TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Watchman_987 on March 14, 2005, 10:26:28 AM
-
I've been reading these forums quite a bit the past couple days and have pretty much downloaded most of the tools to remove what I think was the VX2 (newer version). I've got it down to the point where the only issue remaining is a new Registry directory/key that keeps being added in the Winlogon/Notify section, running a new dll in the system32 folder.
I've run the following:
Ad-Aware SE
Spy Bot
Spy Sweeper
l2mfix
kill2me
TDS-3
Norton's
VX2Find
CWShredder
All come up clean except for VX2Find and HijackThis. The following two logs are from VX2Find and HijackThis:
Files Found---
Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{782117A7-F846-94C0-C408-3F250AC614A8}
Logfile of HijackThis v1.99.1
Scan saved at 8:17:57 AM, on 3/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\cc\Desktop\REmoval\vx2finder.exe
C:\Program Files\NoteTab Pro\NotePro.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dnnq0155e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
As a further note, I cannot locate any guard.tmp file. I have made certain all hidden files are viewable and have done countless searches on variations of the name and by date (last accessed), all to no avail. Yet the symptoms of the added registry keys and the elusive changing DLL in system32 keep occurring.
I appreciate any help anyone can give me with this.
-
I'm not sure what you tried
But if you haven't tried this yet
Please do
Download L2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
[color="red"]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so![/color]
Can you post this log anyways, thanks
-
I really appreciate you taking the time to help me here.
The following is the result of the log from l2mfix
L2MFIX find log 1.02b
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l46o0ej3eho.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{42B3D3FA-40C6-BC2E-D70E-7B0EE216FAD4}"=""
********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.url"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{57C9D926-056E-45D7-9D44-CE8D98A69476}"=""
"{52303D83-FD27-4FCF-9FFF-97AAC024F29D}"=""
********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\InprocServer32]
@="C:\\WINDOWS\\system32\\ioircl.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\InprocServer32]
@="C:\\WINDOWS\\system32\\jrsd400.dll"
"ThreadingModel"="Apartment"
********************************************************************************
**
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
bqdispl.dll Thu Mar 10 2005 12:34:40p ..S.R 232,808 227.35 K
ceyptui.dll Thu Mar 10 2005 4:54:24p ..S.R 232,556 227.11 K
cxmsvcs.dll Mon Mar 14 2005 10:00:34a ..S.R 234,558 229.06 K
debugg.dll Mon Mar 7 2005 9:55:32a A.... 0 0.00 K
dz3j.dll Thu Mar 10 2005 4:47:38p ..S.R 235,408 229.89 K
en88l1~1.dll Thu Mar 10 2005 4:06:52p ..S.R 233,164 227.70 K
gccoll~1.dll Fri Dec 31 2004 3:00:00p A.... 134,880 131.72 K
gcmd5q~1.dll Mon Jan 10 2005 9:21:20p A.... 10,752 10.50 K
gcunco~1.dll Fri Dec 31 2004 1:14:32p A.... 130,272 127.22 K
hashlib.dll Fri Dec 31 2004 3:00:00p A.... 81,120 79.22 K
ikcvid.dll Fri Mar 11 2005 7:52:00a ..S.R 234,748 229.25 K
il50_qcx.dll Fri Mar 11 2005 7:37:54a ..S.R 233,944 228.46 K
ioircl.dll Fri Mar 11 2005 7:09:14a ..S.R 232,556 227.11 K
ipsutil.dll Mon Mar 14 2005 9:25:32a ..S.R 232,824 227.37 K
iwsecsnp.dll Thu Mar 10 2005 5:27:14p ..S.R 236,260 230.72 K
jrsd400.dll Mon Mar 14 2005 4:57:10p ..S.R 233,188 227.72 K
k280lc~1.dll Fri Mar 11 2005 6:10:50p ..S.R 233,150 227.68 K
kadnec.dll Thu Mar 10 2005 7:59:42a ..S.R 233,732 228.25 K
kcuser.dll Mon Mar 14 2005 7:08:02a ..S.R 234,718 229.21 K
ksdmac.dll Fri Mar 11 2005 8:00:02a ..S.R 234,764 229.26 K
l46o0e~1.dll Mon Mar 14 2005 10:13:48a ..S.R 233,188 227.72 K
lebfcur.dll Mon Mar 14 2005 8:07:16a ..S.R 235,659 230.13 K
lzxlmpm.dll Thu Mar 10 2005 7:52:42a ..S.R 232,736 227.28 K
mlvcr71.dll Fri Mar 11 2005 7:32:40a ..S.R 234,792 229.29 K
mqihnd.dll Fri Mar 11 2005 7:46:40a ..S.R 234,213 228.72 K
muaatext.dll Fri Mar 11 2005 9:41:50a ..S.R 233,150 227.68 K
mv8ql9~1.dll Thu Mar 10 2005 12:16:36p ..S.R 234,397 228.90 K
mvn2l9~1.dll Thu Mar 10 2005 9:38:42a ..S.R 232,853 227.39 K
mvpol9~1.dll Thu Mar 10 2005 5:45:48p ..S.R 233,935 228.45 K
nawrssl.dll Thu Mar 10 2005 3:46:40p ..S.R 233,180 227.71 K
nbrszhc.dll Fri Mar 11 2005 8:23:46a ..S.R 236,003 230.47 K
ntwrsru.dll Fri Mar 11 2005 6:12:12p ..S.R 234,718 229.21 K
o684lg~1.dll Mon Mar 14 2005 4:57:10p ..S.R 234,674 229.17 K
paofmap.dll Thu Mar 10 2005 9:45:12a ..S.R 235,596 230.07 K
pdlstore.dll Thu Mar 10 2005 4:51:36p ..S.R 235,804 230.28 K
pirfdisk.dll Tue Mar 8 2005 5:29:26p ..S.R 232,736 227.28 K
pyrfproc.dll Tue Mar 8 2005 5:29:20p ..S.R 232,736 227.28 K
rccres.dll Thu Mar 10 2005 4:44:38p ..S.R 235,122 229.61 K
rzched20.dll Fri Mar 11 2005 7:55:48a ..S.R 234,213 228.72 K
s32evnt1.dll Mon Dec 20 2004 6:58:18p A.... 83,664 81.70 K
skrio600.dll Thu Mar 10 2005 9:38:42a ..S.R 235,596 230.07 K
smlights.dll Thu Mar 10 2005 1:43:22p ..S.R 233,787 228.30 K
snc.dll Thu Mar 10 2005 1:02:00p ..S.R 233,446 227.97 K
swndmail.dll Fri Mar 11 2005 7:27:14a ..S.R 233,944 228.46 K
symneti.dll Fri Jan 21 2005 10:31:54p A.... 513,752 501.71 K
symredir.dll Fri Jan 21 2005 10:31:52p A.... 141,016 137.71 K
syrialui.dll Thu Mar 10 2005 1:57:24p ..S.R 234,917 229.41 K
tjd32.dll Thu Mar 10 2005 1:17:00p ..S.R 233,787 228.30 K
tvkwks.dll Thu Mar 10 2005 5:45:50p ..S.R 232,556 227.11 K
ukrv42a.dll Mon Mar 14 2005 10:13:48a ..S.R 232,824 227.37 K
wssdmoe2.dll Thu Mar 10 2005 3:48:52p ..S.R 235,122 229.61 K
51 items found: 51 files (43 H/S), 0 directories.
Total of file sizes: 11,159,518 bytes 10.64 M
Locate .tmp files:
No matches found.
********************************************************************************
**
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C8DC-65E8
Directory of C:\WINDOWS\System32
03/14/2005 04:57 PM 233,188 jrsd400.dll
03/14/2005 04:57 PM 234,674 o684lglq16qe.dll
03/14/2005 10:13 AM 232,824 ukrv42a.dll
03/14/2005 10:13 AM 233,188 l46o0ej3eho.dll
03/14/2005 10:00 AM 234,558 cxmsvcs.dll
03/14/2005 09:25 AM 232,824 ipsutil.dll
03/14/2005 08:07 AM 235,659 LEBFCUR.DLL
03/14/2005 07:08 AM 234,718 kcuser.dll
03/11/2005 06:12 PM 234,718 ntwrsru.dll
03/11/2005 06:10 PM 233,150 k280lclm1fqa.dll
03/11/2005 09:41 AM 233,150 muaatext.dll
03/11/2005 08:23 AM 236,003 nbrszhc.dll
03/11/2005 08:00 AM 234,764 ksdmac.dll
03/11/2005 07:55 AM 234,213 rzched20.dll
03/11/2005 07:51 AM 234,748 ikcvid.dll
03/11/2005 07:46 AM 234,213 mqihnd.dll
03/11/2005 07:37 AM 233,944 il50_qcx.dll
03/11/2005 07:32 AM 234,792 mlvcr71.dll
03/11/2005 07:27 AM 233,944 swndmail.dll
03/11/2005 07:09 AM 232,556 ioircl.dll
03/10/2005 05:45 PM 232,556 tvkwks.dll
03/10/2005 05:45 PM 233,935 mvpol9731.dll
03/10/2005 05:27 PM 236,260 iwsecsnp.dll
03/10/2005 04:54 PM 232,556 ceyptui.dll
03/10/2005 04:51 PM 235,804 pdlstore.dll
03/10/2005 04:47 PM 235,408 dz3j.dll
03/10/2005 04:44 PM 235,122 RCCRES.dll
03/10/2005 04:06 PM 233,164 en88l1lu1.dll
03/10/2005 03:48 PM 235,122 wssdmoe2.dll
03/10/2005 03:46 PM 233,180 nawrssl.dll
03/10/2005 01:57 PM 234,917 syrialui.dll
03/10/2005 01:43 PM 233,787 SMLights.dll
03/10/2005 01:16 PM 233,787 tjd32.dll
03/10/2005 01:01 PM 233,446 snc.dll
03/10/2005 12:58 PM <DIR> dllcache
03/10/2005 12:34 PM 232,808 bqdispl.dll
03/10/2005 12:16 PM 234,397 mv8ql9l51.dll
03/10/2005 09:45 AM 235,596 paofmap.dll
03/10/2005 09:38 AM 235,596 skrio600.dll
03/10/2005 09:38 AM 232,853 mvn2l95o1.dll
03/10/2005 07:59 AM 233,732 kadnec.dll
03/10/2005 07:52 AM 232,736 lzxlmpm.dll
03/08/2005 05:29 PM 232,736 pirfdisk.dll
03/08/2005 05:29 PM 232,736 pyrfproc.dll
08/13/2003 08:32 AM <DIR> Microsoft
43 File(s) 10,064,062 bytes
2 Dir(s) 82,689,544,192 bytes free
Here is what I've discovered, note the key here: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
That last directory called \Setup just got created, in fact there is a whole list of names that keep getting recreated there all linking to that DLL file which also keeps changing. Each time I go in and delete that directory and all the sub keys, then delete that DLL file, they all return and I cannot seem to pinpoint what is re-creating them.
Just some additional information, not sure if it's useful or not.
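As an added example (not a tool from this thread), the Python script below parses a .reg export of the Winlogon\Notify key like the ones posted here, decodes hex(2) DllName values, and flags entries that do not look like the Windows-supplied ones; the sample export is constructed to mirror the entries in the thread.

```python
"""Triage a .reg export of the Winlogon\\Notify key for notification DLLs
that Windows did not install.

Added example, not a tool from this thread. SAMPLE_EXPORT is constructed to
mirror the entries posted above, including a hex(2) (REG_EXPAND_SZ) DllName.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Subkeys Windows XP itself registers here (lower-cased, the registry is
# case-insensitive), taken from the clean export posted in the thread.
KNOWN_XP_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Entry-point names used by the VX2 entries posted in this thread.
VX2_ENTRY_POINTS = {"WinLogon", "WinLogoff", "WinShutdown"}


def decode_reg_value(raw):
    """Decode a .reg right-hand side: "quoted string" (\\\\ unescaped),
    dword:xxxxxxxx, or hex(2): comma-separated UTF-16LE bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other types (hex:, hex(7):) are left as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}. Long values that regedit wraps
    with a trailing backslash are joined back together first."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys


def audit_notify_entries(keys):
    """Return [(subkey, dll, reasons)] for Notify entries worth a second look."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        reasons = []
        if subkey.lower() not in KNOWN_XP_SUBKEYS:
            reasons.append("subkey is not one Windows XP registers")
        if "\\" in str(dll):
            reasons.append("DllName is a full path; Windows lists its own DLLs by bare name")
        if VX2_ENTRY_POINTS & {v for v in values.values() if isinstance(v, str)}:
            reasons.append("entry points named like the VX2 entries in this thread")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


# Constructed sample modelled on the exports in this thread (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

if __name__ == "__main__":
    for subkey, dll, reasons in audit_notify_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against a real export (regedit, right-click the Notify key, Export) instead of SAMPLE_EXPORT to see which entries on a machine fall outside the Windows-supplied set.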
-
I want to ensure you do this
Close any programs you have open since this step requires a reboot.
Open L2Mfix and run l2mfix.bat
Select option #4 and then press Enter
Select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
Note: once the pc has restarted if a text does not open run the "second.bat" located inside the L2mfix folder.
[color="purple"]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so![/color]
-
Thanks for the continued follow-up!
I've followed your instructions with one variation. After running the second.bat file (the first one did not open the text file) the guard.tmp file appeared in the system32 folder. I deleted that file.
The following are the two logs:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
Followed by the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:48:07 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fp6803jue.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
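A defender-side check for Winlogon\Notify exports like the ones posted in this thread, added here as an example and not taken from the thread, L2MFix or VX2Find: it parses a Regedit 5.00 export, decodes hex(2) DllName values, and flags any notification package that registers an absolute system32 path, a DLL outside an assumed allow-list of stock XP packages, or the WinLogon/WinLogoff/WinShutdown handler names the logs show for the rogue key. The sample export and the allow-list are constructed from entries that appear in this thread.

```python
"""Flag rogue Winlogon\\Notify packages in a Regedit 5.00 export (constructed example)."""
import re
from typing import Dict, List, Optional

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" "\\")
# Stock XP notification packages seen in this thread's exports (assumed allow-list).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll", "wzcdlg.dll"}
# Handler export names the rogue key in this thread registers.
ROGUE_HANDLERS = {"logon": "WinLogon", "logoff": "WinLogoff", "shutdown": "WinShutdown"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
Values = Dict[str, object]  # value name (lower-cased) -> decoded value

def decode_hex2(data: str) -> str:
    """Decode a hex(2) (REG_EXPAND_SZ) byte list: UTF-16LE, NUL-terminated."""
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_notify_export(text: str) -> Dict[str, Values]:
    """Return {subkey name: values} for every Winlogon\\Notify subkey in the export."""
    entries: Dict[str, Values] = {}
    current: Optional[Values] = None
    pending_name: Optional[str] = None  # hex(2) value continued on the next line
    pending_hex = ""
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if pending_name is not None:
            pending_hex += line.rstrip("\\")
            if not line.endswith("\\"):  # last continuation line reached
                current[pending_name] = decode_hex2(pending_hex)
                pending_name = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None  # values of unrelated keys are ignored
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = entries.setdefault(key[len(NOTIFY_PREFIX):], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("hex(2):"):
            data = value[len("hex(2):"):]
            if data.endswith("\\"):
                pending_name, pending_hex = name, data.rstrip("\\")
            else:
                current[name] = decode_hex2(data)
        elif value.startswith("dword:"):
            current[name] = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            current[name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return entries

def assess(values: Values) -> List[str]:
    """Reasons a subkey looks rogue; an empty list means it looks like a stock package."""
    reasons: List[str] = []
    dll = values.get("dllname")
    if not isinstance(dll, str):
        return ["DllName missing or not a string"]
    if "\\" in dll:
        reasons.append("DllName is an absolute path; stock packages register a bare file name")
    base = dll.rsplit("\\", 1)[-1].lower()
    if base not in KNOWN_NOTIFY_DLLS:
        reasons.append(f"{base} is not a known notification package")
    if all(values.get(k) == v for k, v in ROGUE_HANDLERS.items()):
        reasons.append("Logon/Logoff/Shutdown exports use the WinLogon/WinLogoff/WinShutdown names")
    return reasons

def find_suspicious(text: str) -> Dict[str, List[str]]:
    """Map each flagged subkey name to the reasons it was flagged."""
    return {k: r for k, v in parse_notify_export(text).items() if (r := assess(v))}

# Constructed sample: three subkeys copied from the L2MFix export in this thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6m05j1e.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

if __name__ == "__main__":
    for key, reasons in find_suspicious(SAMPLE_EXPORT).items():
        print(f"[{key}]: " + "; ".join(reasons))
```

Run it against a full `regedit /e` export of the Notify key and only the subkeys that fail one of the three checks are reported.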
-
Watchman, L2Mfix has been updated.
I'm on my way to work,
but could I get you to delete your version of L2Mfix,
redownload it, please, and reinstall?
Download L2mfix from here:
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer; it may appear that nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
-
Hi, I've removed my existing L2MFix and replaced it with the version in your previous post. I've also run another HijackThis log.
L2MFIX find log 1.03
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6m05j1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E73EDE8B-5A10-D4CB-B4C5-7D11228C70D7}"=""
********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.url"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}"=""
"{C9FB244E-D8B1-4B77-9C3B-78684680793F}"=""
********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\InprocServer32]
@="C:\\WINDOWS\\system32\\uwlmon.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
********************************************************************************
**
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
bqdispl.dll Thu Mar 10 2005 12:34:40p ..S.R 232,808 227.35 K
ceyptui.dll Thu Mar 10 2005 4:54:24p ..S.R 232,556 227.11 K
cxmsvcs.dll Mon Mar 14 2005 10:00:34a ..S.R 234,558 229.06 K
debugg.dll Mon Mar 7 2005 9:55:32a A.... 0 0.00 K
dkmclien.dll Tue Mar 15 2005 2:30:44p ..S.R 233,036 227.57 K
dz3j.dll Thu Mar 10 2005 4:47:38p ..S.R 235,408 229.89 K
en88l1~1.dll Thu Mar 10 2005 4:06:52p ..S.R 233,164 227.70 K
gccoll~1.dll Fri Dec 31 2004 3:00:00p A.... 134,880 131.72 K
gcmd5q~1.dll Mon Jan 10 2005 9:21:20p A.... 10,752 10.50 K
gcunco~1.dll Fri Dec 31 2004 1:14:32p A.... 130,272 127.22 K
hashlib.dll Fri Dec 31 2004 3:00:00p A.... 81,120 79.22 K
hr6m05~1.dll Wed Mar 16 2005 7:40:08a ..S.R 233,741 228.26 K
ikcvid.dll Fri Mar 11 2005 7:52:00a ..S.R 234,748 229.25 K
il50_qcx.dll Fri Mar 11 2005 7:37:54a ..S.R 233,944 228.46 K
ioircl.dll Fri Mar 11 2005 7:09:14a ..S.R 232,556 227.11 K
ipsutil.dll Mon Mar 14 2005 9:25:32a ..S.R 232,824 227.37 K
iwsecsnp.dll Thu Mar 10 2005 5:27:14p ..S.R 236,260 230.72 K
jrsd400.dll Mon Mar 14 2005 4:57:10p ..S.R 233,188 227.72 K
k280lc~1.dll Fri Mar 11 2005 6:10:50p ..S.R 233,150 227.68 K
kadnec.dll Thu Mar 10 2005 7:59:42a ..S.R 233,732 228.25 K
kcuser.dll Mon Mar 14 2005 7:08:02a ..S.R 234,718 229.21 K
ksdmac.dll Fri Mar 11 2005 8:00:02a ..S.R 234,764 229.26 K
lebfcur.dll Mon Mar 14 2005 8:07:16a ..S.R 235,659 230.13 K
lzxlmpm.dll Thu Mar 10 2005 7:52:42a ..S.R 232,736 227.28 K
mlvcr71.dll Fri Mar 11 2005 7:32:40a ..S.R 234,792 229.29 K
mnmxsdk.dll Wed Mar 16 2005 7:16:08a ..S.R 233,741 228.26 K
mqihnd.dll Fri Mar 11 2005 7:46:40a ..S.R 234,213 228.72 K
muaatext.dll Fri Mar 11 2005 9:41:50a ..S.R 233,150 227.68 K
mv8ql9~1.dll Thu Mar 10 2005 12:16:36p ..S.R 234,397 228.90 K
mvn2l9~1.dll Thu Mar 10 2005 9:38:42a ..S.R 232,853 227.39 K
mvpol9~1.dll Thu Mar 10 2005 5:45:48p ..S.R 233,935 228.45 K
mzrd3x40.dll Wed Mar 16 2005 8:14:56a ..S.R 233,741 228.26 K
nawrssl.dll Thu Mar 10 2005 3:46:40p ..S.R 233,180 227.71 K
nbrszhc.dll Fri Mar 11 2005 8:23:46a ..S.R 236,003 230.47 K
ntwrsru.dll Fri Mar 11 2005 6:12:12p ..S.R 234,718 229.21 K
paofmap.dll Thu Mar 10 2005 9:45:12a ..S.R 235,596 230.07 K
pdlstore.dll Thu Mar 10 2005 4:51:36p ..S.R 235,804 230.28 K
pirfdisk.dll Tue Mar 8 2005 5:29:26p ..S.R 232,736 227.28 K
pyrfproc.dll Tue Mar 8 2005 5:29:20p ..S.R 232,736 227.28 K
r2p80c~1.dll Wed Mar 16 2005 8:14:56a ..S.R 234,613 229.11 K
rccres.dll Thu Mar 10 2005 4:44:38p ..S.R 235,122 229.61 K
rzched20.dll Fri Mar 11 2005 7:55:48a ..S.R 234,213 228.72 K
s32evnt1.dll Mon Dec 20 2004 6:58:18p A.... 83,664 81.70 K
skrio600.dll Thu Mar 10 2005 9:38:42a ..S.R 235,596 230.07 K
smlights.dll Thu Mar 10 2005 1:43:22p ..S.R 233,787 228.30 K
snc.dll Thu Mar 10 2005 1:02:00p ..S.R 233,446 227.97 K
swndmail.dll Fri Mar 11 2005 7:27:14a ..S.R 233,944 228.46 K
symneti.dll Fri Jan 21 2005 10:31:54p A.... 513,752 501.71 K
symredir.dll Fri Jan 21 2005 10:31:52p A.... 141,016 137.71 K
syrialui.dll Thu Mar 10 2005 1:57:24p ..S.R 234,917 229.41 K
tjd32.dll Thu Mar 10 2005 1:17:00p ..S.R 233,787 228.30 K
tvkwks.dll Thu Mar 10 2005 5:45:50p ..S.R 232,556 227.11 K
ukrv42a.dll Mon Mar 14 2005 10:13:48a ..S.R 232,824 227.37 K
uwlmon.dll Wed Mar 16 2005 7:41:12a ..S.R 233,036 227.57 K
wssdmoe2.dll Thu Mar 10 2005 3:48:52p ..S.R 235,122 229.61 K
55 items found: 55 files (47 H/S), 0 directories.
Total of file sizes: 12,093,564 bytes 11.53 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
guard.tmp Wed Mar 16 2005 8:17:30a ..S.R 233,741 228.26 K
1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,741 bytes 228.26 K
********************************************************************************
**
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C8DC-65E8
Directory of C:\WINDOWS\System32
03/16/2005 08:17 AM 233,741 guard.tmp
03/16/2005 08:14 AM 233,741 mzrd3x40.dll
03/16/2005 08:14 AM 234,613 r2p80c7uef.dll
03/16/2005 07:41 AM 233,036 uwlmon.dll
03/16/2005 07:40 AM 233,741 hr6m05j1e.dll
03/16/2005 07:16 AM 233,741 mnmxsdk.dll
03/15/2005 02:30 PM 233,036 dkmclien.dll
03/14/2005 04:57 PM 233,188 jrsd400.dll
03/14/2005 10:13 AM 232,824 ukrv42a.dll
03/14/2005 10:00 AM 234,558 cxmsvcs.dll
03/14/2005 09:25 AM 232,824 ipsutil.dll
03/14/2005 08:07 AM 235,659 LEBFCUR.DLL
03/14/2005 07:08 AM 234,718 kcuser.dll
03/11/2005 06:12 PM 234,718 ntwrsru.dll
03/11/2005 06:10 PM 233,150 k280lclm1fqa.dll
03/11/2005 09:41 AM 233,150 muaatext.dll
03/11/2005 08:23 AM 236,003 nbrszhc.dll
03/11/2005 08:00 AM 234,764 ksdmac.dll
03/11/2005 07:55 AM 234,213 rzched20.dll
03/11/2005 07:51 AM 234,748 ikcvid.dll
03/11/2005 07:46 AM 234,213 mqihnd.dll
03/11/2005 07:37 AM 233,944 il50_qcx.dll
03/11/2005 07:32 AM 234,792 mlvcr71.dll
03/11/2005 07:27 AM 233,944 swndmail.dll
03/11/2005 07:09 AM 232,556 ioircl.dll
03/10/2005 05:45 PM 232,556 tvkwks.dll
03/10/2005 05:45 PM 233,935 mvpol9731.dll
03/10/2005 05:27 PM 236,260 iwsecsnp.dll
03/10/2005 04:54 PM 232,556 ceyptui.dll
03/10/2005 04:51 PM 235,804 pdlstore.dll
03/10/2005 04:47 PM 235,408 dz3j.dll
03/10/2005 04:44 PM 235,122 RCCRES.dll
03/10/2005 04:06 PM 233,164 en88l1lu1.dll
03/10/2005 03:48 PM 235,122 wssdmoe2.dll
03/10/2005 03:46 PM 233,180 nawrssl.dll
03/10/2005 01:57 PM 234,917 syrialui.dll
03/10/2005 01:43 PM 233,787 SMLights.dll
03/10/2005 01:16 PM 233,787 tjd32.dll
03/10/2005 01:01 PM 233,446 snc.dll
03/10/2005 12:58 PM <DIR> dllcache
03/10/2005 12:34 PM 232,808 bqdispl.dll
03/10/2005 12:16 PM 234,397 mv8ql9l51.dll
03/10/2005 09:45 AM 235,596 paofmap.dll
03/10/2005 09:38 AM 235,596 skrio600.dll
03/10/2005 09:38 AM 232,853 mvn2l95o1.dll
03/10/2005 07:59 AM 233,732 kadnec.dll
03/10/2005 07:52 AM 232,736 lzxlmpm.dll
03/08/2005 05:29 PM 232,736 pirfdisk.dll
03/08/2005 05:29 PM 232,736 pyrfproc.dll
08/13/2003 08:32 AM <DIR> Microsoft
48 File(s) 11,231,849 bytes
2 Dir(s) 82,691,264,512 bytes free
Here is the HijackThis log as well.
Logfile of HijackThis v1.99.1
Scan saved at 10:25:34 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\NoteTab Pro\NotePro.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\hr6m05j1e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks again for the continued assistance!
-
Let's see if the new version works for you
Try running this from Normal mode
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
NOTE: After restart and L2MFIX finishes scanning for files, give this time to finish.
If a text doesn't open, run the "second.bat" located inside the L2mfix folder.
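The fix above works on the HKLM\...\Winlogon\Notify key: l2mfix exports it, kills explorer.exe and rundll32.exe so the injected DLL can be removed, and then prints the export so the helper can check which notification packages remain. As an added example (not code from the thread, from l2mfix or from HijackThis), the Python script below parses such a regedit export, decodes the hex(2) DllName values (REG_EXPAND_SZ stored as UTF-16LE) that the export shows for crypt32chain, Schedule and termsrv, and flags any package whose DLL is not in a known-good baseline. The baseline is a per-machine list constructed from the entries visible in this thread's l2mfix export, not an authoritative Windows list; the sample export is constructed from two genuine entries in that log plus the ShellScrap package and DLL path that the O20 line in the HijackThis log reported.

```python
import re

# Registry path of the Winlogon notification packages (the key l2mfix exports and locks).
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Known-good packages on this XP SP2 machine. Constructed from the Notify export in the
# thread's l2mfix log; a per-machine baseline, not an authoritative Windows list.
BASELINE = {
    'crypt32chain': 'crypt32.dll', 'cryptnet': 'cryptnet.dll', 'cscdll': 'cscdll.dll',
    'ScCertProp': 'wlnotify.dll', 'Schedule': 'wlnotify.dll', 'sclgntfy': 'sclgntfy.dll',
    'SensLogn': 'wlnotify.dll', 'termsrv': 'wlnotify.dll', 'wlballoon': 'wlnotify.dll',
    'wzcnotif': 'wzcdlg.dll',
}

# Constructed sample export: two genuine entries copied from the thread's log plus the
# ShellScrap package that the O20 line in the HijackThis log pointed at.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6m05j1e.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
'''


def decode_value(raw):
    """Decode one regedit value: "string", dword:, hex(2): (UTF-16LE REG_EXPAND_SZ) or hex:."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside string values.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if m.group(1) in ('2', '7'):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: decoded_value}}."""
    keys = {}
    current = None
    # A trailing backslash continues a hex value on the next line; rejoin those first.
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit_notify(keys):
    """Return (package, dll, reason) for every Notify subkey that deviates from BASELINE."""
    findings = []
    prefix = NOTIFY_KEY.lower() + '\\'
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        package = path[len(prefix):]
        # The value name is DllName or DLLName depending on who wrote the key; match case-insensitively.
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        expected = next((d for p, d in BASELINE.items() if p.lower() == package.lower()), None)
        if expected is None:
            findings.append((package, dll, 'package not in baseline'))
        elif dll is None or dll.lower() != expected.lower():
            findings.append((package, dll, f'DllName differs from baseline ({expected})'))
    return findings


if __name__ == '__main__':
    for package, dll, reason in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f'{package:<14} {dll!s:<40} {reason}')
```

Run against the export that l2mfix prints in its log (or against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` from an administrator prompt), a clean machine yields no findings; on this thread's earlier state it would report ShellScrap and its DLL, which is what the helper was reading off the O20 line by hand. Any entry that carries a full path into system32 under a random name, or a Logon/Logoff pair named WinLogon/WinLogoff rather than a real export symbol, deserves a look even when its package name sounds plausible.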
-
Well it looks like we got it! Here are the logs of HijackThis and the l2mfix:
Logfile of HijackThis v1.99.1
Scan saved at 11:52:01 AM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
L2Mfix 1.03
Running From:
C:\Documents and Settings\cc\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\cc\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\cc\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 416 'explorer.exe'
Killing PID 416 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1136 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\bqdispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ceyptui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cxmsvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkmclien.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dz3j.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en88l1lu1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ikcvid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\il50_qcx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ioircl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipsutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwsecsnp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jrsd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k280lclm1fqa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadnec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcuser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdinbe1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdmac.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LEBFCUR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lzxlmpm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlvcr71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnmxsdk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqihnd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muaatext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ql9l51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvn2l95o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvpol9731.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzrd3x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nawrssl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbrszhc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ntwrsru.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8n8li5u18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\paofmap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pdlstore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pirfdisk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pyrfproc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCRES.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzched20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skrio600.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SMLights.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\solwid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swndmail.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\syrialui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tjd32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tvkwks.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ukrv42a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uwlmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wssdmoe2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtvdmoe.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\bqdispl.dll
Successfully Deleted: C:\WINDOWS\system32\bqdispl.dll
deleting: C:\WINDOWS\system32\ceyptui.dll
Successfully Deleted: C:\WINDOWS\system32\ceyptui.dll
deleting: C:\WINDOWS\system32\cxmsvcs.dll
Successfully Deleted: C:\WINDOWS\system32\cxmsvcs.dll
deleting: C:\WINDOWS\system32\dkmclien.dll
Successfully Deleted: C:\WINDOWS\system32\dkmclien.dll
deleting: C:\WINDOWS\system32\dz3j.dll
Successfully Deleted: C:\WINDOWS\system32\dz3j.dll
deleting: C:\WINDOWS\system32\en88l1lu1.dll
Successfully Deleted: C:\WINDOWS\system32\en88l1lu1.dll
deleting: C:\WINDOWS\system32\ikcvid.dll
Successfully Deleted: C:\WINDOWS\system32\ikcvid.dll
deleting: C:\WINDOWS\system32\il50_qcx.dll
Successfully Deleted: C:\WINDOWS\system32\il50_qcx.dll
deleting: C:\WINDOWS\system32\ioircl.dll
Successfully Deleted: C:\WINDOWS\system32\ioircl.dll
deleting: C:\WINDOWS\system32\ipsutil.dll
Successfully Deleted: C:\WINDOWS\system32\ipsutil.dll
deleting: C:\WINDOWS\system32\iwsecsnp.dll
Successfully Deleted: C:\WINDOWS\system32\iwsecsnp.dll
deleting: C:\WINDOWS\system32\jrsd400.dll
Successfully Deleted: C:\WINDOWS\system32\jrsd400.dll
deleting: C:\WINDOWS\system32\k280lclm1fqa.dll
Successfully Deleted: C:\WINDOWS\system32\k280lclm1fqa.dll
deleting: C:\WINDOWS\system32\kadnec.dll
Successfully Deleted: C:\WINDOWS\system32\kadnec.dll
deleting: C:\WINDOWS\system32\kcuser.dll
Successfully Deleted: C:\WINDOWS\system32\kcuser.dll
deleting: C:\WINDOWS\system32\kkdinbe1.dll
Successfully Deleted: C:\WINDOWS\system32\kkdinbe1.dll
deleting: C:\WINDOWS\system32\ksdmac.dll
Successfully Deleted: C:\WINDOWS\system32\ksdmac.dll
deleting: C:\WINDOWS\system32\LEBFCUR.DLL
Successfully Deleted: C:\WINDOWS\system32\LEBFCUR.DLL
deleting: C:\WINDOWS\system32\lzxlmpm.dll
Successfully Deleted: C:\WINDOWS\system32\lzxlmpm.dll
deleting: C:\WINDOWS\system32\mlvcr71.dll
Successfully Deleted: C:\WINDOWS\system32\mlvcr71.dll
deleting: C:\WINDOWS\system32\mnmxsdk.dll
Successfully Deleted: C:\WINDOWS\system32\mnmxsdk.dll
deleting: C:\WINDOWS\system32\mqihnd.dll
Successfully Deleted: C:\WINDOWS\system32\mqihnd.dll
deleting: C:\WINDOWS\system32\muaatext.dll
Successfully Deleted: C:\WINDOWS\system32\muaatext.dll
deleting: C:\WINDOWS\system32\mv8ql9l51.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ql9l51.dll
deleting: C:\WINDOWS\system32\mvn2l95o1.dll
Successfully Deleted: C:\WINDOWS\system32\mvn2l95o1.dll
deleting: C:\WINDOWS\system32\mvpol9731.dll
Successfully Deleted: C:\WINDOWS\system32\mvpol9731.dll
deleting: C:\WINDOWS\system32\mzrd3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mzrd3x40.dll
deleting: C:\WINDOWS\system32\nawrssl.dll
Successfully Deleted: C:\WINDOWS\system32\nawrssl.dll
deleting: C:\WINDOWS\system32\nbrszhc.dll
Successfully Deleted: C:\WINDOWS\system32\nbrszhc.dll
deleting: C:\WINDOWS\system32\ntwrsru.dll
Successfully Deleted: C:\WINDOWS\system32\ntwrsru.dll
deleting: C:\WINDOWS\system32\p8n8li5u18.dll
Successfully Deleted: C:\WINDOWS\system32\p8n8li5u18.dll
deleting: C:\WINDOWS\system32\paofmap.dll
Successfully Deleted: C:\WINDOWS\system32\paofmap.dll
deleting: C:\WINDOWS\system32\pdlstore.dll
Successfully Deleted: C:\WINDOWS\system32\pdlstore.dll
deleting: C:\WINDOWS\system32\pirfdisk.dll
Successfully Deleted: C:\WINDOWS\system32\pirfdisk.dll
deleting: C:\WINDOWS\system32\pyrfproc.dll
Successfully Deleted: C:\WINDOWS\system32\pyrfproc.dll
deleting: C:\WINDOWS\system32\RCCRES.dll
Successfully Deleted: C:\WINDOWS\system32\RCCRES.dll
deleting: C:\WINDOWS\system32\rzched20.dll
Successfully Deleted: C:\WINDOWS\system32\rzched20.dll
deleting: C:\WINDOWS\system32\skrio600.dll
Successfully Deleted: C:\WINDOWS\system32\skrio600.dll
deleting: C:\WINDOWS\system32\SMLights.dll
Successfully Deleted: C:\WINDOWS\system32\SMLights.dll
deleting: C:\WINDOWS\system32\snc.dll
Successfully Deleted: C:\WINDOWS\system32\snc.dll
deleting: C:\WINDOWS\system32\solwid.dll
Successfully Deleted: C:\WINDOWS\system32\solwid.dll
deleting: C:\WINDOWS\system32\swndmail.dll
Successfully Deleted: C:\WINDOWS\system32\swndmail.dll
deleting: C:\WINDOWS\system32\syrialui.dll
Successfully Deleted: C:\WINDOWS\system32\syrialui.dll
deleting: C:\WINDOWS\system32\tjd32.dll
Successfully Deleted: C:\WINDOWS\system32\tjd32.dll
deleting: C:\WINDOWS\system32\tvkwks.dll
Successfully Deleted: C:\WINDOWS\system32\tvkwks.dll
deleting: C:\WINDOWS\system32\ukrv42a.dll
Successfully Deleted: C:\WINDOWS\system32\ukrv42a.dll
deleting: C:\WINDOWS\system32\uwlmon.dll
Successfully Deleted: C:\WINDOWS\system32\uwlmon.dll
deleting: C:\WINDOWS\system32\wssdmoe2.dll
Successfully Deleted: C:\WINDOWS\system32\wssdmoe2.dll
deleting: C:\WINDOWS\system32\wtvdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wtvdmoe.dll
Zipping up files for submission:
adding: bqdispl.dll (164 bytes security) (deflated 4%)
adding: ceyptui.dll (164 bytes security) (deflated 4%)
adding: cxmsvcs.dll (164 bytes security) (deflated 5%)
adding: dkmclien.dll (164 bytes security) (deflated 4%)
adding: dz3j.dll (164 bytes security) (deflated 5%)
adding: en88l1lu1.dll (164 bytes security) (deflated 4%)
adding: ikcvid.dll (164 bytes security) (deflated 5%)
adding: il50_qcx.dll (164 bytes security) (deflated 5%)
adding: ioircl.dll (164 bytes security) (deflated 4%)
adding: ipsutil.dll (164 bytes security) (deflated 4%)
adding: iwsecsnp.dll (164 bytes security) (deflated 6%)
adding: jrsd400.dll (164 bytes security) (deflated 4%)
adding: k280lclm1fqa.dll (164 bytes security) (deflated 4%)
adding: kadnec.dll (164 bytes security) (deflated 5%)
adding: kcuser.dll (164 bytes security) (deflated 5%)
adding: kkdinbe1.dll (164 bytes security) (deflated 5%)
adding: ksdmac.dll (164 bytes security) (deflated 5%)
adding: LEBFCUR.DLL (164 bytes security) (deflated 5%)
adding: lzxlmpm.dll (164 bytes security) (deflated 4%)
adding: mlvcr71.dll (164 bytes security) (deflated 5%)
adding: mnmxsdk.dll (164 bytes security) (deflated 5%)
adding: mqihnd.dll (164 bytes security) (deflated 5%)
adding: muaatext.dll (164 bytes security) (deflated 4%)
adding: mv8ql9l51.dll (164 bytes security) (deflated 5%)
adding: mvn2l95o1.dll (164 bytes security) (deflated 4%)
adding: mvpol9731.dll (164 bytes security) (deflated 5%)
adding: mzrd3x40.dll (164 bytes security) (deflated 5%)
adding: nawrssl.dll (164 bytes security) (deflated 4%)
adding: nbrszhc.dll (164 bytes security) (deflated 6%)
adding: ntwrsru.dll (164 bytes security) (deflated 5%)
adding: p8n8li5u18.dll (164 bytes security) (deflated 5%)
adding: paofmap.dll (164 bytes security) (deflated 5%)
adding: pdlstore.dll (164 bytes security) (deflated 5%)
adding: pirfdisk.dll (164 bytes security) (deflated 4%)
adding: pyrfproc.dll (164 bytes security) (deflated 4%)
adding: RCCRES.dll (164 bytes security) (deflated 5%)
adding: rzched20.dll (164 bytes security) (deflated 5%)
adding: skrio600.dll (164 bytes security) (deflated 5%)
adding: SMLights.dll (164 bytes security) (deflated 5%)
adding: snc.dll (164 bytes security) (deflated 5%)
adding: solwid.dll (164 bytes security) (deflated 5%)
adding: swndmail.dll (164 bytes security) (deflated 5%)
adding: syrialui.dll (164 bytes security) (deflated 5%)
adding: tjd32.dll (164 bytes security) (deflated 5%)
adding: tvkwks.dll (164 bytes security) (deflated 4%)
adding: ukrv42a.dll (164 bytes security) (deflated 4%)
adding: uwlmon.dll (164 bytes security) (deflated 4%)
adding: wssdmoe2.dll (164 bytes security) (deflated 5%)
adding: wtvdmoe.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 78%)
adding: backregs/A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF.reg (164 bytes security) (deflated 70%)
adding: backregs/C9FB244E-D8B1-4B77-9C3B-78684680793F.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: bqdispl.dll
deleting local copy: ceyptui.dll
deleting local copy: cxmsvcs.dll
deleting local copy: dkmclien.dll
deleting local copy: dz3j.dll
deleting local copy: en88l1lu1.dll
deleting local copy: ikcvid.dll
deleting local copy: il50_qcx.dll
deleting local copy: ioircl.dll
deleting local copy: ipsutil.dll
deleting local copy: iwsecsnp.dll
deleting local copy: jrsd400.dll
deleting local copy: k280lclm1fqa.dll
deleting local copy: kadnec.dll
deleting local copy: kcuser.dll
deleting local copy: kkdinbe1.dll
deleting local copy: ksdmac.dll
deleting local copy: LEBFCUR.DLL
deleting local copy: lzxlmpm.dll
deleting local copy: mlvcr71.dll
deleting local copy: mnmxsdk.dll
deleting local copy: mqihnd.dll
deleting local copy: muaatext.dll
deleting local copy: mv8ql9l51.dll
deleting local copy: mvn2l95o1.dll
deleting local copy: mvpol9731.dll
deleting local copy: mzrd3x40.dll
deleting local copy: nawrssl.dll
deleting local copy: nbrszhc.dll
deleting local copy: ntwrsru.dll
deleting local copy: p8n8li5u18.dll
deleting local copy: paofmap.dll
deleting local copy: pdlstore.dll
deleting local copy: pirfdisk.dll
deleting local copy: pyrfproc.dll
deleting local copy: RCCRES.dll
deleting local copy: rzched20.dll
deleting local copy: skrio600.dll
deleting local copy: SMLights.dll
deleting local copy: snc.dll
deleting local copy: solwid.dll
deleting local copy: swndmail.dll
deleting local copy: syrialui.dll
deleting local copy: tjd32.dll
deleting local copy: tvkwks.dll
deleting local copy: ukrv42a.dll
deleting local copy: uwlmon.dll
deleting local copy: wssdmoe2.dll
deleting local copy: wtvdmoe.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bqdispl.dll
C:\WINDOWS\system32\ceyptui.dll
C:\WINDOWS\system32\cxmsvcs.dll
C:\WINDOWS\system32\dkmclien.dll
C:\WINDOWS\system32\dz3j.dll
C:\WINDOWS\system32\en88l1lu1.dll
C:\WINDOWS\system32\ikcvid.dll
C:\WINDOWS\system32\il50_qcx.dll
C:\WINDOWS\system32\ioircl.dll
C:\WINDOWS\system32\ipsutil.dll
C:\WINDOWS\system32\iwsecsnp.dll
C:\WINDOWS\system32\jrsd400.dll
C:\WINDOWS\system32\k280lclm1fqa.dll
C:\WINDOWS\system32\kadnec.dll
C:\WINDOWS\system32\kcuser.dll
C:\WINDOWS\system32\kkdinbe1.dll
C:\WINDOWS\system32\ksdmac.dll
C:\WINDOWS\system32\LEBFCUR.DLL
C:\WINDOWS\system32\lzxlmpm.dll
C:\WINDOWS\system32\mlvcr71.dll
C:\WINDOWS\system32\mnmxsdk.dll
C:\WINDOWS\system32\mqihnd.dll
C:\WINDOWS\system32\muaatext.dll
C:\WINDOWS\system32\mv8ql9l51.dll
C:\WINDOWS\system32\mvn2l95o1.dll
C:\WINDOWS\system32\mvpol9731.dll
C:\WINDOWS\system32\mzrd3x40.dll
C:\WINDOWS\system32\nawrssl.dll
C:\WINDOWS\system32\nbrszhc.dll
C:\WINDOWS\system32\ntwrsru.dll
C:\WINDOWS\system32\p8n8li5u18.dll
C:\WINDOWS\system32\paofmap.dll
C:\WINDOWS\system32\pdlstore.dll
C:\WINDOWS\system32\pirfdisk.dll
C:\WINDOWS\system32\pyrfproc.dll
C:\WINDOWS\system32\RCCRES.dll
C:\WINDOWS\system32\rzched20.dll
C:\WINDOWS\system32\skrio600.dll
C:\WINDOWS\system32\SMLights.dll
C:\WINDOWS\system32\snc.dll
C:\WINDOWS\system32\solwid.dll
C:\WINDOWS\system32\swndmail.dll
C:\WINDOWS\system32\syrialui.dll
C:\WINDOWS\system32\tjd32.dll
C:\WINDOWS\system32\tvkwks.dll
C:\WINDOWS\system32\ukrv42a.dll
C:\WINDOWS\system32\uwlmon.dll
C:\WINDOWS\system32\wssdmoe2.dll
C:\WINDOWS\system32\wtvdmoe.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}"=-
"{C9FB244E-D8B1-4B77-9C3B-78684680793F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Let me know what you think, and thanks again for all your help!
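The export above lists the Winlogon\Notify subkeys that survived the cleanup (the stock termsrv, wlballoon and wzcnotif entries, each pointing at wlnotify.dll or wzcdlg.dll), and the file list shows the kind of random-named DLLs in system32 that an extra Notify subkey of the sort this thread was chasing would load at logon. As an added example, not code from this thread or from l2mfix, VX2Find or any other tool named here, the Python below parses a REGEDIT4 export of that key, decodes the hex(2) form regedit uses for a REG_EXPAND_SZ DllName (including the backslash continuation lines seen above), and reports any Notify subkey whose DLL is not on a small allowlist. The allowlist, the sample export, the subkey named samplekey and the file example0.dll are all constructed for this example.

```python
"""Audit Winlogon\\Notify entries in a REGEDIT4 export.

Added example for this thread; not code from the thread, l2mfix, VX2Find or any
other tool named here. Every name below is a hypothetical helper.
"""
import ntpath
import re
from typing import Dict, List, Tuple

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumption: a local allowlist built from the DLLs the export above shows under
# the stock XP subkeys. It is not a vendor-published reference list.
KNOWN_GOOD_DLLS = {"wlnotify.dll", "wzcdlg.dll"}

# Constructed sample export: two entries shaped like the real ones above, plus a
# hypothetical extra subkey ("samplekey") pointing at a made-up DLL in system32.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="TSEventLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\samplekey]
"DllName"="C:\\WINDOWS\\system32\\example0.dll"
"Logon"="WinLogon"
"Impersonate"=dword:00000000
'''


def _logical_lines(text: str) -> List[str]:
    """Join regedit's hex continuation lines (trailing backslash) into single lines."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def _decode_value(raw: str) -> str:
    """Decode a REGEDIT4 value token: quoted REG_SZ, hex(2) REG_EXPAND_SZ, else verbatim."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # regedit escapes both backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)", raw, re.IGNORECASE)
    if m:
        octets = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        # REG_EXPAND_SZ is stored as NUL-terminated UTF-16-LE
        return octets.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in the export to its {name: decoded value} pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, eq, value = line.partition("=")
        if current is None or not eq:
            continue
        keys[current][name.strip().strip('"')] = _decode_value(value.strip())
    return keys


def audit_notify(text: str, allow=KNOWN_GOOD_DLLS) -> List[Tuple[str, str, bool]]:
    """Return (subkey, dll, suspicious) for every Winlogon\\Notify subkey in the export."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        subkey = key[len(NOTIFY_PREFIX):]
        # Value names are case-insensitive; the export above spells it both DllName and DLLName.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        # A missing DllName or one outside the allowlist is flagged for manual review.
        suspicious = ntpath.basename(dll).lower() not in allow
        findings.append((subkey, dll, suspicious))
    return findings


if __name__ == "__main__":
    for subkey, dll, suspicious in audit_notify(SAMPLE_EXPORT):
        print(f"{'REVIEW' if suspicious else 'ok    '} {subkey:<12} {dll or '<no DllName>'}")
```

Running the script against the constructed export marks termsrv and wzcnotif as ok and lists samplekey for review; a real audit would feed it the output of `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` (saved as ANSI/REGEDIT4 format) and compare the flagged DLLs against what the remaining tools report, rather than deleting anything on the script's say-so.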
-
I think that's got it :)
If everything is running better
You should disable system restore---restart your computer---enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
FYI: IE-Spyad also works with Windows XP SP2
-
I want to thank you again for your patience and assistance through this.
I've downloaded the tools you've suggested and will certainly use them. This infection I got occurred with updated versions of both Spy Sweeper and Norton's actively running, without either giving an alert. This was a bad one....
Thanks again!
-
Thanks for posting back
I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread
Take Care