TheTechGuide Forum

General Category => Tech Clinic => Topic started by: John Doe on January 17, 2005, 07:18:18 AM

Title: IST strikes again
Post by: John Doe on January 17, 2005, 07:18:18 AM
Hi! My computer is messed up because of this IST Virus as well. I read the other complaints and mine is no different. Here's my log of hijackthis 1.99:

Logfile of HijackThis v1.99.0
Scan saved at 6:01:42 AM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\SED\SED.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pikeonline.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pikeonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [MdFRJUnX] C:\WINDOWS\ghxdwag.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ghxdwag.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe
O4 - Global Startup: yufpkn.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pikeonline.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sophos Cache Manager - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

(Please... I'm pleading with you all! I need help!)
Title: IST strikes again
Post by: Edward on January 17, 2005, 12:26:33 PM
All I can tell you is to do a virus scan with AVG; it's free to you. Click this link and download it. Run a virus scan; if it shows there are any viruses, then remove them by simply clicking the remove button when it's finished. http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5

Also, if there are any viruses that AVG did not remove, simply follow the files to where they are. It will show you, for example, C:\Program files\windows, followed by where the address was found. If you can, try not to go to that site again.
Title: IST strikes again
Post by: guestolo on January 17, 2005, 09:17:49 PM
You have a few infections, John, so your log is a little different.

We need some tools to help identify the bad guys.

All are small downloads, so please stick with me and supply the info I need. Thanks.

Can you download DLLCompare (http://downloads.subratam.org/DllCompare.exe)?

Start the program and click the Run Locate.com button.
Default settings should work: the C:\Windows\System32 directory.
Let it complete the scan, which won't take long.
Click the Compare button to start the next process. This will take a bit longer.

When it's done, click the Make a log of what was found button and post it back here.

Download and save to desktop VX2 Finder (126) (http://downloads.subratam.org/VX2Finder(126).exe).
Open VX2 Finder and press the "Click to Find VX2.BetterInternet" button.
Press the "Make log" button.
Copy and paste the entire contents of the log back here.

Download Findit.zip (http://forums.techguy.org/attachment.php?attachmentid=44854).

Unzip its contents to its own folder.
Open the folder and double-click on Find.bat (the file with a gear symbol).
Ignore any File not found messages.
It runs for a minute or longer (give it time to finish) and produces a log.
Please copy and paste the log in your next response.

I also want to check for another infection on your computer.
Again, a small download, and this runs quickly.
Could you also download Runkey.zip (http://forums.techguy.org/attachment.php?attachmentid=45168&stc=1)?

Unzip it and then double-click on RunKey2.bat. It will produce an All.txt file. Please copy and paste that here.

With the above logs, could you also supply me with a Startup list from HijackThis?
Open HijackThis >> Open Misc Tools Section >> check "List All Minor Sections (Full)"
and then click "Generate a Startup List log".
Post that log back here.

And finally, post back one more fresh HijackThis log.

It's important after you post these logs NOT to reboot your computer again until we have applied a fix; if you do, advise me of it.
I won't need to see all the logs in the future, but hold onto what I asked you to download until you are clean.
Title: IST strikes again
Post by: John Doe on January 18, 2005, 02:51:21 PM
OK, here's what was found by DLLCompare:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
C:\WINDOWS\SYSTEM32\fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
C:\WINDOWS\SYSTEM32\iqircl.dll     Tue Jan 18 2005   1:36:22p  ..S.R        224,075   218.82 K
C:\WINDOWS\SYSTEM32\lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
C:\WINDOWS\SYSTEM32\m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
C:\WINDOWS\SYSTEM32\t4r80e~1.dll   Tue Jan 18 2005  11:50:24a  ..S.R        224,075   218.82 K
________________________________________________

1,341 items found:  1,341 files (6 H/S), 0 directories.
Total of file sizes:  272,770,098 bytes    260.13 M

Administrator Account =  True

--------------------End log---------------------

Thank you so much!! And the post from Edward (just prior to yours) prescribed AVG. This actually did remove the IST bar virus from the computer; however, other things are on my CPU (other popups still appear). (P.S.: Thank you, Edward; the IST was the most annoying thing of all so far.)
Title: IST strikes again
Post by: John Doe on January 18, 2005, 02:53:00 PM
Ok, here's the log from VX2 Finder:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
ShellCompatibility
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}
Title: IST strikes again
Post by: John Doe on January 18, 2005, 03:04:31 PM
Here's the log from Find It:


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

01/18/2005  01:36 PM           224,075 iqircl.dll
01/18/2005  01:36 PM           224,294 lvj2091oe.dll
01/18/2005  11:50 AM           224,075 t4r80e9ueh.dll
01/17/2005  07:28 PM           225,182 fn0021dmg.dll
01/17/2005  07:08 PM           224,802 en26l1fs1.dll
01/16/2005  02:43 AM           223,902 m4rm0e91eh.dll
01/15/2005  03:52 AM    <DIR>          dllcache
08/12/2003  12:43 PM    <DIR>          Microsoft
               6 File(s)      1,346,330 bytes
               2 Dir(s)   9,345,228,800 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

01/15/2005  03:52 AM    <DIR>          dllcache
01/13/2005  04:52 AM    <DIR>          vmss
01/13/2005  04:52 AM    <DIR>          wsxsvc
08/12/2003  12:34 PM               488 WindowsLogon.manifest
08/12/2003  12:34 PM               488 logonui.exe.manifest
08/12/2003  12:34 PM               749 sapi.cpl.manifest
08/12/2003  12:34 PM               749 nwc.cpl.manifest
08/12/2003  12:34 PM               749 ncpa.cpl.manifest
08/12/2003  12:34 PM               749 cdplayer.exe.manifest
08/12/2003  12:34 PM               749 wuaucpl.cpl.manifest
               7 File(s)          4,721 bytes
               3 Dir(s)   9,345,224,704 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

12/12/2002  02:14 AM           284,160 ddraw.dll.tmp
12/12/2002  02:14 AM           355,328 dsound.dll.tmp
08/29/2002  07:00 AM             2,577 CONFIG.TMP
               3 File(s)        642,065 bytes
               0 Dir(s)   9,345,220,608 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t4r80e9ueh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------

C:\WINDOWS\System32\IQIRCL.DLL +++ File read error

 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
   iqircl.dll     Tue Jan 18 2005   1:36:22p  ..S.R        224,075   218.82 K
   lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   t4r80e~1.dll   Tue Jan 18 2005  11:50:24a  ..S.R        224,075   218.82 K

6 items found:  6 files, 0 directories.
   Total of file sizes:  1,346,330 bytes      1.28 M
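
As an added example (my own code, not from the thread, HijackThis, DLLCompare or Find.bat), here is a small Python triage pass over the kinds of entries being collected above: Hosts lines that point search domains at a remote address, Run/Startup entries with random-looking names or launched from the Windows root, services with an unknown vendor or missing binary, and Winlogon\Notify packages whose DllName is a full path or a DLL outside the set Windows XP ships. The sample lines are copied from the logs posted in this thread; the vowel-ratio "random name" heuristic and the known-DLL list are assumptions, and every hit is a hint for a human to confirm, not a verdict.

```python
"""Triage pass over HijackThis-style log lines and a REGEDIT4 export of Winlogon\\Notify.
Added example, not part of the thread or of HijackThis; heuristics are my own assumptions."""
import re

# Constructed sample: lines copied from the HijackThis logs posted in the thread.
SAMPLE_HJT = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [MdFRJUnX] C:\WINDOWS\ghxdwag.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: yufpkn.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
"""

# Constructed sample: three Notify subkeys copied from the Find.bat export above.
SAMPLE_NOTIFY = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"DllName"="C:\\WINDOWS\\system32\\t4r80e9ueh.dll"
"""

# Assumption: the Notify DLLs Windows XP ships, taken from the clean entries in the export.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RUN_RE = re.compile(r"^O4 - (?:HK\w+\\\.\.\\Run|Startup|Global Startup): (?:\[([^\]]+)\] )?(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
NOTIFY_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def looks_random(name: str) -> bool:
    """Heuristic: a 6+ letter token with almost no vowels (ghxdwag, MdFRJUnX, yufpkn)."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.2


def run_target(payload: str) -> str:
    """Executable path from an O4 payload, minus any 'x.lnk = ' prefix, quotes and arguments."""
    rhs = payload.split(" = ", 1)[-1].strip()
    m = re.match(r'"?(.+?\.(?:exe|scr|bat|com))\b', rhs, re.I)
    return m.group(1) if m else rhs


def audit_hijackthis(log: str) -> list:
    """Return (reason, line) pairs for O1, O4 and O23 lines that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in LOOPBACK:  # search domains pointed at a remote host
            findings.append(("hosts entry redirects a name to a remote address", line))
        m = RUN_RE.match(line)
        if m:
            label, path = m.group(1) or "", run_target(m.group(2))
            folder, _, exe = path.rpartition("\\")
            if looks_random(label) or looks_random(exe):
                findings.append(("autostart with random-looking name", line))
            elif folder.lower() in ("c:\\windows", "c:\\windows\\temp"):
                findings.append(("autostart launched from the Windows root or Temp", line))
        m = SERVICE_RE.match(line)
        if m and (m.group(2) == "Unknown" or "(file missing)" in m.group(3)):
            findings.append(("service with unknown vendor or missing binary", line))
    return findings


def decode_reg_value(raw: str) -> str:
    """String behind a REGEDIT4 value: quoted (\\\\ unescaped) or hex(2): NUL-terminated bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


def audit_notify(export: str) -> list:
    """Flag Notify packages whose DllName is a full path or a DLL outside the known set."""
    findings, subkey = [], None
    for line in export.splitlines():
        m = NOTIFY_KEY_RE.match(line)
        if m:
            subkey = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and subkey) or m.group(1).lower() != "dllname":
            continue
        dll = decode_reg_value(m.group(2))
        if "\\" in dll or dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append(("winlogon notify dll outside the known XP set", f"{subkey}: {dll}"))
    return findings


if __name__ == "__main__":
    print(*audit_hijackthis(SAMPLE_HJT) + audit_notify(SAMPLE_NOTIFY), sep="\n")
```

Run as-is it prints the flagged lines from the samples; feed it a full log and the Find.bat Notify export to get the same kind of shortlist for another machine.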

Title: IST strikes again
Post by: John Doe on January 18, 2005, 03:16:20 PM
Here's the log from Runkey 2:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mediamotor.exe"="C:\\WINDOWS\\mmups.exe"
"SESync"="\"C:\\Program Files\\SED\\SED.exe\""
"Dvx"="C:\\WINDOWS\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINDOWS\\System32\\vmss\\vmss.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gnskmq]
@="{dc5d2f07-d038-481e-878a-711ef3486762}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gnskmq]
@="{dc5d2f07-d038-481e-878a-711ef3486762}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"


Title: IST strikes again
Post by: John Doe on January 18, 2005, 03:21:49 PM
Here's the HijackThis startup log:

StartupList report, 1/18/2005, 2:17:22 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Jayson\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\sophos\Remote Update\imonitor.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\GetRight\getright.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Jayson\Start Menu\Programs\Startup]
AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

mediamotor.exe = C:\WINDOWS\mmups.exe
SESync = "C:\Program Files\SED\SED.exe"
Dvx = C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
vmss = C:\WINDOWS\System32\vmss\vmss.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[4910c0a2-15e6-4f61-a55f-2e56eec004ab] *
StubPath = C:\WINDOWS\system32\pzxmlq.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\SUMMER~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart)
Sophos Cache Manager: C:\Program Files\Sophos\Remote Update\cachemgr.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
DVD-RAM_Service: C:\WINDOWS\System32\DVDRAMSV.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WPA Security Protocol (IEEE 802.1x) v2.2.0.0: System32\DRIVERS\mdc8021x.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Sophos Anti-Virus Network: "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE" (autostart)
Sophos Anti-Virus: "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS" (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ZESOFT: C:\WINDOWS\zeta.exe (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 11,154 bytes
Report generated in 0.381 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
Title: IST strikes again
Post by: John Doe on January 18, 2005, 03:26:11 PM
And here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:20:53 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\sophos\Remote Update\imonitor.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\GetRight\getright.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pikeonline.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pikeonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pikeonline.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sophos Cache Manager - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Thank You!
Title: IST strikes again
Post by: guestolo on January 18, 2005, 08:54:53 PM
Hi John, a new tool has just come out to help combat part of the infection you have.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Again, don't restart your computer until asked to do so.
Title: IST strikes again
Post by: John Doe on January 19, 2005, 01:38:52 AM
Ok, here is the l2mfix log:

L2MFIX find log 1.01
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t4r80e9ueh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}"=""

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   docore.dll     Thu Jan 13 2005   1:17:54a  A....        151,552   148.00 K
   dolsp.dll      Thu Jan 13 2005   1:17:54a  A....        139,264   136.00 K
   dosync.dll     Thu Jan 13 2005   1:17:54a  A....        114,688   112.00 K
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
   hypertrm.dll   Wed Nov 17 2004  12:41:24p  A....        347,136   339.00 K
   iqircl.dll     Tue Jan 18 2005   1:36:22p  ..S.R        224,075   218.82 K
   lsasrv.dll     Wed Oct 27 2004   8:21:02p  A....        721,920   705.00 K
   lv6609~1.dll   Sat Jan 15 2005   3:03:10a  .....        223,902   218.65 K
   lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   msvcp71.dll    Mon Jan 17 2005   7:17:28p  A....        499,712   488.00 K
   t4r80e~1.dll   Tue Jan 18 2005  11:50:24a  ..S.R        224,075   218.82 K
   zosuia.dll     Mon Jan 17 2005   4:23:38a  A....         24,576    24.00 K

14 items found:  14 files (6 H/S), 0 directories.
   Total of file sizes:  3,569,080 bytes      3.40 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

01/18/2005  01:36 PM           224,075 iqircl.dll
01/18/2005  01:36 PM           224,294 lvj2091oe.dll
01/18/2005  11:50 AM           224,075 t4r80e9ueh.dll
01/17/2005  07:28 PM           225,182 fn0021dmg.dll
01/17/2005  07:08 PM           224,802 en26l1fs1.dll
01/16/2005  02:43 AM           223,902 m4rm0e91eh.dll
01/15/2005  03:52 AM    <DIR>          dllcache
08/12/2003  12:43 PM    <DIR>          Microsoft
               6 File(s)      1,346,330 bytes
               2 Dir(s)   9,325,010,944 bytes free
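A triage helper for an L2MFix find log like the one posted above, written here as an added example (it is not part of the thread and not the l2mfix tool). It decodes the Winlogon\Notify export, including the hex(2) REG_EXPAND_SZ values, flags a Notify subkey whose DllName is a full path or is not one of the baseline DLLs the benign entries use, and parses the SYSTEM32 attribute listing to flag the ..S.R files and their same-size siblings; the sample log inside is a constructed, shortened copy of the posted one, and the baseline DLL set and the 2 KB size band are assumptions.

```python
"""Triage helper for an L2MFix "find log" (added example; not part of the thread or of
the l2mfix tool). It flags Winlogon\\Notify subkeys whose DllName is a full path or an
unknown DLL (the built-in XP entries use bare names such as wlnotify.dll), and SYSTEM32
files that are system+read-only (..S.R) or share a flagged file's size, as in the log."""
import re

# Constructed sample: a shortened copy of the two relevant sections of the posted log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"DllName"="C:\\WINDOWS\\system32\\t4r80e9ueh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}"=""

C:\WINDOWS\SYSTEM32\
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   iqircl.dll     Tue Jan 18 2005   1:36:22p  ..S.R        224,075   218.82 K
   lv6609~1.dll   Sat Jan 15 2005   3:03:10a  .....        223,902   218.65 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   msvcp71.dll    Mon Jan 17 2005   7:17:28p  A....        499,712   488.00 K
   t4r80e~1.dll   Tue Jan 18 2005  11:50:24a  ..S.R        224,075   218.82 K
"""

# Assumed baseline: the bare DLL names used by the benign Winlogon\Notify entries in the log.
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
SUBKEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]", re.I)
FILE_LINE = re.compile(r"^\s+(\S+)\s+\w{3} \w{3}\s+\d{1,2} \d{4}\s+\d{1,2}:\d{2}:\d{2}[ap]"
                       r"\s+([A-Z.]{5})\s+([\d,]+)\s+[\d.]+ [KMG]\s*$")

def _decode_reg_value(raw):
    """Decode a .reg value: a quoted string, or hex(2) (REG_EXPAND_SZ as UTF-16LE bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword:... and anything else stays as written

def parse_notify_export(text):
    """Return {subkey: {value_name_lower: decoded_value}} for the Winlogon\\Notify export;
    lines that regedit wrapped with a trailing backslash are re-joined first."""
    entries, key, buf = {}, None, ""
    for raw_line in text.splitlines():
        line = buf + raw_line.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if m := SUBKEY.match(line):
            key = m.group(1)
            entries[key] = {}
        elif line.startswith("["):
            key = None  # a different exported key, e.g. the User Agent section
        elif key and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            entries[key][name.lower()] = _decode_reg_value(raw)
    return entries

def suspicious_notify_entries(entries):
    """Flag subkeys whose DllName is a full path or is not a baseline notification DLL."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get("dllname", "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base != dll.lower():
            reasons.append("DllName is a full path; built-in entries use bare names")
        if base not in BASELINE_NOTIFY_DLLS:
            reasons.append("not a baseline Winlogon notification DLL")
        if dll and reasons:
            findings.append((subkey, dll, reasons))
    return findings

def parse_file_listing(text):
    """Return [(name, attrs, size_bytes)] from the SYSTEM32 attribute listing."""
    return [(m.group(1), m.group(2), int(m.group(3).replace(",", "")))
            for m in map(FILE_LINE.match, text.splitlines()) if m]

def suspicious_files(files, band=2048):
    """System+read-only DLLs, plus same-size siblings whose attributes were cleared."""
    flagged = {name for name, attrs, _ in files if "S" in attrs and "R" in attrs}
    sizes = [size for name, _, size in files if name in flagged]
    for name, _, size in files:
        if name not in flagged and any(abs(size - s) <= band for s in sizes):
            flagged.add(name)
    return sorted(flagged)

def triage(text):
    return {"notify": suspicious_notify_entries(parse_notify_export(text)),
            "files": suspicious_files(parse_file_listing(text))}
```

Run against the sample, `triage` reports only the ShellCompatibility subkey on the registry side and the five ~224 KB DLLs on the file side; the `.....` file lv6609~1.dll is caught only because it shares a size with a flagged one.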
Title: IST strikes again
Post by: guestolo on January 19, 2005, 01:50:27 AM
Don't run away, John; this is a new fix and I would like to see the outcome tonight.
If not, I will see it tomorrow, my time.

I should mention, this fix is working quite well for the newer VX2 infection, which you also have.


Posted instructions below

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
Title: IST strikes again
Post by: guestolo on January 19, 2005, 01:57:25 AM
Bump, in case you didn't see my reply
Title: IST strikes again
Post by: John Doe on January 19, 2005, 04:09:25 PM
Here's the other log for l2mfix:

L2Mfix 1.01
 
Running From:
C:\Documents and Settings\Jayson\Desktop\l2mfix
 
Vbruntimes Found!
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      Everyone
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Jayson\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Jayson\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1504 'explorer.exe'
Killing PID 1504 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1740 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Desktop.ini sucessfully removed
 
Zipping up files for submission:
  adding: cecho.reg (140 bytes security) (deflated 2%)
  adding: echo.reg (140 bytes security) (deflated 9%)
  adding: desktop.ini (140 bytes security) (deflated 14%)
  adding: direct.txt (140 bytes security) (stored 0%)
  adding: lo2.txt (140 bytes security) (deflated 70%)
  adding: readme.txt (140 bytes security) (deflated 47%)
  adding: report.txt (140 bytes security) (deflated 73%)
  adding: test.txt (140 bytes security) (stored 0%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
 
Registry Entries to be Deleted:
Please verify that the listing looks ok. It shouldn't be longer than 13 lines
If approved by helper double click the cleanup.reg in the l2mfix folder.
****************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{09CD2634-3D1B-4C7D-8C8F-46B5E68C970D}</IDone>
<IDtwo>VT09</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************
 

Title: IST strikes again
Post by: guestolo on January 19, 2005, 04:56:58 PM
Let's try and clean the VX2 infection up and some other Nasties you have

Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill these processes if they are still running:
C:\WINDOWS\mmups.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe


Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Go back to the l2mfix folder on your desktop and double click cleanup.reg. Click Yes to the confirmation message, then click OK.

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)

Find and delete these files and folders if they exist:

C:\WINDOWS\mmups.exe <--this file

C:\Program Files\SED <--this folder
C:\WINDOWS\System32\wsxsvc <--folder
C:\WINDOWS\System32\vmss <--folder

Stay in safe mode and do a disk Cleanup
START>>RUN>>type in cleanmgr
and hit OK

Restart back to Normal mode

Back in Windows, Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer  to finish the cleaning process

Post back with a fresh Hijackthis log

Could you also open VX2 Finder and "Click to Find VX2.BetterInternet"
Let it finish scanning and post that log too, thanks

Also run DLLCompare again
Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here
Title: IST strikes again
Post by: John Doe on January 21, 2005, 01:40:01 AM
l2mfix will not let me add "cleanup.reg" to the registry.....the window says that the file is not the correct script and that only binary files may be added to the registry key
Title: IST strikes again
Post by: John Doe on January 21, 2005, 01:41:48 AM
P.S. I stopped there on the directions because I don't know if it has any effect on the subsequent directions (it probably does)
Title: IST strikes again
Post by: guestolo on January 21, 2005, 01:44:34 AM
Stick with me on this John

If you can get clean.reg to merge, stick with the first fix
Are you signed in with Administrative privileges?
If not
The tool has been updated

Please try this again, no need to run the Clean.reg with the newest version

Download this version of l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Go ahead with the other fixes with Hijackthis
The fix for this is one that you must stick with and post back in near time
You seem to want to post after 24 hours leaving yourself open for reinfection
I know the tool doesn't take that long to run, I've tried it myself
Please try and do these fixes in minimal time, I've posted twice within minutes after your reply
Title: IST strikes again
Post by: John Doe on January 22, 2005, 01:01:37 PM
Here's the log of l2mfix (P.S.: I have recently shut down my computer):



L2MFIX find log 1.02
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4pm0e71eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F6EDC9D6-D2B0-42DD-985F-4E652F2DA8C4}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{C4213067-97B3-4929-9B98-B5600FBBBA13}"="TouchED"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{248865E5-1534-4B1A-8C9F-399B3D0E99FA}"=""
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999}"=""
"{6371AF5C-EC86-406C-BCE3-8310835E6457}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{248865E5-1534-4B1A-8C9F-399B3D0E99FA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{248865E5-1534-4B1A-8C9F-399B3D0E99FA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{248865E5-1534-4B1A-8C9F-399B3D0E99FA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{248865E5-1534-4B1A-8C9F-399B3D0E99FA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6371AF5C-EC86-406C-BCE3-8310835E6457}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6371AF5C-EC86-406C-BCE3-8310835E6457}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6371AF5C-EC86-406C-BCE3-8310835E6457}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6371AF5C-EC86-406C-BCE3-8310835E6457}\InprocServer32]
@="C:\\WINDOWS\\system32\\oubcconf.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   docore.dll     Thu Jan 13 2005   1:17:54a  A....        151,552   148.00 K
   dolsp.dll      Thu Jan 13 2005   1:17:54a  A....        139,264   136.00 K
   dosync.dll     Sat Jan 22 2005  11:47:24a  A....        114,688   112.00 K
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
   fpj003~1.dll   Fri Jan 21 2005   7:58:12a  ..S.R        224,262   219.00 K
   fvntext.dll    Wed Jan 19 2005   3:01:24p  A....        224,075   218.82 K
   hypertrm.dll   Wed Nov 17 2004  12:41:24p  A....        347,136   339.00 K
   k4pm0e~1.dll   Thu Jan 20 2005   3:53:10p  ..S.R        224,249   218.99 K
   lsasrv.dll     Wed Oct 27 2004   8:21:02p  A....        721,920   705.00 K
   lv6609~1.dll   Sat Jan 15 2005   3:03:10a  .....        223,902   218.65 K
   lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   mmvcrt.dll     Wed Jan 19 2005   3:03:50p  A....        224,075   218.82 K
   msvcp71.dll    Mon Jan 17 2005   7:17:28p  A....        499,712   488.00 K
   oubcconf.dll   Fri Jan 21 2005   7:58:12a  ..S.R        224,249   218.99 K
   sporder.dll    Sat Jan 22 2005  11:47:28a  A....          8,464     8.27 K
   zosuia.dll     Mon Jan 17 2005   4:23:38a  A....         24,576    24.00 K

18 items found:  18 files (7 H/S), 0 directories.
   Total of file sizes:  4,250,304 bytes      4.05 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

01/21/2005  07:58 AM           224,249 oubcconf.dll
01/21/2005  07:58 AM           224,262 fpj0031me.dll
01/20/2005  03:53 PM           224,249 k4pm0e71eh.dll
01/18/2005  01:36 PM           224,294 lvj2091oe.dll
01/17/2005  07:28 PM           225,182 fn0021dmg.dll
01/17/2005  07:08 PM           224,802 en26l1fs1.dll
01/16/2005  02:43 AM           223,902 m4rm0e91eh.dll
01/15/2005  03:52 AM    <DIR>          dllcache
08/12/2003  12:43 PM    <DIR>          Microsoft
               7 File(s)      1,570,940 bytes
               2 Dir(s)   9,262,092,288 bytes free
Title: IST strikes again
Post by: John Doe on January 22, 2005, 01:22:03 PM
I am the administrator of this computer.
I apologize for the time inconvenience; however, I have been busy with moving to and from school.
I performed the fixes with HiJackThis as well.
I'll try to keep posted more often.
Title: IST strikes again
Post by: John Doe on January 22, 2005, 01:33:59 PM
Hi, my computer decided to shut down again, so here's a new l2mfix log:
L2MFIX find log 1.02
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0409dqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F6EDC9D6-D2B0-42DD-985F-4E652F2DA8C4}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{C4213067-97B3-4929-9B98-B5600FBBBA13}"="TouchED"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{8894E728-EC3B-4148-BFAF-F767977D5110}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8894E728-EC3B-4148-BFAF-F767977D5110}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8894E728-EC3B-4148-BFAF-F767977D5110}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8894E728-EC3B-4148-BFAF-F767977D5110}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8894E728-EC3B-4148-BFAF-F767977D5110}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   docore.dll     Thu Jan 13 2005   1:17:54a  A....        151,552   148.00 K
   dolsp.dll      Thu Jan 13 2005   1:17:54a  A....        139,264   136.00 K
   dosync.dll     Sat Jan 22 2005  11:47:24a  A....        114,688   112.00 K
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   f6l02g~1.dll   Sat Jan 22 2005  12:26:42p  ..S.R        224,262   219.00 K
   fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
   fvntext.dll    Wed Jan 19 2005   3:01:24p  A....        224,075   218.82 K
   hypertrm.dll   Wed Nov 17 2004  12:41:24p  A....        347,136   339.00 K
   ip41_qc.dll    Sat Jan 22 2005  12:22:42p  ..S.R        224,262   219.00 K
   lsasrv.dll     Wed Oct 27 2004   8:21:02p  A....        721,920   705.00 K
   lv0409~1.dll   Sat Jan 22 2005  12:21:10p  ..S.R        224,249   218.99 K
   lv6609~1.dll   Sat Jan 15 2005   3:03:10a  .....        223,902   218.65 K
   lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   mmvcrt.dll     Wed Jan 19 2005   3:03:50p  A....        224,075   218.82 K
   msvcp71.dll    Mon Jan 17 2005   7:17:28p  A....        499,712   488.00 K
   oubcconf.dll   Fri Jan 21 2005   7:58:12a  ..S.R        224,249   218.99 K
   sporder.dll    Sat Jan 22 2005  11:47:28a  A....          8,464     8.27 K

18 items found:  18 files (8 H/S), 0 directories.
   Total of file sizes:  4,449,990 bytes      4.24 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
   guard.tmp      Sat Jan 22 2005  12:28:46p  A....        224,249   218.99 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  224,249 bytes    218.99 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1015-5A79

 Directory of C:\WINDOWS\System32

01/22/2005  12:26 PM           224,262 f6l02g3mg6.dll
01/22/2005  12:22 PM           224,262 ip41_qc.dll
01/22/2005  12:21 PM           224,249 lv0409dqe.dll
01/21/2005  07:58 AM           224,249 oubcconf.dll
01/18/2005  01:36 PM           224,294 lvj2091oe.dll
01/17/2005  07:28 PM           225,182 fn0021dmg.dll
01/17/2005  07:08 PM           224,802 en26l1fs1.dll
01/16/2005  02:43 AM           223,902 m4rm0e91eh.dll
01/15/2005  03:52 AM    <DIR>          dllcache
08/12/2003  12:43 PM    <DIR>          Microsoft
               8 File(s)      1,795,202 bytes
               2 Dir(s)   9,262,735,360 bytes free
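The listing above is the pattern l2mfix keys on: a cluster of DLLs in system32 with random-looking names, almost identical sizes (223-226 KB), fresh timestamps and, for most of them, the System and Read-only attributes set, plus a guard.tmp that is byte-for-byte the same size as one of the DLLs. The following is an added example, not code from the thread or from l2mfix, that scores an l2mfix-style listing on those three signals and pairs any .tmp file with suspect DLLs of the same size. The size band, the 14-day window and the 2005-01-22 reference date are my assumptions; the sample lines are copied from the listing above.

```python
"""Triage an l2mfix-style system32 listing for Look2Me/VX2-like DLLs.

Added example (not code from the thread or from l2mfix). Each file is scored
on three signals and reported when at least two fire; .tmp files are paired
with suspect DLLs of identical size. Thresholds and reference date assumed.
"""
import re
from datetime import date, datetime

# One listing line, e.g.
#    en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d[\d,]*)\s"
)

SIZE_BAND = (223_000, 226_000)  # bytes; assumed from the cluster in the listing
RECENT_DAYS = 14                # assumed window
SCAN_DATE = date(2005, 1, 22)   # assumed: date of the post carrying the listing

# Copied from the listing in the thread (headers and a .tmp section included).
SAMPLE_LISTING = r"""
C:\WINDOWS\SYSTEM32\
   dolsp.dll      Thu Jan 13 2005   1:17:54a  A....        139,264   136.00 K
   en26l1~1.dll   Mon Jan 17 2005   7:08:40p  ..S.R        224,802   219.53 K
   f6l02g~1.dll   Sat Jan 22 2005  12:26:42p  ..S.R        224,262   219.00 K
   fn0021~1.dll   Mon Jan 17 2005   7:28:24p  ..S.R        225,182   219.90 K
   fvntext.dll    Wed Jan 19 2005   3:01:24p  A....        224,075   218.82 K
   ip41_qc.dll    Sat Jan 22 2005  12:22:42p  ..S.R        224,262   219.00 K
   lsasrv.dll     Wed Oct 27 2004   8:21:02p  A....        721,920   705.00 K
   lv0409~1.dll   Sat Jan 22 2005  12:21:10p  ..S.R        224,249   218.99 K
   lv6609~1.dll   Sat Jan 15 2005   3:03:10a  .....        223,902   218.65 K
   lvj209~1.dll   Tue Jan 18 2005   1:36:22p  ..S.R        224,294   219.04 K
   m4rm0e~1.dll   Sun Jan 16 2005   2:43:18a  ..S.R        223,902   218.65 K
   mmvcrt.dll     Wed Jan 19 2005   3:03:50p  A....        224,075   218.82 K
   msvcp71.dll    Mon Jan 17 2005   7:17:28p  A....        499,712   488.00 K
   oubcconf.dll   Fri Jan 21 2005   7:58:12a  ..S.R        224,249   218.99 K

Locate .tmp files:
   guard.tmp      Sat Jan 22 2005  12:28:46p  A....        224,249   218.99 K
"""


def parse_listing(text):
    """One dict per file line; headers, blank lines and totals do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = m["time"]
        stamp = "%s %s %s" % (" ".join(m["date"].split()), t[:-1],
                              "PM" if t[-1] == "p" else "AM")
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(stamp, "%a %b %d %Y %I:%M:%S %p"),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def reasons(entry, ref_date):
    """Signals that make a file look like one of the rotating Look2Me DLLs."""
    out = []
    if entry["name"].lower().endswith(".dll") and SIZE_BAND[0] <= entry["size"] <= SIZE_BAND[1]:
        out.append("size in %d-%d byte band" % SIZE_BAND)
    if "S" in entry["attrs"] and "R" in entry["attrs"]:
        out.append("System+Read-only attributes")
    if 0 <= (ref_date - entry["mtime"].date()).days <= RECENT_DAYS:
        out.append("modified within %d days of scan" % RECENT_DAYS)
    return out


def triage(text, ref_date, min_reasons=2):
    """Return ({suspect dll: reasons}, {tmp file: [suspect dlls of same size]})."""
    entries = parse_listing(text)
    suspects, by_size = {}, {}
    for e in entries:
        r = reasons(e, ref_date)
        if len(r) >= min_reasons:
            suspects[e["name"]] = r
            by_size.setdefault(e["size"], []).append(e["name"])
    twins = {e["name"]: by_size[e["size"]] for e in entries
             if e["name"].lower().endswith(".tmp") and e["size"] in by_size}
    return suspects, twins


def run_sample():
    return triage(SAMPLE_LISTING, SCAN_DATE)


if __name__ == "__main__":
    suspects, twins = run_sample()
    for name, why in suspects.items():
        print("%-14s %s" % (name, "; ".join(why)))
    for tmp, dlls in twins.items():
        print("%-14s same size as %s" % (tmp, ", ".join(dlls)))
```

Requiring two signals is what keeps legitimately recent files such as msvcp71.dll off the list while still catching fvntext.dll and lv6609~1.dll, which lack the S+R attributes but sit in the size band and were written the same week.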
Title: IST strikes again
Post by: John Doe on January 22, 2005, 01:35:53 PM
P.S. Now I'll finally do the fixes for HiJackThis.......the CPU shut down just as I was going to perform the fixes!!
Title: IST strikes again
Post by: guestolo on January 22, 2005, 01:51:43 PM
Don't run away, we just about have this thing finished

I'll post back in a bit
Title: IST strikes again
Post by: guestolo on January 22, 2005, 01:54:12 PM
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
Title: IST strikes again
Post by: John Doe on January 22, 2005, 02:10:44 PM
Here's the l2mfix log:

L2Mfix 1.02
 
Running From:
C:\Documents and Settings\Jayson\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      Everyone
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Jayson\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Jayson\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1412 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1960 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\dmser.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en26l1fs1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fn0021dmg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fu0021dmg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fvntext.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ip41_qc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6609jse.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvj2091oe.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrs0997e.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m4rm0e91eh.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmvcrt.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oubcconf.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sddocvw.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\dmser.dll  
Successfully Deleted: C:\WINDOWS\system32\dmser.dll
deleting: C:\WINDOWS\system32\en26l1fs1.dll  
Successfully Deleted: C:\WINDOWS\system32\en26l1fs1.dll
deleting: C:\WINDOWS\system32\fn0021dmg.dll  
Successfully Deleted: C:\WINDOWS\system32\fn0021dmg.dll
deleting: C:\WINDOWS\system32\fu0021dmg.dll  
Successfully Deleted: C:\WINDOWS\system32\fu0021dmg.dll
deleting: C:\WINDOWS\system32\fvntext.dll  
Successfully Deleted: C:\WINDOWS\system32\fvntext.dll
deleting: C:\WINDOWS\system32\ip41_qc.dll  
Successfully Deleted: C:\WINDOWS\system32\ip41_qc.dll
deleting: C:\WINDOWS\system32\lv6609jse.dll  
Successfully Deleted: C:\WINDOWS\system32\lv6609jse.dll
deleting: C:\WINDOWS\system32\lvj2091oe.dll  
Successfully Deleted: C:\WINDOWS\system32\lvj2091oe.dll
deleting: C:\WINDOWS\system32\lvrs0997e.dll  
Successfully Deleted: C:\WINDOWS\system32\lvrs0997e.dll
deleting: C:\WINDOWS\system32\m4rm0e91eh.dll  
Successfully Deleted: C:\WINDOWS\system32\m4rm0e91eh.dll
deleting: C:\WINDOWS\system32\mmvcrt.dll  
Successfully Deleted: C:\WINDOWS\system32\mmvcrt.dll
deleting: C:\WINDOWS\system32\oubcconf.dll  
Successfully Deleted: C:\WINDOWS\system32\oubcconf.dll
deleting: C:\WINDOWS\system32\sddocvw.dll  
Successfully Deleted: C:\WINDOWS\system32\sddocvw.dll
 
Desktop.ini sucessfully removed
 
Zipping up files for submission:
  adding: dmser.dll (140 bytes security) (deflated 4%)
  adding: en26l1fs1.dll (140 bytes security) (deflated 4%)
  adding: fn0021dmg.dll (140 bytes security) (deflated 4%)
  adding: fu0021dmg.dll (140 bytes security) (deflated 4%)
  adding: fvntext.dll (140 bytes security) (deflated 4%)
  adding: ip41_qc.dll (140 bytes security) (deflated 4%)
  adding: lv6609jse.dll (140 bytes security) (deflated 4%)
  adding: lvj2091oe.dll (140 bytes security) (deflated 4%)
  adding: lvrs0997e.dll (140 bytes security) (deflated 4%)
  adding: m4rm0e91eh.dll (140 bytes security) (deflated 4%)
  adding: mmvcrt.dll (140 bytes security) (deflated 4%)
  adding: oubcconf.dll (140 bytes security) (deflated 4%)
  adding: sddocvw.dll (140 bytes security) (deflated 4%)
updating: cecho.reg (140 bytes security) (deflated 2%)
updating: echo.reg (140 bytes security) (deflated 9%)
  adding: cleanup.reg (140 bytes security) (deflated 2%)
  adding: clear.reg (140 bytes security) (deflated 46%)
updating: desktop.ini (140 bytes security) (deflated 14%)
updating: direct.txt (140 bytes security) (stored 0%)
updating: lo2.txt (140 bytes security) (deflated 80%)
updating: readme.txt (140 bytes security) (deflated 48%)
updating: report.txt (140 bytes security) (deflated 64%)
updating: test.txt (140 bytes security) (deflated 75%)
  adding: log.txt (140 bytes security) (deflated 77%)
  adding: test2.txt (140 bytes security) (deflated 27%)
  adding: xfind.txt (140 bytes security) (deflated 69%)
  adding: backregs/0C55D3BE-4FEB-4C51-A428-A8F6A7EC8999.reg (140 bytes security) (deflated 70%)
  adding: backregs/12F1BECF-E3CE-46A0-94D0-4C5A32F1516E.reg (140 bytes security) (deflated 70%)
  adding: backregs/248865E5-1534-4B1A-8C9F-399B3D0E99FA.reg (140 bytes security) (deflated 70%)
  adding: backregs/6371AF5C-EC86-406C-BCE3-8310835E6457.reg (140 bytes security) (deflated 70%)
  adding: backregs/8894E728-EC3B-4148-BFAF-F767977D5110.reg (140 bytes security) (deflated 70%)
  adding: backregs/BE8A58D2-5C98-4118-A36B-9129F859848A.reg (140 bytes security) (deflated 70%)
  adding: backregs/shell.reg (140 bytes security) (deflated 73%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: dmser.dll  
deleting local copy: en26l1fs1.dll  
deleting local copy: fn0021dmg.dll  
deleting local copy: fu0021dmg.dll  
deleting local copy: fvntext.dll  
deleting local copy: ip41_qc.dll  
deleting local copy: lv6609jse.dll  
deleting local copy: lvj2091oe.dll  
deleting local copy: lvrs0997e.dll  
deleting local copy: m4rm0e91eh.dll  
deleting local copy: mmvcrt.dll  
deleting local copy: oubcconf.dll  
deleting local copy: sddocvw.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dmser.dll
C:\WINDOWS\system32\en26l1fs1.dll
C:\WINDOWS\system32\fn0021dmg.dll
C:\WINDOWS\system32\fu0021dmg.dll
C:\WINDOWS\system32\fvntext.dll
C:\WINDOWS\system32\ip41_qc.dll
C:\WINDOWS\system32\lv6609jse.dll
C:\WINDOWS\system32\lvj2091oe.dll
C:\WINDOWS\system32\lvrs0997e.dll
C:\WINDOWS\system32\m4rm0e91eh.dll
C:\WINDOWS\system32\mmvcrt.dll
C:\WINDOWS\system32\oubcconf.dll
C:\WINDOWS\system32\sddocvw.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok. It shouldn't be longer than 13 lines
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8894E728-EC3B-4148-BFAF-F767977D5110}"=-
"{BE8A58D2-5C98-4118-A36B-9129F859848A}"=-
"{12F1BECF-E3CE-46A0-94D0-4C5A32F1516E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8894E728-EC3B-4148-BFAF-F767977D5110}]
[-HKEY_CLASSES_ROOT\CLSID\{BE8A58D2-5C98-4118-A36B-9129F859848A}]
[-HKEY_CLASSES_ROOT\CLSID\{12F1BECF-E3CE-46A0-94D0-4C5A32F1516E}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F6EDC9D6-D2B0-42DD-985F-4E652F2DA8C4}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{F6EDC9D6-D2B0-42DD-985F-4E652F2DA8C4}</IDone>
<IDtwo>AD</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************
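The log above temporarily denies Everyone the right to create subkeys under Winlogon\Notify, reboots, removes the DLLs, and then exports the Notify key so the helper can confirm only the stock XP SP2 packages remain. Reading that export by eye is awkward because regedit writes REG_EXPAND_SZ values as UTF-16LE hex wrapped across continuation lines. The following is an added example, not code from the thread or from l2mfix, that parses a Winlogon\Notify export, decodes those values, and flags any package not on the clean-system baseline. The baseline is taken from the export above; the "svcmgr" subkey and its lm2sample.dll in the sample are constructed stand-ins for a malware-added package and do not appear in the thread.

```python
"""Audit a Winlogon\\Notify .reg export for rogue notification packages.

Added example (not code from the thread or from l2mfix). Parses the regedit
5.00 export format from the log, including hex(2) values wrapped across
continuation lines, and compares every subkey with the XP SP2 baseline.
The "svcmgr" subkey in the sample is CONSTRUCTED and not from the thread.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# subkey (lower-case) -> DLL it loads on a clean XP SP2 system (from the export above)
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}


def join_continuations(text):
    """Fold regedit's trailing-backslash line wraps into single logical lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    return lines


def decode_value(data):
    """Decode the encodings Notify entries use; anything else is returned raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex\(([12])\):(.*)", data)  # REG_SZ / REG_EXPAND_SZ as UTF-16LE hex
    if m:
        raw = bytes.fromhex(m.group(2).replace(",", "").strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_notify_export(text):
    """Return {subkey: {value name (lower-cased): decoded value}} under Notify."""
    prefix = (NOTIFY_KEY + "\\").lower()
    entries, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current is not None:
                entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m["name"].lower()] = decode_value(m["data"])
    return entries


def audit(entries):
    """(subkey, dll, why) for every package that does not match the baseline."""
    findings = []
    for subkey, values in entries.items():
        dll = str(values.get("dllname", ""))
        expected = BASELINE.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "subkey not registered on a clean XP SP2 system"))
        elif dll.lower() != expected:
            findings.append((subkey, dll, "expected %s" % expected))
    return findings


# First two subkeys copied from the export above; "svcmgr" is CONSTRUCTED.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svcmgr]
"Asynchronous"=dword:00000000
"DllName"=hex(2):6c,00,6d,00,32,00,73,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    for subkey, dll, why in audit(parse_notify_export(SAMPLE_EXPORT)):
        print("%-14s %-20s %s" % (subkey, dll, why))
```

Value names are compared case-insensitively because the export itself mixes "DllName" and "DLLName"; the registry does not distinguish them, and a checker that does would miss half the stock entries.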
 

Title: IST strikes again
Post by: John Doe on January 22, 2005, 02:11:42 PM
Here's the HiJackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 1:06:46 PM, on 1/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\sophos\Remote Update\imonitor.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pikeonline.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pikeonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pikeonline.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sophos Cache Manager - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
Title: IST strikes again
Post by: guestolo on January 22, 2005, 03:03:13 PM
Please print this out or save it to a Notepad file on your desktop

Download a couple tools and then disconnect from the Internet
Also, know how to start into safe mode ahead of time; I'll be asking you to do this
soon. The link below explains how if you're unsure

Can you download Winsock XP fix from this link
http://www.spychecker.com/program/winsockxpfix.html
Save it to the desktop, don't run the FIX yet
Your Winsock settings have been hijacked. IF you lose your Internet connection, run the Fix with all other windows closed down and then Restart your computer

Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Ad-Aware may check for updates and run a scan when installing
Allow to update but don't run a scan at this time

Open Hijackthis>>Open Misc Tools Section>>Open Process manager
Kill these process if still running
C:\PROGRA~1\VBouncer\VirtualBouncer.exe

Access your Add/Remove programs and Remove if found
VirtualBouncer <--It's bogus, and can cause more problems, considered spyware itself

Don't allow the computer to Restart yet if removed
Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
<--considered optional to remove, I'm only asking you to remove it because the Install appears to be corrupt or this is a leftover
Many consider this to be Spyware itself

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis


RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)

Again access your Add/Remove Programs and remove Weatherbug
Don't allow the computer to restart
Instead find and delete these files or folders if they exist

C:\Program Files\VBouncer <--this folder
C:\Program Files\AWS

Stay in safe mode
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal Mode to finish the cleaning process

Do what you can from the above and then
Post back with a Fresh hijackthis log afterwards

Can you also open VX2 Finder and "Click to Find VX2.Betterinternet"
When it's done scanning, make a log and post it back here, thanks
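Two of the HijackThis lines guestolo is working from deserve a closer look than a checkbox: the O1 entries point Microsoft's and Netscape's search hostnames at 69.20.16.183, and the four O10 lines mean dolsp.dll is chained into four Winsock catalog entries, which is why the Winsock fix is downloaded before anything is deleted. The following is an added example, not code from the thread or from HijackThis, that extracts both kinds of finding from a v1.99 log: every hosts entry mapped to a non-loopback address, and each LSP DLL with the number of catalog entries that reference it. The sample lines are copied from the log above; the "127.0.0.1 localhost" line is constructed as a benign control.

```python
"""Pull hosts-file and Winsock-LSP findings out of a HijackThis log.

Added example (not code from the thread or from HijackThis). Reads the O1
("Hosts:") and O10 ("Unknown file in Winsock LSP") lines of a v1.99 log,
reports hosts entries that map a name to a non-loopback address, and counts
how many catalog entries reference each LSP DLL. The localhost sample line
is CONSTRUCTED; the other sample lines are copied from the thread.
"""
import ipaddress
import re

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(?P<path>\S.*?)\s*$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
"""


def hosts_redirects(log):
    """(host, ip) for each hosts entry not mapped to a loopback address, deduplicated."""
    out = []
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an address; leave for manual review
        pair = (m["host"], m["ip"])
        if not addr.is_loopback and pair not in out:
            out.append(pair)
    return out


def lsp_entries(log):
    """LSP DLL path (lower-cased) -> number of catalog entries HijackThis listed for it."""
    counts = {}
    for line in log.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            path = m["path"].lower()
            counts[path] = counts.get(path, 0) + 1
    return counts


def triage(log):
    """Combine both checks and spell out why the LSP file must not just be deleted."""
    report = {"hosts_redirects": hosts_redirects(log), "lsp": lsp_entries(log)}
    report["notes"] = [
        "%s is referenced by %d Winsock catalog entries; deleting the file without "
        "repairing the catalog can break network connectivity" % (path, n)
        for path, n in report["lsp"].items()
    ]
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for host, ip in r["hosts_redirects"]:
        print("hosts hijack: %s -> %s" % (host, ip))
    for note in r["notes"]:
        print(note)
```

The loopback test uses the ipaddress module rather than a string compare so that "::1" and the whole 127.0.0.0/8 range are treated as benign, while any routable address attached to a search or update hostname is reported.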
Title: IST strikes again
Post by: John Doe on January 22, 2005, 04:25:08 PM
Some notes:
- no "VBouncer" was detected under HiJackThis scan
- no weatherbug program was detected under "Add/Programs" under safe mode
- no "VBouncer" or "AWS" folder was found under safe mode

Logfile of HijackThis v1.99.0
Scan saved at 3:18:50 PM, on 1/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\sophos\Remote Update\imonitor.exe
C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pikeonline.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pikeonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pikeonline.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sophos Cache Manager - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
Title: IST strikes again
Post by: John Doe on January 22, 2005, 04:26:33 PM
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
VX2 log:

Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
Title: IST strikes again
Post by: John Doe on January 22, 2005, 04:36:40 PM
Note:

- just performed the WinSock fix after being disconnected.....working so far
- forced to reboot
Title: IST strikes again
Post by: guestolo on January 22, 2005, 04:37:38 PM
Good work John, one last fix

But first make a clean restore point>>this is just for backup purposes
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a fresh restore point>>Name it and click the Create button

After that is done

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Disconnect completely from the Internet(Close down all browser windows)
and all unnecessaries running in the background

Double click on fix.reg and allow it to merge to the registry

Open Winsock Fix and click on the FIX button
follow the prompts <<FORGET about this part if you already ran it and back online

RESTART your computer afterwards and post back here one last hijackthis log

Could you also post another log from VX2 finder
Title: IST strikes again
Post by: John Doe on January 22, 2005, 04:50:16 PM
HiJackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 3:45:58 PM, on 1/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\sophos\Remote Update\imonitor.exe
C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\Jayson\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pikeonline.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pikeonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pike Online, Ltd.
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pikeonline.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sophos Cache Manager - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
Title: IST strikes again
Post by: John Doe on January 22, 2005, 04:51:17 PM
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
VX2 log:
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
SV1
Title: IST strikes again
Post by: guestolo on January 22, 2005, 05:02:35 PM
Just one final check

With windows set to show hidden files and folders

Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/
Use the Browse button at the top of that links page and navigate to this file
C:\WINDOWS\system32\pzxmlq.exe <--this file
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here
Title: IST strikes again
Post by: John Doe on January 22, 2005, 05:58:45 PM
here are the results:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"


.....I browsed and the file did not exist.....so I just copied the path into the word bar.....and that's what returned
Title: IST strikes again
Post by: guestolo on January 22, 2005, 06:53:57 PM
Yah, that online scanner will do that if you just copy and paste in the info

I think we're done here

Just let's make sure we do some final tidying up


Open Hijackthis>>Open Misc tools>>Click the Delete file on Reboot button
Copy and paste this full path of file to delete into the File name box

C:\WINDOWS\system32\pzxmlq.exe

Click the Open button
Hijackthis may prompt you that the file will be deleted and you must restart your computer
Allow to reboot

Back in Windows
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as clear.reg
Save this file on the desktop

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\4910c0a2-15e6-4f61-a55f-2e56eec004ab]

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\4910c0a2-15e6-4f61-a55f-2e56eec004ab]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gnskmq]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc5d2f07-d038-481e-878a-711ef3486762}]

Double click on clear.reg and allow to Merge to the registry


Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as zesoft.reg
Save this file on the desktop

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZESOFT]

Double click on zesoft.reg and allow to merge

Restart your computer again

If everything is running better
you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Post back and let me know how everything is running
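The helper's job across this thread is to compare each new HijackThis log with the previous one and see which R/O entries the fix removed. The parser and diff below are an added example written for this page, not a tool from the thread; the two sample logs are constructed in the log format shown above, and the file name, the [xyzzy] Run entry and the ZESOFT service line are placeholders.

```python
import re
from typing import Dict, List, Tuple

# A HijackThis entry is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] C:\path\file.exe".
# Codes are R0-R3, F0-F3, N1-N4 and O1-O24; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log: str) -> Dict[str, List[str]]:
    """Group the R/F/N/O entries of a HijackThis log by section code."""
    entries: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in the earlier log (removed by the fix) and only in the later log (new)."""
    def flat(log: str) -> set:
        return {f"{c} - {d}" for c, ds in parse_entries(log).items() for d in ds}
    removed, added = flat(before) - flat(after), flat(after) - flat(before)
    return sorted(removed), sorted(added)


# Constructed sample logs (placeholders, not the thread's real entries).
BEFORE = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\placeholder.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xyzzy] C:\WINDOWS\system32\placeholder.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\system32\placeholder.exe
"""
AFTER = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

if __name__ == "__main__":
    gone, new = diff_logs(BEFORE, AFTER)
    print("removed:", *gone, sep="\n  ")
    print("added:", *new, sep="\n  ")
```

Anything listed under "added" after a fix is what to look at next; an unchanged O4 or O23 line that the fix was supposed to remove means the reg merge or reboot deletion did not take.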
Title: IST strikes again
Post by: John Doe on January 22, 2005, 09:26:04 PM
that definitely took care of all my popup issues (I have yet to see one and have been on for 20 minutes or so)....I would like to thank you......without your help I would have had no clue what to do....I wish there was some way to repay you for your commendable service.

the only issue I have now is that the wireless internet connection suddenly disconnects, and I have to play around with enabling/disabling and the firewall features to get it back on (which then only lasts for a little while)....I think the issue started as a result of installing XP service pack 2....should I get rid of that too?

Also, which programs (aside from the recent 2 you prescribed) should I keep (l2mfix, vx2 finder, runkey, find it, dll compare, hijackthis, spybot search, ad-aware, and winsock)
Title: IST strikes again
Post by: guestolo on January 23, 2005, 06:58:56 AM
Let me know if this link is any help

http://www.thetechguide.com/forum/index.php?showtopic=10926

If not, I would venture that Microsoft claims that anyone with Spyware or Viruses on their computer should not install SP2
And uninstall and reinstall is up to you
I would check out that link, if any possibilities that you fix your Internet connection
Please post back and let them know
Title: IST strikes again
Post by: guestolo on January 23, 2005, 09:50:21 PM
Forgot to add this

Hold onto Ad-Aware and Spybot
Check for updates every couple of weeks and run a scan

l2mfix, vx2 finder, runkey, find it, dll compare, winsock
You can manually delete, they're not needed any more

Hijackthis>>>Hold onto it for a couple of weeks
At the end of that time you can delete the backups and Hijackthis
Title: IST strikes again
Post by: John Doe on January 29, 2005, 12:04:36 AM
Sorry for the lack of response, but I did take your advice.....I removed XP Service Pack 2 and everything works just fine now......I really appreciate all of your help.....even though my cooperation was not up to par (especially considering that this is my problem). I also took the liberty of deleting the programs that you okayed....thank you once again.....you are to computers what Bill Gates is to.....well, computers!!!! :D
Title: IST strikes again
Post by: guestolo on January 29, 2005, 12:32:32 AM
I would still venture to try a reinstall of SP2 again
or at minimum make sure that you have at least Service Pack 1a installed and check for other Critical updates

If you decide to Reinstall Service pack 2
Ensure that all hardware drivers are up to date
Backup Important files and documents just in case
Know how to get out of trouble in advance just in case something goes wrong
http://support.microsoft.com/default.aspx?kbid=875355&product=windowsxpsp2kb

Wouldn't hurt to run an Online Virus scan just for a double check
Do one at Housecall's>>Set to Autoclean
http://housecall.trendmicro.com/

Run updated spyware checks with Spybot and Ad-Aware
Restarting in between if any bad guys found

Clean those temp folders, can't remember if I directed you to Windows CleanUp!
You should regularly (At least once every couple weeks)
If you would like to try this free utility to do it for you
Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup: http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe
Open Windows CleanUp,
Click the CleanUp button, let it finish scanning for files and then Log off and back on
or Restart your computer

Defrag your Hard drive ahead of time>>Best done in safe mode
Restart back to Normal mode afterwards

If you're updating to SP2 online it wouldn't hurt to disable your AV temporarily
I would also disable any third party download program>>Eg... Getright
And ensure that all other users are logged off
===If you're on Dialup and need to order the CD, I believe you can still order it free from this link>>I'm on Cable and still ordered the CD, nice to have around
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

Let it download and install>>Even if it appears to hesitate at times
When it's done
Restart when prompted
Go back to Windows update and see if there are more High priority updates
Restart if prompted again

After you're back in Windows run Windows CleanUp! again
Log off and back on

This should help to have a clean install of SP2
If it doesn't help then I would think it's more of a Wireless>>SP2 issue
That link has many suggestions
But you did have many problems in your Hijackthis log...
Title: IST strikes again
Post by: guestolo on February 04, 2005, 03:39:35 AM
I'll lock this topic as your problems are resolved
If you need it reopened, please PM the site Admin or a MOD
Supply a link to this thread

Anyone else with similar problems please start your own topic and include a Hijackthis log