinlogonUnlockEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\guard.tmp "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName "= "wlnotify.dll "
    "Logon "= "SCardStartCertProp "
    "Logoff "= "SCardStopCertProp "
    "Lock "= "SCardSuspendCertProp "
    "Unlock "= "SCardResumeCertProp "
    "Enabled "=dword:00000001
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "StartShell "= "SchedStartShell "
    "Logoff "= "SchedEventLogOff "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "PostShell "= "SensPostShellEvent "
    "Disconnect "= "SensDisconnectEvent "
    "Reconnect "= "SensReconnectEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\fp4m03h1e.dll "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "Logoff "= "TSEventLogoff "
    "Logon "= "TSEventLogon "
    "PostShell "= "TSEventPostShell "
    "Shutdown "= "TSEventShutdown "
    "StartShell "= "TSEventStartShell "
    "Startup "= "TSEventStartup "
    "MaxWait "=dword:00000258
    "Reconnect "= "TSEventReconnect "
    "Disconnect "= "TSEventDisconnect "
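Example added by the editor, not code from the thread or from the L2MFix tool: a small Python parser for the Winlogon\Notify section of an L2MFix find log (the one posted above, and repeated in the later post) that decodes the hex(2) DllName values, joins the `\` continuation lines, tolerates the spaces the forum inserted inside the quotes, and flags entries whose DLL is registered by full path, is a .tmp file, or is outside a partial allowlist of XP's own notification DLLs. The allowlist is an assumption assembled from the legitimate entries in the log, and the sample input is constructed from three of its subkeys.

```python
"""Triage the Winlogon\\Notify section of an L2MFix "find log".

Added example, not part of the thread or of the L2MFix tool. KNOWN_GOOD_DLLS is
an assumption: a partial list of the notify DLLs Windows XP itself registers,
taken from the legitimate entries in the posted log.
"""
import re

KNOWN_GOOD_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "igfxsrvc.dll",
    "wlnotify.dll", "sclgntfy.dll",
}

# Matches a Notify subkey header; the bare ...\Winlogon\Notify] parent key does not match.
SECTION_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(?P<name>[^\]]+)\]$")
# Matches '"Name"=value' and tolerates the stray spaces the forum put inside the quotes.
VALUE_RE = re.compile(r'^"(?P<key>[^"]+?)\s*"\s*=\s*(?P<val>.+)$')


def decode_reg_value(raw):
    """Turn the right-hand side of a .reg value line into a str or int."""
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ exported as comma-separated UTF-16LE bytes (63,00,72,00,... = "cr...")
        body = raw[len("hex(2):"):].replace(" ", "")
        data = bytes(int(b, 16) for b in body.split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"'):
        # REG_SZ: drop quotes and forum padding, collapse the doubled backslashes
        return raw.strip('"').strip().replace("\\\\", "\\")
    return raw


def parse_notify_export(text):
    """Return {subkey name: {value name (lower-cased): decoded value}}."""
    entries = {}
    current = None
    pending = ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # .reg continuation line for long hex values
            pending = line[:-1]
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("key").strip().lower()] = decode_reg_value(m.group("val"))
    return entries


def assess_notify_entries(entries):
    """Return [(subkey, dll, [reasons])] for entries that deserve a closer look."""
    findings = []
    for name, values in entries.items():
        dll = str(values.get("dllname", ""))
        reasons = []
        if not dll:
            reasons.append("no DllName value")
        else:
            base = dll.rsplit("\\", 1)[-1].lower()
            if "\\" in dll:
                # Windows' own notify packages are registered by bare file name from system32
                reasons.append("registered by full path rather than bare file name")
            if base.endswith(".tmp"):
                reasons.append("a .tmp file is registered as a notification DLL")
            if base not in KNOWN_GOOD_DLLS:
                reasons.append("not in the XP baseline allowlist")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


# Constructed sample in the exact shape of the posted log, including the
# trailing spaces the forum added inside the quotes and the hex continuation line.
SAMPLE_LOG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous "=dword:00000000
"Impersonate "=dword:00000000
"DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff "= "ChainWlxLogoffEvent "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=" "
"DLLName "= "igfxsrvc.dll "
"Asynchronous "=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous "=dword:00000000
"DllName "= "C:\\WINDOWS\\system32\\guard.tmp "
"Impersonate "=dword:00000000
"Logon "= "WinLogon "
'''

if __name__ == "__main__":
    for name, dll, reasons in assess_notify_entries(parse_notify_export(SAMPLE_LOG)):
        print(f"{name!r} -> {dll}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the full log above, the same checks single out the MS-DOS Emulation and SideBySide subkeys while the Microsoft entries pass.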
     
  5. 2005/03/27
    noahdfear

    Is that the entire log?
     
  6. 2005/03/27
    melissa1975

    I ran it again. Here it is in 2 parts:
    L2MFIX find log 1.03
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=" "
    "DLLName "= "igfxsrvc.dll "
    "Asynchronous "=dword:00000001
    "Impersonate "=dword:00000001
    "Unlock "= "WinlogonUnlockEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\guard.tmp "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName "= "wlnotify.dll "
    "Logon "= "SCardStartCertProp "
    "Logoff "= "SCardStopCertProp "
    "Lock "= "SCardSuspendCertProp "
    "Unlock "= "SCardResumeCertProp "
    "Enabled "=dword:00000001
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "StartShell "= "SchedStartShell "
    "Logoff "= "SchedEventLogOff "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "PostShell "= "SensPostShellEvent "
    "Disconnect "= "SensDisconnectEvent "
    "Reconnect "= "SensReconnectEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINDOWS\\system32\\fp4m03h1e.dll "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "Logoff "= "TSEventLogoff "
    "Logon "= "TSEventLogon "
    "PostShell "= "TSEventPostShell "
    "Shutdown "= "TSEventShutdown "
    "StartShell "= "TSEventStartShell "
    "Startup "= "TSEventStartup "
    "MaxWait "=dword:00000258
    "Reconnect "= "TSEventReconnect "
    "Disconnect "= "TSEventDisconnect "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName "= "wlnotify.dll "
    "Logon "= "RegisterTicketExpiredNotificationEvent "
    "Logoff "= "UnregisterTicketExpiredNotificationEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7884062C-33FE-4D53-84BC-A798BE5C0033} "=" "
    "SV1 "=" "

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046} "= "Multimedia File Property Sheet "
    "{176d6597-26d3-11d1-b350-080036a75b03} "= "ICM Scanner Management "
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C} "= "NTFS Security Page "
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32} "= "OLE Docfile Property Page "
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6} "= "Shell extensions for sharing "
    "{41E300E0-78B6-11ce-849B-444553540000} "= "PlusPack CPL Extension "
    "{42071712-76d4-11d1-8b24-00a0c9068ff3} "= "Display Adapter CPL Extension "
    "{42071713-76d4-11d1-8b24-00a0c9068ff3} "= "Display Monitor CPL Extension "
    "{42071714-76d4-11d1-8b24-00a0c9068ff3} "= "Display Panning CPL Extension "
    "{4E40F770-369C-11d0-8922-00A024AB2DBB} "= "DS Security Page "
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} "= "Compatibility Page "
    "{56117100-C0CD-101B-81E2-00AA004AE837} "= "Shell Scrap DataHandler "
    "{59099400-57FF-11CE-BD94-0020AF85B590} "= "Disk Copy Extension "
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6} "= "Shell extensions for Microsoft Windows Network objects "
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605} "= "ICM Monitor Management "
    "{675F097E-4C4D-11D0-B6C1-0800091AA605} "= "ICM Printer Management "
    "{764BF0E1-F219-11ce-972D-00AA00A14F56} "= "Shell extensions for file compression "
    "{77597368-7b15-11d0-a0c2-080036af3f03} "= "Web Printer Shell Extension "
    "{7988B573-EC89-11cf-9C00-00AA00A14F56} "= "Disk Quota UI "
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "= "Encryption Context Menu "
    "{85BBD920-42A0-1069-A2E4-08002B30309D} "= "Briefcase "
    "{88895560-9AA2-1069-930E-00AA0030EBC8} "= "HyperTerminal Icon Ext "
    "{BD84B380-8CA2-1069-AB1D-08000948F534} "= "Fonts "
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27} "= "ICC Profile "
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} "= "Printers Security Page "
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} "= "Shell extensions for sharing "
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03} "= "Display TroubleShoot CPL Extension "
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto PKO Extension "
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto Sign Extension "
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E} "= "Network Connections "
    "{992CFFA0-F557-101A-88EC-00DD010CCC48} "= "Network Connections "
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD} "= "Scanners & Cameras "
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} "= "Scanners & Cameras "
    "{905667aa-acd6-11d2-8080-00805f6596d2} "= "Scanners & Cameras "
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1} "= "Scanners & Cameras "
    "{83bbcbf3-b28a-4919-a5aa-73027445d672} "= "Scanners & Cameras "
    "{F0152790-D56E-4445-850E-4F3117DB740C} "= "Remote Sessions CPL Extension "
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED} "= "Auto Update Property Sheet Extension "
    "{60254CA5-953B-11CF-8C96-00AA00B8708C} "= "Shell extensions for Windows Script Host "
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829} "= "Microsoft Data Link "
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Icon Handler "
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Shell Extension "
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF} "= "Scheduled Tasks "
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1} "= "Taskbar and Start Menu "
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} "= "Search "
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} "= "Run... "
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} "= "Internet "
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} "= "E-mail "
    "{D20EA4E1-3957-11d2-A40B-0C5020524152} "= "Fonts "
    "{D20EA4E1-3957-11d2-A40B-0C5020524153} "= "Administrative Tools "
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} "= "Audio Media Properties Handler "
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} "= "Video Media Properties Handler "
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71} "= "Wav Properties Handler "
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E} "= "Avi Properties Handler "
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9} "= "Midi Properties Handler "
    "{c5a40261-cd64-4ccf-84cb-c394da41d590} "= "Video Thumbnail Extractor "
    "{5E6AB780-7743-11CF-A12B-00AA004AE837} "= "Microsoft Internet Toolbar "
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938} "= "Download Status "
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972} "= "Augmented Shell Folder "
    "{6413BA2C-B461-11d1-A18A-080036B11A03} "= "Augmented Shell Folder 2 "
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383} "= "BandProxy "
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837} "= "Microsoft BrowserBand "
    "{30D02401-6A81-11d0-8274-00C04FD5AE38} "= "Search Band "
    "{32683183-48a0-441b-a342-7c2a440a9478} "= "Media Band "
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13} "= "In-pane search "
    "{07798131-AF23-11d1-9111-00A0C98BA67D} "= "Web Search "
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8} "= "Registry Tree Options Utility "
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383} "= "&Address "
    "{A08C11D2-A228-11d0-825B-00AA005B4383} "= "Address EditBox "
    "{00BB2763-6A77-11D0-A535-00C04FD7D062} "= "Microsoft AutoComplete "
    "{7376D660-C583-11d0-A3A5-00C04FD706EC} "= "TridentImageExtractor "
    "{6756A641-DE71-11d0-831B-00AA005B4383} "= "MRU AutoComplete List "
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} "= "Custom MRU AutoCompleted List "
    "{7e653215-fa25-46bd-a339-34a2790f3cb7} "= "Accessible "
    "{acf35015-526e-4230-9596-becbe19f0ac9} "= "Track Popup Bar "
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2} "= "Address Bar Parser "
    "{00BB2764-6A77-11D0-A535-00C04FD7D062} "= "Microsoft History AutoComplete List "
    "{03C036F1-A186-11D0-824A-00AA005B4383} "= "Microsoft Shell Folder AutoComplete List "
    "{00BB2765-6A77-11D0-A535-00C04FD7D062} "= "Microsoft Multiple AutoComplete List Container "
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1} "= "Shell Band Site Menu "
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} "= "Shell DeskBarApp "
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1} "= "Shell DeskBar "
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1} "= "Shell Rebar BandSite "
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C} "= "User Assist "
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} "= "Global Folder Settings "
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E} "= "Favorites Band "
    "{0A89A860-D7B1-11CE-8350-444553540000} "= "Shell Automation Inproc Service "
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} "= "Shell DocObject Viewer "
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} "= "Microsoft Browser Architecture "
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= "InternetShortcut "
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE} "= "Microsoft Url History Service "
    "{FF393560-C2A7-11CF-BFF4-444553540000} "= "History "
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497} "= "Microsoft Url Search Hook "
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "IE4 Suite Splash Screen "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "The Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E} "= "Explorer Band "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "ActiveX Cache Folder "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Subscription Folder "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Shell Application Manager "
    "{0B124F8F-91F0-11D1-B8B5-006008059382} "= "Installed Apps Enumerator "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{e84fda7c-1d6a-45f6-b725-cb260c236066} "= "Shell Image Verbs "
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} "= "Shell Image Data Factory "
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B} "= "GDI+ file thumbnail extractor "
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{EAB841A0-9550-11cf-8C16-00805F1408F3} "= "HTML Thumbnail Extractor "
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} "= "Shell Image Property Handler "
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D} "= "Web Publishing Wizard "
    "{add36aa8-751a-4579-a266-d66f5202ccbb} "= "Print Ordering via the Web "
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1} "= "Shell Publishing Wizard Object "
    "{58f1f272-9240-4f51-b6d4-fd63d1618591} "= "Get a Passport Wizard "
    "{7A9D77BD-5403-11d2-8785-2E0420524153} "= "User Accounts "
    "{BD472F60-27FA-11cf-B8B4-444553540000} "= "Compressed (zipped) Folder Right Drag Handler "
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "= "Compressed (zipped) Folder SendTo Target "
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433} "= "Channel File "
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} "= "Channel Shortcut "
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} "= "Channel Handler Object "
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437} "= "Channel Menu "
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} "= "Channel Properties "
    "{63da6ec0-2e98-11cf-8d82-444553540000} "= "FTP Folders Webview "
    "{883373C3-BF89-11D1-BE35-080036B11A03} "= "Microsoft DocProp Shell Ext "
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D} "= "Microsoft DocProp Inplace Edit Box Control "
    "{8EE97210-FD1F-4B19-91DA-67914005F020} "= "Microsoft DocProp Inplace ML Edit Box Control "
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} "= "Microsoft DocProp Inplace Droplist Combo Control "
    "{6A205B57-2567-4A2C-B881-F787FAB579A3} "= "Microsoft DocProp Inplace Calendar Control "
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} "= "Microsoft DocProp Inplace Time Control "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Offline Files Folder "
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14} "= "Microsoft Agent Character Property Sheet Handler "
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} "= "DfsShell "
    "{60fd46de-f830-4894-a628-6fa81bc0190d} "= "%DESC_PublishDropTarget% "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{32714800-2E5F-11d0-8B85-00AA0044F941} "= "For &People... "
    "{8DD448E6-C188-4aed-AF92-44956194EB1F} "= "Windows Media Player Play as Playlist Context Menu Handler "
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} "= "Windows Media Player Burn Audio CD Context Menu Handler "
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} "= "Windows Media Player Add to Playlist Context Menu Handler "
    "{1D2680C9-0E2A-469d-B787-065558BC7D43} "= "Fusion Cache "
    "{2F603045-309F-11CF-9774-0020AFD0CFF6} "= "Synaptics Control Panel "
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04} "= "RecordNow! SendToExt "
    "{5CA3D70E-1895-11CF-8E15-001234567890} "= "DriveLetterAccess "
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "= "Web Folders "
    "{00020D75-0000-0000-C000-000000000046} "= "Microsoft Office Outlook Desktop Icon Handler "
    "{0006F045-0000-0000-C000-000000000046} "= "Microsoft Office Outlook Custom Icon Handler "
    "{42042206-2D85-11D3-8CFF-005004838597} "= "Microsoft Office HTML Icon Handler "
    "{640167b4-59b0-47a6-b335-a6b3c0695aea} "= "Portable Media Devices "
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e} "= "Portable Media Devices Menu "
    "{5464D816-CF16-4784-B9F3-75C0DB52B499} "= "Yahoo! Mail "
    "{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8} "=" "
    "{E77C334A-C1B7-42ED-B90A-9BF7EE989207} "=" "
    "{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7} "=" "
    "{D9872D13-7651-4471-9EEE-F0A00218BEBB} "= "Multiscan "
    "{0C532FCA-7192-4A71-88AF-75354E948FCD} "=" "
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "= "iTunes "
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} "= "Set Program Access and Defaults "
    "{596AB062-B4D2-4215-9F74-E9109B0A8153} "= "Previous Versions Property Page "
    "{9DB7A13C-F208-4981-8353-73CC61AE2783} "= "Previous Versions "
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87} "= "Extensions Manager Folder "

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{E77C334A-C1B7-42ED-B90A-9BF7EE989207}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E77C334A-C1B7-42ED-B90A-9BF7EE989207}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E77C334A-C1B7-42ED-B90A-9BF7EE989207}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{E77C334A-C1B7-42ED-B90A-9BF7EE989207}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\RICNS4.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\iq6ml5j11.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0C532FCA-7192-4A71-88AF-75354E948FCD}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0C532FCA-7192-4A71-88AF-75354E948FCD}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0C532FCA-7192-4A71-88AF-75354E948FCD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{0C532FCA-7192-4A71-88AF-75354E948FCD}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    **********************************************************************************
     
  7. 2005/03/27
    melissa1975 Inactive Thread Starter
    Part 2...

    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    azao0e~1.dll Thu Jan 13 2005 10:41:16p ..S.R 223,441 218.20 K
    bautw.dll Thu Mar 17 2005 8:59:28a A.... 163,840 160.00 K
    browseui.dll Thu Jan 27 2005 12:13:16p A.... 1,016,832 993.00 K
    cdfview.dll Thu Jan 27 2005 12:13:16p A.... 151,040 147.50 K
    e4200e~1.dll Tue Jan 4 2005 11:26:28a ..S.R 222,977 217.75 K
    en0ql1~1.dll Mon Jan 3 2005 8:39:18p ..S.R 224,340 219.08 K
    en4sl1~1.dll Sat Jan 8 2005 4:51:24p ..S.R 222,967 217.74 K
    en84l1~1.dll Fri Jan 7 2005 9:55:10p ..S.R 224,894 219.62 K
    en8ul1~1.dll Sun Jan 9 2005 10:01:44a ..S.R 222,967 217.74 K
    enrsl1~1.dll Fri Jan 7 2005 11:27:18p ..S.R 224,758 219.49 K
    eudhz.dll Sat Jan 15 2005 6:23:16p A.... 99,328 97.00 K
    f42m0e~1.dll Sun Jan 9 2005 9:52:48a ..S.R 222,967 217.74 K
    fpn003~1.dll Sat Jan 15 2005 9:02:12p ..S.R 224,701 219.43 K
    g4040e~1.dll Mon Jan 10 2005 7:04:58p ..S.R 222,967 217.74 K
    gp0ql3~1.dll Tue Jan 11 2005 6:49:42p ..S.R 222,967 217.74 K
    h04mla~1.dll Sat Jan 15 2005 12:33:20p ..S.R 224,701 219.43 K
    i0jq0a~1.dll Fri Dec 31 2004 10:05:04a ..S.R 223,048 217.82 K
    iepeers.dll Thu Jan 27 2005 12:13:16p A.... 249,856 244.00 K
    inseng.dll Thu Jan 27 2005 12:13:16p A.... 96,256 94.00 K
    ir0ol5~1.dll Wed Dec 29 2004 10:00:00p ..S.R 225,896 220.60 K
    ir40l5~1.dll Fri Jan 7 2005 11:04:48p ..S.R 222,967 217.74 K
    ir6ml5~1.dll Sun Jan 2 2005 2:40:40p ..S.R 222,538 217.32 K
    ir82l5~1.dll Sun Jan 16 2005 2:49:14p ..S.R 224,844 219.57 K
    k4440e~1.dll Fri Dec 31 2004 9:45:36a ..S.R 222,982 217.75 K
    l44q0e~1.dll Thu Jan 13 2005 3:30:40p ..S.R 223,441 218.20 K
    lv6q09~1.dll Mon Jan 10 2005 8:19:34p ..S.R 222,967 217.74 K
    m4nq0e~1.dll Thu Jan 13 2005 3:28:34p ..S.R 223,441 218.20 K
    mdrdim.dll Mon Jan 10 2005 7:05:46p ..S.R 222,967 217.74 K
    mforcl32.dll Thu Dec 30 2004 9:14:16a ..S.R 225,896 220.60 K
    mshtml.dll Thu Jan 27 2005 12:13:18p A.... 3,006,976 2.87 M
    n6l8lg~1.dll Thu Dec 30 2004 3:00:38p ..S.R 225,896 220.60 K
    n6n6lg~1.dll Sat Jan 8 2005 12:07:18p ..S.R 222,967 217.74 K
    nlwdev.dll Wed Dec 29 2004 9:35:50a ..S.R 225,896 220.60 K
    nviwg.dll Sat Jan 15 2005 6:23:24p A.... 99,328 97.00 K
    o0660a~1.dll Tue Jan 4 2005 11:37:24a ..S.R 223,613 218.37 K
    o4480e~1.dll Sat Jan 8 2005 4:53:58p ..S.R 223,431 218.19 K
    ole32.dll Fri Jan 14 2005 3:55:50a A.... 1,285,120 1.22 M
    olecli32.dll Fri Jan 14 2005 3:55:50a A.... 74,752 73.00 K
    olecnv32.dll Fri Jan 14 2005 3:55:50a A.... 37,888 37.00 K
    oyeaccrc.dll Tue Jan 18 2005 9:12:58p A.... 224,844 219.57 K
    q0rq0a~1.dll Fri Dec 31 2004 9:56:36a ..S.R 223,128 217.90 K
    r26ulc~1.dll Wed Jan 5 2005 7:24:06p ..S.R 224,929 219.66 K
    rpcss.dll Fri Jan 14 2005 3:55:50a A.... 395,776 386.50 K
    rsocurs.dll Sun Jan 9 2005 10:00:44a ..S.R 222,967 217.74 K
    shdocvw.dll Thu Jan 27 2005 12:13:18p A.... 1,483,264 1.41 M
    shlwapi.dll Thu Jan 27 2005 12:13:18p A.... 473,600 462.50 K
    urlmon.dll Thu Jan 27 2005 12:13:18p A.... 607,744 593.50 K
    wininet.dll Thu Jan 27 2005 12:13:18p A.... 656,896 641.50 K

    48 items found: 48 files (31 H/S), 0 directories.
    Total of file sizes: 17,061,801 bytes 16.27 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 605A-7B9E

    Directory of C:\WINDOWS\System32

    02/20/2005 01:12 PM <DIR> DLLCACHE
    01/16/2005 02:49 PM 224,844 ir82l5lo1.dll
    01/15/2005 09:02 PM 224,701 fpn0035me.dll
    01/15/2005 12:33 PM 224,701 h04mlah11d4.dll
    01/13/2005 10:41 PM 223,441 azao0eh3eh4.dll
    01/13/2005 03:30 PM 223,441 l44q0eh5eh4.dll
    01/13/2005 03:28 PM 223,441 m4nq0e55eh.dll
    01/11/2005 06:49 PM 222,967 gp0ql3d51.dll
    01/11/2005 09:15 AM 401,408 ??plorer.exe
    01/10/2005 08:19 PM 222,967 lv6q09j5e.dll
    01/10/2005 07:05 PM 222,967 MDRDIM.DLL
    01/10/2005 07:04 PM 222,967 g4040edqeh0e0.dll
    01/09/2005 10:01 AM 222,967 en8ul1l91.dll
    01/09/2005 10:00 AM 222,967 RSOCURS.DLL
    01/09/2005 09:52 AM 222,967 f42m0ef1eh2.dll
    01/08/2005 04:53 PM 223,431 o4480ehueh480.dll
    01/08/2005 04:51 PM 222,967 en4sl1h71.dll
    01/08/2005 12:07 PM 222,967 n6n6lg5s16.dll
    01/07/2005 11:27 PM 224,758 enrsl1971.dll
    01/07/2005 11:04 PM 222,967 ir40l5hm1.dll
    01/07/2005 09:55 PM 224,894 en84l1lq1.dll
    01/05/2005 07:24 PM 224,929 r26ulcj91fo.dll
    01/04/2005 11:37 AM 223,613 o0660ajsedo60.dll
    01/04/2005 11:26 AM 222,977 e4200efmeh2a0.dll
    01/03/2005 08:39 PM 224,340 en0ql1d51.dll
    01/02/2005 02:40 PM 222,538 ir6ml5j11.dll
    12/31/2004 10:05 AM 223,048 i0jq0a15ed.dll
    12/31/2004 09:56 AM 223,128 q0rq0a95ed.dll
    12/31/2004 09:45 AM 222,982 k4440ehqeh4e0.dll
    12/30/2004 03:00 PM 225,896 n6l8lg3u16.dll
    12/30/2004 09:14 AM 225,896 MFORCL32.DLL
    12/29/2004 09:59 PM 225,896 ir0ol5d31.dll
    12/29/2004 09:35 AM 225,896 NLWDEV.DLL
    12/26/2004 10:38 PM 224,400 m046lahs1d46.dll
    12/26/2004 12:41 PM 224,400 MWPRIVS.DLL
    12/24/2004 07:00 PM 224,400 PQRFNW.DLL
    12/23/2004 10:25 PM 224,136 dowsockx.dll
    12/23/2004 10:13 PM 224,380 i4420ehoeh4c0.dll
    12/23/2004 09:57 PM 224,136 j44o0eh3eh4.dll
    12/23/2004 09:50 PM 224,136 lv8009lme.dll
    12/23/2004 09:36 PM 224,136 fp6o03j3e.dll
    12/23/2004 09:19 PM 224,136 en6ql1j51.dll
    12/22/2004 10:21 PM 224,136 fpn4035qe.dll
    12/19/2004 11:14 PM 225,592 l6n4lg5q16.dll
    12/18/2004 11:40 PM 224,136 enl8l13u1.dll
    12/18/2004 07:38 PM 224,136 DYTACLEN.DLL
    12/12/2004 03:11 PM 224,136 fp4o03h3e.dll
    12/05/2004 03:57 PM 223,726 p4r40e9qeh.dll
    12/05/2004 03:48 PM 223,250 d8j00i1me8.dll
    07/21/2004 12:53 AM <DIR> Microsoft
    48 File(s) 10,927,241 bytes
    2 Dir(s) 17,814,724,608 bytes free
     
  8. 2005/03/28
    noahdfear Inactive
    Thank you. Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  9. 2005/03/28
    melissa1975 Inactive Thread Starter
    new l2mfix log part 1

    L2Mfix 1.03

    Running From:
    C:\Documents and Settings\MELISSA\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C(CI) access for predefined group "Administrators "
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- BUILTIN\Administrators
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\MELISSA\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\MELISSA\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 648 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\azao0eh3eh4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\d8j00i1me8.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dowsockx.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\DYTACLEN.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\e4200efmeh2a0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en0ql1d51.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en4sl1h71.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en6ql1j51.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en84l1lq1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\en8ul1l91.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\enl8l13u1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\enrsl1971.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\f42m0ef1eh2.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fp4o03h3e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fp6o03j3e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fpn0035me.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fpn4035qe.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\g4040edqeh0e0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\gp0ql3d51.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\h04mlah11d4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\i0jq0a15ed.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\i4420ehoeh4c0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ir0ol5d31.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ir40l5hm1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ir82l5lo1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\j44o0eh3eh4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\k4440ehqeh4e0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l44q0eh5eh4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l6n4lg5q16.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lv6q09j5e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lv8009lme.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m046lahs1d46.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m4nq0e55eh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\MDRDIM.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\MFORCL32.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\MWPRIVS.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\n6l8lg3u16.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\n6n6lg5s16.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\NLWDEV.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o0660ajsedo60.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o4480ehueh480.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\OYEACCRC.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\p4r40e9qeh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\PQRFNW.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\q0rq0a95ed.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\r26ulcj91fo.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\RICNS4.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\RSOCURS.DLL
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\azao0eh3eh4.dll
    Successfully Deleted: C:\WINDOWS\system32\azao0eh3eh4.dll
    deleting: C:\WINDOWS\system32\d8j00i1me8.dll
    Successfully Deleted: C:\WINDOWS\system32\d8j00i1me8.dll
    deleting: C:\WINDOWS\system32\dowsockx.dll
    Successfully Deleted: C:\WINDOWS\system32\dowsockx.dll
    deleting: C:\WINDOWS\system32\DYTACLEN.DLL
    Successfully Deleted: C:\WINDOWS\system32\DYTACLEN.DLL
    deleting: C:\WINDOWS\system32\e4200efmeh2a0.dll
    Successfully Deleted: C:\WINDOWS\system32\e4200efmeh2a0.dll
    deleting: C:\WINDOWS\system32\en0ql1d51.dll
    Successfully Deleted: C:\WINDOWS\system32\en0ql1d51.dll
    deleting: C:\WINDOWS\system32\en4sl1h71.dll
    Successfully Deleted: C:\WINDOWS\system32\en4sl1h71.dll
    deleting: C:\WINDOWS\system32\en6ql1j51.dll
    Successfully Deleted: C:\WINDOWS\system32\en6ql1j51.dll
    deleting: C:\WINDOWS\system32\en84l1lq1.dll
    Successfully Deleted: C:\WINDOWS\system32\en84l1lq1.dll
    deleting: C:\WINDOWS\system32\en8ul1l91.dll
    Successfully Deleted: C:\WINDOWS\system32\en8ul1l91.dll
    deleting: C:\WINDOWS\system32\enl8l13u1.dll
    Successfully Deleted: C:\WINDOWS\system32\enl8l13u1.dll
    deleting: C:\WINDOWS\system32\enrsl1971.dll
    Successfully Deleted: C:\WINDOWS\system32\enrsl1971.dll
    deleting: C:\WINDOWS\system32\f42m0ef1eh2.dll
    Successfully Deleted: C:\WINDOWS\system32\f42m0ef1eh2.dll
    deleting: C:\WINDOWS\system32\fp4o03h3e.dll
    Successfully Deleted: C:\WINDOWS\system32\fp4o03h3e.dll
    deleting: C:\WINDOWS\system32\fp6o03j3e.dll
    Successfully Deleted: C:\WINDOWS\system32\fp6o03j3e.dll
    deleting: C:\WINDOWS\system32\fpn0035me.dll
    Successfully Deleted: C:\WINDOWS\system32\fpn0035me.dll
    deleting: C:\WINDOWS\system32\fpn4035qe.dll
    Successfully Deleted: C:\WINDOWS\system32\fpn4035qe.dll
    deleting: C:\WINDOWS\system32\g4040edqeh0e0.dll
    Successfully Deleted: C:\WINDOWS\system32\g4040edqeh0e0.dll
    deleting: C:\WINDOWS\system32\gp0ql3d51.dll
    Successfully Deleted: C:\WINDOWS\system32\gp0ql3d51.dll
    deleting: C:\WINDOWS\system32\h04mlah11d4.dll
    Successfully Deleted: C:\WINDOWS\system32\h04mlah11d4.dll
    deleting: C:\WINDOWS\system32\i0jq0a15ed.dll
    Successfully Deleted: C:\WINDOWS\system32\i0jq0a15ed.dll
    deleting: C:\WINDOWS\system32\i4420ehoeh4c0.dll
    Successfully Deleted: C:\WINDOWS\system32\i4420ehoeh4c0.dll
    deleting: C:\WINDOWS\system32\ir0ol5d31.dll
    Successfully Deleted: C:\WINDOWS\system32\ir0ol5d31.dll
    deleting: C:\WINDOWS\system32\ir40l5hm1.dll
    Successfully Deleted: C:\WINDOWS\system32\ir40l5hm1.dll
    deleting: C:\WINDOWS\system32\ir6ml5j11.dll
    Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll
    deleting: C:\WINDOWS\system32\ir82l5lo1.dll
    Successfully Deleted: C:\WINDOWS\system32\ir82l5lo1.dll
    deleting: C:\WINDOWS\system32\j44o0eh3eh4.dll
    Successfully Deleted: C:\WINDOWS\system32\j44o0eh3eh4.dll
    deleting: C:\WINDOWS\system32\k4440ehqeh4e0.dll
    Successfully Deleted: C:\WINDOWS\system32\k4440ehqeh4e0.dll
    deleting: C:\WINDOWS\system32\l44q0eh5eh4.dll
    Successfully Deleted: C:\WINDOWS\system32\l44q0eh5eh4.dll
    deleting: C:\WINDOWS\system32\l6n4lg5q16.dll
    Successfully Deleted: C:\WINDOWS\system32\l6n4lg5q16.dll
    deleting: C:\WINDOWS\system32\lv6q09j5e.dll
    Successfully Deleted: C:\WINDOWS\system32\lv6q09j5e.dll
    deleting: C:\WINDOWS\system32\lv8009lme.dll
    Successfully Deleted: C:\WINDOWS\system32\lv8009lme.dll
    deleting: C:\WINDOWS\system32\m046lahs1d46.dll
    Successfully Deleted: C:\WINDOWS\system32\m046lahs1d46.dll
    deleting: C:\WINDOWS\system32\m4nq0e55eh.dll
    Successfully Deleted: C:\WINDOWS\system32\m4nq0e55eh.dll
    deleting: C:\WINDOWS\system32\MDRDIM.DLL
    Successfully Deleted: C:\WINDOWS\system32\MDRDIM.DLL
    deleting: C:\WINDOWS\system32\MFORCL32.DLL
    Successfully Deleted: C:\WINDOWS\system32\MFORCL32.DLL
    deleting: C:\WINDOWS\system32\MWPRIVS.DLL
    Successfully Deleted: C:\WINDOWS\system32\MWPRIVS.DLL
    deleting: C:\WINDOWS\system32\n6l8lg3u16.dll
    Successfully Deleted: C:\WINDOWS\system32\n6l8lg3u16.dll
    deleting: C:\WINDOWS\system32\n6n6lg5s16.dll
    Successfully Deleted: C:\WINDOWS\system32\n6n6lg5s16.dll
    deleting: C:\WINDOWS\system32\NLWDEV.DLL
    Successfully Deleted: C:\WINDOWS\system32\NLWDEV.DLL
    deleting: C:\WINDOWS\system32\o0660ajsedo60.dll
    Successfully Deleted: C:\WINDOWS\system32\o0660ajsedo60.dll
    deleting: C:\WINDOWS\system32\o4480ehueh480.dll
    Successfully Deleted: C:\WINDOWS\system32\o4480ehueh480.dll
    deleting: C:\WINDOWS\system32\OYEACCRC.DLL
    Successfully Deleted: C:\WINDOWS\system32\OYEACCRC.DLL
    deleting: C:\WINDOWS\system32\p4r40e9qeh.dll
    Successfully Deleted: C:\WINDOWS\system32\p4r40e9qeh.dll
    deleting: C:\WINDOWS\system32\PQRFNW.DLL
    Successfully Deleted: C:\WINDOWS\system32\PQRFNW.DLL
    deleting: C:\WINDOWS\system32\q0rq0a95ed.dll
    Successfully Deleted: C:\WINDOWS\system32\q0rq0a95ed.dll
    deleting: C:\WINDOWS\system32\r26ulcj91fo.dll
    Successfully Deleted: C:\WINDOWS\system32\r26ulcj91fo.dll
    deleting: C:\WINDOWS\system32\RICNS4.DLL
    Successfully Deleted: C:\WINDOWS\system32\RICNS4.DLL
    deleting: C:\WINDOWS\system32\RSOCURS.DLL
    Successfully Deleted: C:\WINDOWS\system32\RSOCURS.DLL

    Desktop.ini sucessfully removed
     
  10. 2005/03/28
    melissa1975 Inactive Thread Starter
    new l2mfix log part 2

    Zipping up files for submission:
    adding: azao0eh3eh4.dll (164 bytes security) (deflated 4%)
    adding: d8j00i1me8.dll (164 bytes security) (deflated 3%)
    adding: dowsockx.dll (164 bytes security) (deflated 4%)
    adding: DYTACLEN.DLL (164 bytes security) (deflated 4%)
    adding: e4200efmeh2a0.dll (164 bytes security) (deflated 4%)
    adding: en0ql1d51.dll (164 bytes security) (deflated 4%)
    adding: en4sl1h71.dll (164 bytes security) (deflated 4%)
    adding: en6ql1j51.dll (164 bytes security) (deflated 4%)
    adding: en84l1lq1.dll (164 bytes security) (deflated 4%)
    adding: en8ul1l91.dll (164 bytes security) (deflated 4%)
    adding: enl8l13u1.dll (164 bytes security) (deflated 4%)
    adding: enrsl1971.dll (164 bytes security) (deflated 4%)
    adding: f42m0ef1eh2.dll (164 bytes security) (deflated 4%)
    adding: fp4o03h3e.dll (164 bytes security) (deflated 4%)
    adding: fp6o03j3e.dll (164 bytes security) (deflated 4%)
    adding: fpn0035me.dll (164 bytes security) (deflated 4%)
    adding: fpn4035qe.dll (164 bytes security) (deflated 4%)
    adding: g4040edqeh0e0.dll (164 bytes security) (deflated 4%)
    adding: gp0ql3d51.dll (164 bytes security) (deflated 4%)
    adding: h04mlah11d4.dll (164 bytes security) (deflated 4%)
    adding: i0jq0a15ed.dll (164 bytes security) (deflated 4%)
    adding: i4420ehoeh4c0.dll (164 bytes security) (deflated 4%)
    adding: ir0ol5d31.dll (164 bytes security) (deflated 5%)
    adding: ir40l5hm1.dll (164 bytes security) (deflated 4%)
    adding: ir6ml5j11.dll (164 bytes security) (deflated 3%)
    adding: ir82l5lo1.dll (164 bytes security) (deflated 4%)
    adding: j44o0eh3eh4.dll (164 bytes security) (deflated 4%)
    adding: k4440ehqeh4e0.dll (164 bytes security) (deflated 4%)
    adding: l44q0eh5eh4.dll (164 bytes security) (deflated 4%)
    adding: l6n4lg5q16.dll (164 bytes security) (deflated 4%)
    adding: lv6q09j5e.dll (164 bytes security) (deflated 4%)
    adding: lv8009lme.dll (164 bytes security) (deflated 4%)
    adding: m046lahs1d46.dll (164 bytes security) (deflated 4%)
    adding: m4nq0e55eh.dll (164 bytes security) (deflated 4%)
    adding: MDRDIM.DLL (164 bytes security) (deflated 4%)
    adding: MFORCL32.DLL (164 bytes security) (deflated 5%)
    adding: MWPRIVS.DLL (164 bytes security) (deflated 4%)
    adding: n6l8lg3u16.dll (164 bytes security) (deflated 5%)
    adding: n6n6lg5s16.dll (164 bytes security) (deflated 4%)
    adding: NLWDEV.DLL (164 bytes security) (deflated 5%)
    adding: o0660ajsedo60.dll (164 bytes security) (deflated 4%)
    adding: o4480ehueh480.dll (164 bytes security) (deflated 4%)
    adding: OYEACCRC.DLL (164 bytes security) (deflated 4%)
    adding: p4r40e9qeh.dll (164 bytes security) (deflated 4%)
    adding: PQRFNW.DLL (164 bytes security) (deflated 4%)
    adding: q0rq0a95ed.dll (164 bytes security) (deflated 4%)
    adding: r26ulcj91fo.dll (164 bytes security) (deflated 4%)
    adding: RICNS4.DLL (164 bytes security) (deflated 4%)
    adding: RSOCURS.DLL (164 bytes security) (deflated 4%)
    adding: clear.reg (164 bytes security) (deflated 52%)
    adding: echo.reg (164 bytes security) (deflated 9%)
    adding: desktop.ini (164 bytes security) (deflated 15%)
    adding: direct.txt (164 bytes security) (stored 0%)
    adding: lo2.txt (164 bytes security) (deflated 86%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 67%)
    adding: test.txt (164 bytes security) (deflated 81%)
    adding: test2.txt (164 bytes security) (deflated 34%)
    adding: test3.txt (164 bytes security) (deflated 34%)
    adding: test5.txt (164 bytes security) (deflated 34%)
    adding: xfind.txt (164 bytes security) (deflated 76%)
    adding: backregs/0C532FCA-7192-4A71-88AF-75354E948FCD.reg (164 bytes security) (deflated 70%)
    adding: backregs/922CDA9C-93F3-44CB-BE12-5FEBADBB30F7.reg (164 bytes security) (deflated 70%)
    adding: backregs/BAA6FCCC-8B60-43F2-904D-A655E4B15AB8.reg (164 bytes security) (deflated 70%)
    adding: backregs/E77C334A-C1B7-42ED-B90A-9BF7EE989207.reg (164 bytes security) (deflated 70%)
    adding: backregs/shell.reg (164 bytes security) (deflated 73%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for predefined group "Administrators "
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: azao0eh3eh4.dll
    deleting local copy: d8j00i1me8.dll
    deleting local copy: dowsockx.dll
    deleting local copy: DYTACLEN.DLL
    deleting local copy: e4200efmeh2a0.dll
    deleting local copy: en0ql1d51.dll
    deleting local copy: en4sl1h71.dll
    deleting local copy: en6ql1j51.dll
    deleting local copy: en84l1lq1.dll
    deleting local copy: en8ul1l91.dll
    deleting local copy: enl8l13u1.dll
    deleting local copy: enrsl1971.dll
    deleting local copy: f42m0ef1eh2.dll
    deleting local copy: fp4o03h3e.dll
    deleting local copy: fp6o03j3e.dll
    deleting local copy: fpn0035me.dll
    deleting local copy: fpn4035qe.dll
    deleting local copy: g4040edqeh0e0.dll
    deleting local copy: gp0ql3d51.dll
    deleting local copy: h04mlah11d4.dll
    deleting local copy: i0jq0a15ed.dll
    deleting local copy: i4420ehoeh4c0.dll
    deleting local copy: ir0ol5d31.dll
    deleting local copy: ir40l5hm1.dll
    deleting local copy: ir6ml5j11.dll
    deleting local copy: ir82l5lo1.dll
    deleting local copy: j44o0eh3eh4.dll
    deleting local copy: k4440ehqeh4e0.dll
    deleting local copy: l44q0eh5eh4.dll
    deleting local copy: l6n4lg5q16.dll
    deleting local copy: lv6q09j5e.dll
    deleting local copy: lv8009lme.dll
    deleting local copy: m046lahs1d46.dll
    deleting local copy: m4nq0e55eh.dll
    deleting local copy: MDRDIM.DLL
    deleting local copy: MFORCL32.DLL
    deleting local copy: MWPRIVS.DLL
    deleting local copy: n6l8lg3u16.dll
    deleting local copy: n6n6lg5s16.dll
    deleting local copy: NLWDEV.DLL
    deleting local copy: o0660ajsedo60.dll
    deleting local copy: o4480ehueh480.dll
    deleting local copy: OYEACCRC.DLL
    deleting local copy: p4r40e9qeh.dll
    deleting local copy: PQRFNW.DLL
    deleting local copy: q0rq0a95ed.dll
    deleting local copy: r26ulcj91fo.dll
    deleting local copy: RICNS4.DLL
    deleting local copy: RSOCURS.DLL

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\guard.tmp"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\fp4m03h1e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\azao0eh3eh4.dll
    C:\WINDOWS\system32\d8j00i1me8.dll
    C:\WINDOWS\system32\dowsockx.dll
    C:\WINDOWS\system32\DYTACLEN.DLL
    C:\WINDOWS\system32\e4200efmeh2a0.dll
    C:\WINDOWS\system32\en0ql1d51.dll
    C:\WINDOWS\system32\en4sl1h71.dll
    C:\WINDOWS\system32\en6ql1j51.dll
    C:\WINDOWS\system32\en84l1lq1.dll
    C:\WINDOWS\system32\en8ul1l91.dll
    C:\WINDOWS\system32\enl8l13u1.dll
    C:\WINDOWS\system32\enrsl1971.dll
    C:\WINDOWS\system32\f42m0ef1eh2.dll
    C:\WINDOWS\system32\fp4o03h3e.dll
    C:\WINDOWS\system32\fp6o03j3e.dll
    C:\WINDOWS\system32\fpn0035me.dll
    C:\WINDOWS\system32\fpn4035qe.dll
    C:\WINDOWS\system32\g4040edqeh0e0.dll
    C:\WINDOWS\system32\gp0ql3d51.dll
    C:\WINDOWS\system32\h04mlah11d4.dll
    C:\WINDOWS\system32\i0jq0a15ed.dll
    C:\WINDOWS\system32\i4420ehoeh4c0.dll
    C:\WINDOWS\system32\ir0ol5d31.dll
    C:\WINDOWS\system32\ir40l5hm1.dll
    C:\WINDOWS\system32\ir6ml5j11.dll
    C:\WINDOWS\system32\ir82l5lo1.dll
    C:\WINDOWS\system32\j44o0eh3eh4.dll
    C:\WINDOWS\system32\k4440ehqeh4e0.dll
    C:\WINDOWS\system32\l44q0eh5eh4.dll
    C:\WINDOWS\system32\l6n4lg5q16.dll
    C:\WINDOWS\system32\lv6q09j5e.dll
    C:\WINDOWS\system32\lv8009lme.dll
    C:\WINDOWS\system32\m046lahs1d46.dll
    C:\WINDOWS\system32\m4nq0e55eh.dll
    C:\WINDOWS\system32\MDRDIM.DLL
    C:\WINDOWS\system32\MFORCL32.DLL
    C:\WINDOWS\system32\MWPRIVS.DLL
    C:\WINDOWS\system32\n6l8lg3u16.dll
    C:\WINDOWS\system32\n6n6lg5s16.dll
    C:\WINDOWS\system32\NLWDEV.DLL
    C:\WINDOWS\system32\o0660ajsedo60.dll
    C:\WINDOWS\system32\o4480ehueh480.dll
    C:\WINDOWS\system32\OYEACCRC.DLL
    C:\WINDOWS\system32\p4r40e9qeh.dll
    C:\WINDOWS\system32\PQRFNW.DLL
    C:\WINDOWS\system32\q0rq0a95ed.dll
    C:\WINDOWS\system32\r26ulcj91fo.dll
    C:\WINDOWS\system32\RICNS4.DLL
    C:\WINDOWS\system32\RSOCURS.DLL

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}"=-
    "{E77C334A-C1B7-42ED-B90A-9BF7EE989207}"=-
    "{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}"=-
    "{0C532FCA-7192-4A71-88AF-75354E948FCD}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{BAA6FCCC-8B60-43F2-904D-A655E4B15AB8}]
    [-HKEY_CLASSES_ROOT\CLSID\{E77C334A-C1B7-42ED-B90A-9BF7EE989207}]
    [-HKEY_CLASSES_ROOT\CLSID\{922CDA9C-93F3-44CB-BE12-5FEBADBB30F7}]
    [-HKEY_CLASSES_ROOT\CLSID\{0C532FCA-7192-4A71-88AF-75354E948FCD}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{7884062C-33FE-4D53-84BC-A798BE5C0033}</IDone>
    <IDtwo>DS3</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
     
  11. 2005/03/28
    melissa1975

    hijack this - new log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:37:11 PM, on 3/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\WINDOWS\System32\explore1.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\gpt_disp.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\WINDOWS\System32\??plorer.exe
    C:\WINDOWS\system32\rsnwgc.exe
    C:\Documents and Settings\MELISSA\Application Data\osoa.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - C:\WINDOWS\System32\mrawiylq.dll (file missing)
    O2 - BHO: (no name) - {619A9746-7989-077A-8089-5640459FFCC9} - C:\WINDOWS\system32\bautw.dll
    O2 - BHO: (no name) - {C6B41CEA-D829-40E0-8AD7-50DE0F80D2BD} - C:\WINDOWS\System32\mnmm.dll (file missing)
    O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - C:\WINDOWS\System32\oafcomjx.dll (file missing)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [Explore1] C:\WINDOWS\System32\explore1.exe
    O4 - HKLM\..\Run: [eudhzc] C:\WINDOWS\System32\eudhzc.exe
    O4 - HKLM\..\Run: [nviwgc] C:\WINDOWS\System32\nviwgc.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\DAMEE\stlb2_dist36.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [v73k34i] gpt_disp.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Fozcjsbp] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [ewsqRQGEh] rsnwgc.exe
    O4 - HKCU\..\Run: [dpnwsock] C:\WINDOWS\System32\dpnwsock.exe
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\MELISSA\Application Data\osoa.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\fp4m03h1e.dll (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  12. 2005/03/28
    noahdfear

    You should print this out and save it to text where you can access it in safe mode. Saving to text allows for copy/pasting. Printing it will highlight the files/folders I have colored red for deletion. It's very important to follow the instructions completely, and in the order given.

    Check for updates to Ad-aware.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway <<< fix if you don't want as your homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home <<< fix if you don't want as your homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: NavErrRedir Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) Incredifind....might be another in a subfolder of C:
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - C:\WINDOWS\System32\mrawiylq.dll (file missing)
    O2 - BHO: (no name) - {619A9746-7989-077A-8089-5640459FFCC9} - C:\WINDOWS\system32\bautw.dll
    O2 - BHO: (no name) - {C6B41CEA-D829-40E0-8AD7-50DE0F80D2BD} - C:\WINDOWS\System32\mnmm.dll (file missing)
    O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - C:\WINDOWS\System32\oafcomjx.dll (file missing)
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll Dogpile toolbar and still listed as a pest with Pest Patrol.......your call, as it's still in debate with other experts around the net
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [Explore1] C:\WINDOWS\System32\explore1.exe
    O4 - HKLM\..\Run: [eudhzc] C:\WINDOWS\System32\eudhzc.exe
    O4 - HKLM\..\Run: [nviwgc] C:\WINDOWS\System32\nviwgc.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\DAMEE\stlb2_dist36.exe
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [v73k34i] gpt_disp.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Fozcjsbp] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [ewsqRQGEh] rsnwgc.exe
    O4 - HKCU\..\Run: [dpnwsock] C:\WINDOWS\System32\dpnwsock.exe
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\MELISSA\Application Data\osoa.exe
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm <<< Dogpile Toolbar
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\fp4m03h1e.dll (file missing)


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Do a search for the following files and delete any found.
    utfyys.exe
    pwrs0108.dll
    pwrs0108tb0.cfg
    Incredifind
    <<< folder

    Delete all of the files and folders in red above, as well as the following, if present.

    C:\Windows\system\incfindbho.dll
    C:\Windows\system32\incfindbho.dll, rsnwgc.exe, gpt_disp.exe
    C:\Windows\inf\zserv.inf

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\*username*\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Close Internet Options. Then, still in the control panel, open the Java Plug-in, click the cache tab and then clear.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Go to the Sun Java Website and update your JRE. Current is 1.4.2_07

    Run another HijackThis scan and post the log.

    Please copy the text below and click Start>run, then paste it in the dialog box and hit enter. Open Local Disk C: and locate winlogon.txt, open and copy/paste its contents here.

    regedit /e C:\winlogon.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
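An added example, not part of the thread or any tool posted in it: a small Python script that reads the winlogon.txt the regedit command above writes and flags Notify subkeys whose DllName does not look like the stock Windows XP packages seen in the export posted earlier (the allow-list, the rules and the cut-down sample export are this example's own assumptions).

```python
"""Triage a regedit export of the Winlogon\\Notify key.

Added example for this thread, not a tool posted in it.  The allow-list,
the rules and the cut-down sample export are assumptions of this example.
"""
import sys

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# DLLs behind the legitimate subkeys in the export posted earlier (crypt32chain,
# cryptnet, cscdll, igfxcui, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv,
# wlballoon).  Assumed allow-list for a stock Windows XP SP2 box.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "igfxsrvc.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample, cut down from the export posted earlier in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"DllName"="C:\\WINDOWS\\system32\\fp4m03h1e.dll"
"""


def _decode_value(raw):
    """Convert the right-hand side of a .reg line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith(("hex(2):", "hex:")):
        # REG_EXPAND_SZ is exported as UTF-16LE bytes with a NUL terminator
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        # a trailing backslash continues a hex value on the next line
        line = pending + line.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


def flag_suspicious_notify(keys):
    """Return {subkey: reason} for Notify entries that deserve a closer look."""
    findings, prefix = {}, NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        # value names are case-insensitive in the registry (DllName vs DLLName)
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings[subkey] = "no DllName value"
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        if not base.endswith(".dll"):
            findings[subkey] = f"not a .dll: {dll}"
        elif "\\" in dll:
            findings[subkey] = f"full path where stock entries use a bare name: {dll}"
        elif base not in KNOWN_NOTIFY_DLLS:
            findings[subkey] = f"not in the stock XP allow-list: {dll}"
    return findings


if __name__ == "__main__":
    # a real winlogon.txt from regedit 5.00 is UTF-16LE with a BOM
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            regkeys = parse_reg_export(fh.read())
    else:
        regkeys = parse_reg_export(SAMPLE_EXPORT)
    for subkey, reason in flag_suspicious_notify(regkeys).items():
        print(f"{subkey}: {reason}")
```

Run it against the sample to see the two entries HijackThis also reports as O20 lines, or pass the path of a real export as the first argument.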
     
  13. 2005/04/01
    melissa1975

    rav log

    Scan started at 4/1/2005 8:16:07 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Program Files\PestPatrol\Quarantine\20050322233124616.zip->Program Files/autoupdate/AutoUpdate.exe - TrojanDownloader:Win32/Apropo.G -> Infected
    C:\WINDOWS\SSK_B5.EXE - TrojanDropper:Win32/Small.NF -> Infected
    C:\WINDOWS\bundles\HelperInstaller.exe - TrojanDropper:Win32/Delf -> Infected
    C:\WINDOWS\bundles\saie1101.exe - TrojanDropper:Win32/Small.NO -> Infected
    C:\WINDOWS\bundles\SSK_B5.EXE - TrojanDropper:Win32/Small.NF -> Infected
    C:\WINDOWS\SYSTEM32\aklsp.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    C:\WINDOWS\SYSTEM32\akrules.dll - TrojanDownloader:Win32/Agent.BT -> Infected
    C:\WINDOWS\SYSTEM32\fltotepg.exe - TrojanDownloader:Win32/Apropo.T -> Infected
    C:\WINDOWS\SYSTEM32\opkocuux.exe - TrojanDownloader:Win32/IstBar.IA.dam#2 -> Infected

    Scanned
    ============================
    Objects: 49397
    Directories: 4474
    Archives: 3495
    Size(Kb): -1086076
    Infected files: 9

    Found
    ============================
    Viruses found: 8
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 61
     
  14. 2005/04/01
    melissa1975

    hijack this - as of 4/1

    Logfile of HijackThis v1.99.1
    Scan saved at 9:02:39 PM, on 4/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Antispyware\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - (no file)
    O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - (no file)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  15. 2005/04/01
    melissa1975

    melissa1975 Inactive Thread Starter

    Joined:
    2005/03/26
    Messages:
    16
    Likes Received:
    0
    Win logon

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
      6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
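The Winlogon\Notify export above is the raw material behind HijackThis O20 lines: every subkey names a DLL that winlogon loads on logon, logoff and similar events, which makes the key a persistence location worth comparing against a known-good copy. The Python below is an added example, not the poster's or the forum's code. It parses a .reg export of that key, decodes the hex(2) (UTF-16LE REG_EXPAND_SZ) DllName values, and classifies each subkey against a baseline. The baseline dictionary is an assumption derived from this thread's clean export rather than an official list, and the "ExampleUnknown" subkey in the embedded sample is constructed to show how an unexpected entry is reported.

```python
# Added example (not the poster's or the forum's code): parse a .reg export of
# HKLM\...\Winlogon\Notify and classify each notification package against a
# baseline.  The baseline is an assumption derived from the clean XP SP2 export
# in this thread, not an official Microsoft list.
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: subkey -> DLL, as seen in the export above.
XP_SP2_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll",
    "Schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
# Third-party packages (here the Intel graphics one, also the O20 line in the
# HJT log) are tracked separately from the OS baseline.
KNOWN_VENDOR = {"igfxcui": "igfxsrvc.dll"}

# Constructed sample: two subkeys copied from the export above plus one
# made-up subkey ("ExampleUnknown") standing in for an unexpected entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleUnknown]
"DllName"="C:\\WINDOWS\\system32\\example_unknown.dll"
"Logon"="ExampleLogon"
"Asynchronous"=dword:00000001
'''


def _join_continuations(text):
    """Rejoin .reg lines that end with a backslash (hex values wrap this way)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {subkey: {value_name: value}} for subkeys under Winlogon\\Notify."""
    keys, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current is not None:
                keys[current] = {}
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = _decode_value(value)
    return keys


def audit_notify(text):
    """Classify each Notify subkey as 'baseline', 'vendor' or 'unknown'."""
    report = []
    for name, values in parse_reg(text).items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        expected = XP_SP2_BASELINE.get(name)
        if expected is not None and dll is not None and dll.lower() == expected.lower():
            verdict = "baseline"
        elif KNOWN_VENDOR.get(name, "").lower() == (dll or "").lower():
            verdict = "vendor"
        else:
            verdict = "unknown"
        report.append((name, dll, verdict))
    return report


if __name__ == "__main__":
    for name, dll, verdict in audit_notify(SAMPLE_REG):
        print(f"{verdict:8s} {name:16s} {dll}")
```

The check is deliberately on the subkey-to-DLL pair rather than the DLL name alone: a rogue entry can reuse a familiar DLL name under a new subkey, or keep a stock subkey name but point it at a file elsewhere, and either case drops out of "baseline" into "unknown" for manual review.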
     
  16. 2005/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! :) Fix the following with HijackThis.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - (no file)
    O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - (no file)

    Open C:\Windows and delete the file SSK_B5.EXE and folder bundles.
    Open C:\WINDOWS\SYSTEM32 and delete the following files.
    aklsp.dll
    akrules.dll
    fltotepg.exe
    opkocuux.exe


    Clear the PestPatrol quarantined items.

    Empty the recycle bin and reboot.

    Re-enable System Restore and create a manual restore point. Also recommend you download Spybot Version 1.3 from my signature, install and update. Allow it to load SD Helper. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly and watch for any protection being disabled. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.

    Post one more HJT log when done.

    BTW, I see Sun Java snuck in another update on me, and it's now 1.4.2_08 ;)
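The fix list in the post above follows two recognisable patterns in a HijackThis log: search-related R0/R1 values left at about:blank after a hijacker is removed, and O2 BHO entries whose CLSID is still registered but whose DLL is "(no file)". The Python below is an added example, not the helper's or the forum's code, that applies exactly those two rules to sample log lines copied from the log earlier in this thread (the sample and the rule names are constructed for the demonstration; the rule also flags the HKCU about:blank line, which the helper left alone in his list).

```python
# Added example (not the helper's or the forum's code): flag HijackThis R0/R1
# search settings left at about:blank and O2 BHOs whose DLL is missing.
import re

# Constructed sample: lines copied from the log pasted earlier in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {4D1929BB-2B5E-A064-6B49-502457C2F2B3} - (no file)
O2 - BHO: (no name) - {F2F7716A-9634-F885-815C-07AD8701F360} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

HJT_LINE = re.compile(r"^(?P<sec>R0|R1|O\d+) - (?P<body>.*)$")
R_LINE = re.compile(r"^(?P<hive>HKCU|HKLM)\\(?P<key>[^=]+?),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# IE values that legitimately hold a search URL; about:blank here is leftover
# from a hijacker that has since been removed, not a real configuration.
SEARCH_VALUES = {"search page", "searchassistant", "default_search_url"}


def triage(log):
    """Return [(line, reason)] for every log line matching one of the two rules."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            r = R_LINE.match(body)
            if (r and r.group("value").strip().lower() in SEARCH_VALUES
                    and r.group("data").strip().lower() == "about:blank"):
                findings.append((line, "search setting blanked (hijack residue)"))
        elif sec == "O2":
            o = O2_LINE.match(body)
            if o and o.group("path").strip().lower() == "(no file)":
                findings.append((line, "BHO CLSID registered but its DLL is gone"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason}: {line}")
```

Both rules are conservative on purpose: an O3 toolbar or O20 Notify entry that points at a file which exists is left for a human to judge, while a blanked search value or an orphaned BHO is safe to remove in any case because there is nothing left for it to load.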
     
  17. 2005/04/01
    melissa1975

    melissa1975 Inactive Thread Starter

    Joined:
    2005/03/26
    Messages:
    16
    Likes Received:
    0
    Thanks so much for all your help. I can already see a difference!

    Clear the PestPatrol quarantined items.
    I know how to delete the quarantined items from Ad-Aware but not Pest Patrol. Help, please.

    Re-enable System Restore and create a manual restore point.
    Again, help!

    BTW, I see Sun Java snuck in another update on me, and it's now 1.4.2_08
    I noticed that too! :D
     
  18. 2005/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    From eTrust
    Right click My Computer and select properties. Click the system restore tab, then uncheck the box to turn off. Click OK to close. Click Start>All Programs>Accessories>System Tools>System Restore. Click create a restore point then Next. Name it After Cleanup or whatever strikes your fancy and click Create.

    Glad you got control of your machine back, and happy to help. :) Good work!
     