Author Topic: alcan.a worm wont remove! (Read 2570 times)

Hauken · « **on:** January 22, 2006, 07:43:18 AM »

i've been infected by the alcan.a worm. and i've tried to remove it with adaware, Spybot and other anti-virus programs, but it wont go away. i have also read threads in this forum, and tried to do the same that they did, but that did'nt work eighter.. So i hope someone can help me.

Here is the highjacklog:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:42, on 22.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Ahead\InCD\InCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\OfficeScan NT\ClnScUpd.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\userinit.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\Documents and Settings\Idrett\Skrivebord\hijackthis.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programfiler\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [xp] p2pnetworking.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\out\Office\OSA9.EXE
O4 - Global Startup: Snarvei til ClnScUpd.lnk = C:\OfficeScan NT\ClnScUpd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O17 - HKLM\Software\..\Telephony: DomainName = haugesund.kommune.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\n6n6lg5s16.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programfiler\Network Monitor\netmon.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programfiler\TightVNC\WinVNC.exe" -service (file missing)

guestolo · « **Reply #1 on:** January 22, 2006, 12:31:32 PM »

Hi Hauken, can you do the following please

When I ask you too download a zip file, make sure you choose SAVE TO DISK rather than Open
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Please download Brute Force Uninstaller
Unzip it to the folder (C:\BFU)

[color=\"#CC0000\"]RIGHT CLICK HERE[/color]
and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
Save it in the folder you made earlier (c:\BFU)

Open My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute field copy and paste the line below, between the dotted lines

===========================
c:\bfu\p2pnetwork.bfu
===========================

Press execute and let it do it’s job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot the computer

Back in Windows
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

[color=\"red\"]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.[/color]

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first and letting me see a log

Hauken · « **Reply #2 on:** January 23, 2006, 10:05:07 AM »

L2MFIX find log 010406
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n6l8lg3u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\e4200efmeh2a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B4DF9F27-197C-8036-B08C-1F1CAF7D2531}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Skallutvidelser for filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Hurtigmeny for kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Skallutvidelser for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kj›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verkt›y"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verkt›ylinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="B†ndproxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-s›k"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-b†nd"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="F† en passport-veiviser"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Oppl›s dokumentordner."
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}"="iSQL*Plus Servers"
"{2F603045-309F-11CF-9774-0020AFD0CFF6}"="Synaptics Control Panel"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{56BEA948-21E6-4F9E-A876-12E3720D4EC5}"=""
"{37E85524-33B5-4533-ADBC-6B514F7D90AD}"=""
"{0647DB30-8C15-408E-83F3-E5596575C72F}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\eqexch32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\InprocServer32]
@="C:\\WINDOWS\\system32\\euentlog.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\InprocServer32]
@="C:\\WINDOWS\\system32\\simedia.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu 24 Nov 2005 1:39:22 A.... 1 022 464 998,50 K
danim.dll Sat 5 Nov 2005 4:20:34 A.... 1 054 720 1,00 M
enp4l1~1.dll Mon 23 Jan 2006 15:47:40 ..S.R 236 138 230,60 K
euentlog.dll Sun 22 Jan 2006 20:51:44 ..S.R 235 023 229,51 K
gdi32.dll Thu 29 Dec 2005 3:56:08 A.... 280 064 273,50 K
mshtml.dll Thu 24 Nov 2005 1:39:24 A.... 3 013 632 2,87 M
n6l8lg~1.dll Mon 23 Jan 2006 15:33:20 ..S.R 234 166 228,68 K
shdocvw.dll Thu 1 Dec 2005 4:33:22 A.... 1 492 480 1,42 M
simedia.dll Mon 23 Jan 2006 16:00:18 ..S.R 234 166 228,68 K
sirenacm.dll Wed 14 Dec 2005 0:24:42 A.... 118 784 116,00 K
urlmon.dll Sat 5 Nov 2005 4:20:40 A.... 604 160 590,00 K

11 items found: 11 files (4 H/S), 0 directories.
Total of file sizes: 8 525 797 bytes 8,13 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
Volumet i stasjon C er uten navn.
Volumserienummeret er 0C66-D8B2

Innhold i C:\WINDOWS\System32

23.01.2006 16:00 234ÿ166 simedia.dll
23.01.2006 15:47 236ÿ138 enp4l17q1.dll
23.01.2006 15:33 234ÿ166 n6l8lg3u16.dll
22.01.2006 20:51 235ÿ023 euentlog.dll
20.01.2006 22:50 <DIR> dllcache
08.11.2004 09:56 <DIR> Microsoft
4 fil(er) 939ÿ493 byte
2 mappe® 32ÿ431ÿ054ÿ848 byte ledig

guestolo · « **Reply #3 on:** January 23, 2006, 05:26:18 PM »

Log off all other users on your machine

Close all other open windows
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log.
Post this log back here please, along with a fresh hijackthis log

Hauken · « **Reply #4 on:** January 24, 2006, 07:10:51 AM »

L2mfix 010406
Creating Account.
Kommandoen er fullf›rt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)

Logfile of HijackThis v1.99.1
Scan saved at 13:06:52, on 24.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Ahead\InCD\InCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\OfficeScan NT\ClnScUpd.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Idrett\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programfiler\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\out\Office\OSA9.EXE
O4 - Global Startup: Snarvei til ClnScUpd.lnk = C:\OfficeScan NT\ClnScUpd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O17 - HKLM\Software\..\Telephony: DomainName = haugesund.kommune.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\hr6805jue.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\e4200efmeh2a0.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programfiler\Network Monitor\netmon.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programfiler\TightVNC\WinVNC.exe" -service (file missing)

I think that the alcan.a worm is gone now, because it does'nt apeer in the anti-virus program anymore, but i keep getting all this advertisments popups in internet explorer.. and the ewido program is telling me that i'm affected with some spyware cald look2me.

guestolo · « **Reply #5 on:** January 24, 2006, 10:03:14 AM »

Quote

and the ewido program is telling me that i'm affected with some spyware cald look2me.

Yup, that's what we're after with L2Mfix, but it didn't run properly
Can you do the following please.
Open Ewido, under the Main screen>>Under Additional
Remove the GUARD please
It may be interfering
Reboot the computer if prompted

Back in Windows

Again, do the following
Close all other open windows
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log.
Post this log back here please, along with a fresh hijackthis log

NOTE: Don't press any keys when it's prompting for a Password when running the fix
You should only have to press a key when it asks to reboot

Can you give me the official spelling of
administrators in your language please
I want to make sure L2MFix has been updated to apply to your spelling, thanks
If not, we'll work around it

Hauken · « **Reply #6 on:** February 12, 2006, 08:43:41 AM »

ok, here i the log from the l2mfix:

L2MFIX find log 010406
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n6l8lg3u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\e4200efmeh2a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B4DF9F27-197C-8036-B08C-1F1CAF7D2531}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Skallutvidelser for filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Hurtigmeny for kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Skallutvidelser for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kj›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verkt›y"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verkt›ylinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="B†ndproxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-s›k"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-b†nd"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="F† en passport-veiviser"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Oppl›s dokumentordner."
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}"="iSQL*Plus Servers"
"{2F603045-309F-11CF-9774-0020AFD0CFF6}"="Synaptics Control Panel"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{56BEA948-21E6-4F9E-A876-12E3720D4EC5}"=""
"{37E85524-33B5-4533-ADBC-6B514F7D90AD}"=""
"{0647DB30-8C15-408E-83F3-E5596575C72F}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\eqexch32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\InprocServer32]
@="C:\\WINDOWS\\system32\\euentlog.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\InprocServer32]
@="C:\\WINDOWS\\system32\\simedia.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu 24 Nov 2005 1:39:22 A.... 1 022 464 998,50 K
danim.dll Sat 5 Nov 2005 4:20:34 A.... 1 054 720 1,00 M
enp4l1~1.dll Mon 23 Jan 2006 15:47:40 ..S.R 236 138 230,60 K
euentlog.dll Sun 22 Jan 2006 20:51:44 ..S.R 235 023 229,51 K
gdi32.dll Thu 29 Dec 2005 3:56:08 A.... 280 064 273,50 K
mshtml.dll Thu 24 Nov 2005 1:39:24 A.... 3 013 632 2,87 M
n6l8lg~1.dll Mon 23 Jan 2006 15:33:20 ..S.R 234 166 228,68 K
shdocvw.dll Thu 1 Dec 2005 4:33:22 A.... 1 492 480 1,42 M
simedia.dll Mon 23 Jan 2006 16:00:18 ..S.R 234 166 228,68 K
sirenacm.dll Wed 14 Dec 2005 0:24:42 A.... 118 784 116,00 K
urlmon.dll Sat 5 Nov 2005 4:20:40 A.... 604 160 590,00 K

11 items found: 11 files (4 H/S), 0 directories.
Total of file sizes: 8 525 797 bytes 8,13 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
Volumet i stasjon C er uten navn.
Volumserienummeret er 0C66-D8B2

Innhold i C:\WINDOWS\System32

23.01.2006 16:00 234ÿ166 simedia.dll
23.01.2006 15:47 236ÿ138 enp4l17q1.dll
23.01.2006 15:33 234ÿ166 n6l8lg3u16.dll
22.01.2006 20:51 235ÿ023 euentlog.dll
20.01.2006 22:50 <DIR> dllcache
08.11.2004 09:56 <DIR> Microsoft
4 fil(er) 939ÿ493 byte
2 mappe® 32ÿ431ÿ054ÿ848 byte ledig

And administrators is spelled "administratorer" in my language.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #7 on:** February 12, 2006, 02:46:55 PM »

Too much time has passed since your last post
Can I please see a fresh hijackthis log
By the way
Administrators, is it spelled like this
Administratörer<<--notice the o

Hauken · « **Reply #8 on:** February 14, 2006, 07:17:56 AM »

yes, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 13:14:15, on 14.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Ahead\InCD\InCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\OfficeScan NT\ClnScUpd.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\userinit.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Idrett\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programfiler\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\out\Office\OSA9.EXE
O4 - Global Startup: Snarvei til ClnScUpd.lnk = C:\OfficeScan NT\ClnScUpd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O17 - HKLM\Software\..\Telephony: DomainName = haugesund.kommune.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\m0ls0a37ed.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\hr6805jue.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\hr6805jue.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programfiler\Network Monitor\netmon.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programfiler\TightVNC\WinVNC.exe" -service (file missing)

and administrators is spelled "administratorer", with an o, not an ö or ø.

guestolo · « **Reply #9 on:** February 14, 2006, 11:54:38 AM »

Can you do the following please

Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\hr6805jue.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\hr6805jue.dll (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Programfiler\Network Monitor\netmon.exe (file missing)

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in windows,
Can you delete your copies of 'L2mfix' folder and l2mfix.exe
If Trend Micro's officescan has any spyware realtime protections or script blocking abilities enabled
It's important that you temporarily disable these before running the below
It may, and probably will interfere with the next steps

Download from below L2Mfix.zip, UNZIP this to your desktop so you now have a new 'l2mfix' folder extracted to desktop
Log Off any other users on the machine

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter on the keyboard.
It will process then start.
Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log.

[color=\"red\"]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!![/color]
If after the reboot the log does not open double click on it in the l2mfix folder.

1. Copy the contents of that log and paste it back into this thread
2. Post a fresh hijackthis log

IMPORTANT NOTE: When running L2Mfix.bat you should only have to press 2 and Enter
And any key again after the fix
No additional steps are required
If you get any error messages on screen when running the fix, let me know about it
It's very important so that we can do alternate procedures

<Attachment removed>

Hauken · « **Reply #10 on:** February 15, 2006, 09:33:36 AM »

here is the l2mfix log:
L2mfix 010406
Creating Account.
Kommandoen er fullf›rt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 732 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 828 'winlogon.exe'
Killing PID 828 'winlogon.exe'
Killing PID 828 'winlogon.exe'
Killing PID 828 'winlogon.exe'
Killing PID 828 'winlogon.exe'
Killing PID 828 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 564 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1952 'rundll32.exe'
Killing PID 1952 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratorer ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
1 fil(er) ble kopiert.
Deleting: C:\WINDOWS\system32\dDnim.dll
Successfully Deleted: C:\WINDOWS\system32\dDnim.dll
Deleting: C:\WINDOWS\system32\g040lahm1d4a.dll
Successfully Deleted: C:\WINDOWS\system32\g040lahm1d4a.dll
Deleting: C:\WINDOWS\system32\itfgnt5.dll
Successfully Deleted: C:\WINDOWS\system32\itfgnt5.dll
Deleting: C:\WINDOWS\system32\k4800elmehqa0.dll
Successfully Deleted: C:\WINDOWS\system32\k4800elmehqa0.dll
Deleting: C:\WINDOWS\system32\otfox32.dll
Successfully Deleted: C:\WINDOWS\system32\otfox32.dll
Deleting: C:\WINDOWS\system32\OUBCSTF.DLL
Successfully Deleted: C:\WINDOWS\system32\OUBCSTF.DLL
Deleting: C:\WINDOWS\system32\wherrNOR.dll
Successfully Deleted: C:\WINDOWS\system32\wherrNOR.dll

msg11?.dll
0 fil(er) ble kopiert.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4800elmehqa0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,d8,6f,eb,1b,da,cd,2b,46,84,20,e3,42,55,72,cc,ef,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,57,38,b2,d8,63,e8,de,fa,\
3f,d6,ad,34,4d,04,86,cf,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,61,\
49,cc,39,8d,24,04,40,ea,b3,62,a2,4a,30,c6,97,38,03,00,00,67,03,23,c7,6a,09,\
1a,4b,47,08,39,2a,09,33,f6,97,98,76,ec,b5,8b,89,13,42,38,ea,3b,aa,10,5d,59,\
ef,d6,d1,40,b4,04,35,e9,e2,d4,87,d4,6b,82,f0,26,00,a1,38,df,01,8d,b3,c8,6b,\
d0,b2,d8,e4,ec,e8,2d,d7,4b,ed,31,61,5c,a3,fd,60,de,89,30,7e,ad,9d,49,cd,0f,\
ae,8b,b2,e4,73,4f,3b,0c,1a,75,f3,b3,85,17,7b,19,dc,f3,89,34,1b,41,e1,e5,42,\
64,e7,13,0d,fa,01,1e,27,05,8a,1e,8d,0b,a2,ba,02,aa,94,ae,18,c1,94,c1,a3,20,\
ba,a3,28,1a,0f,be,41,d6,ea,9d,f8,47,02,8b,57,9c,f9,e1,89,27,51,c9,77,b9,66,\
69,7a,e6,16,ce,3d,af,67,39,3b,29,49,72,56,27,56,62,7f,07,ea,bb,02,20,03,aa,\
cc,94,9c,b2,be,61,e6,b8,a3,c6,7a,6e,27,ff,a3,51,12,cf,60,9b,ff,78,99,eb,90,\
4e,e2,28,ec,a2,c3,78,95,d7,91,06,2a,93,61,94,c5,e9,33,e2,3c,ab,fe,54,f2,a7,\
78,bf,00,f5,2e,16,90,1e,e1,c5,5c,dd,5d,c6,cc,c4,16,e9,a9,6e,05,16,dc,39,f7,\
56,0e,1f,d5,bf,41,f1,9d,d9,26,fe,8b,88,4c,44,90,a1,e0,c5,4b,1d,5f,4e,0d,b8,\
ab,90,e2,93,d4,f3,dd,02,b1,1e,24,72,14,5e,fc,b8,9a,ee,10,9f,bf,35,56,97,f4,\
8a,8c,60,7e,4d,b3,14,ce,f0,31,eb,0e,a0,a5,79,e1,78,66,8a,0d,eb,f7,86,68,bf,\
90,89,0b,d9,b3,ab,a0,f4,e5,b4,6a,93,f5,0d,4f,1e,a1,be,6b,05,f0,94,d0,54,3c,\
67,d2,2c,0f,19,68,d7,e6,8f,b9,4e,50,71,4f,84,2b,88,2f,fb,6e,df,f8,a5,64,ef,\
70,c3,9b,7a,3f,d0,a5,a8,64,3f,ff,65,62,e9,3f,55,a9,fa,90,f2,b1,40,c9,25,70,\
17,13,cb,13,a4,de,69,30,fd,d3,b2,4d,32,b0,d3,7a,dc,98,f5,85,1e,c6,d0,b6,45,\
df,c7,03,45,bc,df,a4,ec,73,f3,e7,13,86,68,44,87,38,98,46,b1,76,13,44,0f,8c,\
09,c6,f5,99,98,04,e6,cd,eb,96,9a,2e,c8,36,48,f1,ce,a5,e4,3b,4f,e6,fe,6a,da,\
c1,ca,66,2b,8b,68,e3,8f,4c,2b,7e,c1,c7,2b,ba,66,39,ec,8b,85,9f,de,89,5d,cc,\
48,9d,1c,b8,29,47,ec,e9,2b,55,6f,48,80,18,3d,38,d0,c8,80,19,81,02,3d,30,b3,\
a5,d2,c3,e9,b4,ba,c7,9f,f8,f3,16,15,ae,4d,76,e2,fe,b9,e1,38,9d,9c,45,32,e8,\
bf,15,ed,84,b4,f5,84,08,19,2f,59,11,e8,b7,8c,cf,c1,52,e0,ca,c6,39,8b,eb,3d,\
5e,fe,ab,a7,00,bf,90,ab,1c,36,a4,ae,73,e6,06,be,c5,c9,86,00,a0,64,fe,fe,c0,\
f9,1e,8e,12,18,9a,74,59,8b,1b,68,a3,1a,6f,f9,bd,6d,21,6f,1a,47,ad,da,11,ae,\
fa,31,68,17,1f,a1,4d,5b,43,8b,de,5e,3e,12,a8,77,3a,34,6c,aa,7a,40,4f,3f,6c,\
3d,df,9a,0f,08,70,9f,01,c7,34,04,e9,d5,b3,81,a7,71,3f,f4,42,9c,ff,35,d6,1c,\
e2,f7,e2,cd,ba,41,c5,d9,24,5a,1d,2c,aa,08,43,af,d1,2a,c4,2f,98,80,02,66,b3,\
9a,1b,5f,63,fd,00,cd,ce,90,70,c9,e0,4b,bb,42,25,c9,86,34,91,dc,d9,f9,26,09,\
7c,5e,7b,65,bc,79,dc,fb,86,71,6c,2f,ba,21,12,e8,ac,5b,ef,79,bc,4f,98,a6,b2,\
85,56,84,20,a6,2d,f1,56,d2,89,85,ee,35,a4,9f,07,ce,3e,31,1b,34,fc,af,da,e9,\
f8,9d,e6,13,91,58,85,c4,81,18,52,da,33,7f,fc,f8,6f,f4,24,e0,a4,1e,47,b7,db,\
2c,a8,64,22,3a,a0,fc,8e,42,2e,77,f8,90,7d,33,fe,85,8f,14,00,00,00,8d,a8,25,\
e3,b7,c7,b1,a8,52,8e,50,cc,c4,29,7d,2a,bc,35,6f,70

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dDnim.dll
C:\WINDOWS\system32\g040lahm1d4a.dll
C:\WINDOWS\system32\itfgnt5.dll
C:\WINDOWS\system32\k4800elmehqa0.dll
C:\WINDOWS\system32\otfox32.dll
C:\WINDOWS\system32\OUBCSTF.DLL
C:\WINDOWS\system32\wherrNOR.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\eqexch32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}\InprocServer32]
@="C:\\WINDOWS\\system32\\euentlog.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}\InprocServer32]
@="C:\\WINDOWS\\system32\\itfgnt5.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{56BEA948-21E6-4F9E-A876-12E3720D4EC5}"=-
"{37E85524-33B5-4533-ADBC-6B514F7D90AD}"=-
"{0647DB30-8C15-408E-83F3-E5596575C72F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{56BEA948-21E6-4F9E-A876-12E3720D4EC5}]
[-HKEY_CLASSES_ROOT\CLSID\{37E85524-33B5-4533-ADBC-6B514F7D90AD}]
[-HKEY_CLASSES_ROOT\CLSID\{0647DB30-8C15-408E-83F3-E5596575C72F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/dDnim.dll (164 bytes security) (deflated 4%)
adding: dlls/g040lahm1d4a.dll (164 bytes security) (deflated 5%)
adding: dlls/itfgnt5.dll (164 bytes security) (deflated 4%)
adding: dlls/k4800elmehqa0.dll (164 bytes security) (deflated 4%)
adding: dlls/otfox32.dll (164 bytes security) (deflated 6%)
adding: dlls/OUBCSTF.DLL (164 bytes security) (deflated 5%)
adding: dlls/wherrNOR.dll (164 bytes security) (deflated 5%)
adding: backregs/0647DB30-8C15-408E-83F3-E5596575C72F.reg (212 bytes security) (deflated 70%)
adding: backregs/37E85524-33B5-4533-ADBC-6B514F7D90AD.reg (212 bytes security) (deflated 70%)
adding: backregs/56BEA948-21E6-4F9E-A876-12E3720D4EC5.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 81%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

here is the highjack report..

Logfile of HijackThis v1.99.1
Scan saved at 15:25:40, on 15.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Ahead\InCD\InCD.exe
C:\OfficeScan NT\pccntmon.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\OfficeScan NT\ClnScUpd.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\userinit.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\OfficeScan NT\pccntupd.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Idrett\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programfiler\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\out\Office\OSA9.EXE
O4 - Global Startup: Snarvei til ClnScUpd.lnk = C:\OfficeScan NT\ClnScUpd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O17 - HKLM\Software\..\Telephony: DomainName = haugesund.kommune.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haugesund.kommune.no
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\k4800elmehqa0.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programfiler\TightVNC\WinVNC.exe" -service (file missing)

guestolo · « **Reply #11 on:** February 15, 2006, 11:01:33 PM »

That looks better
Please go back and reenable any realtime protections or script blocking with Trend Micro's officescan
If they were disabled earlier

Can you do the following please
Do a "System scan only" with Hijackthis and put a check next to these entries:

O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\k4800elmehqa0.dll (file missing)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Back in Windows

*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle

msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
[/list]
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point

[indent][color=\"#CC0000\"]Protect yourself against Future Attacks[/color][/i][/b][/indent]
*Install SpywareBlaster 3.5.1 by JavaCool[/url]

After installation, Check for updates and then click the "Enable all protection"
Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

*Keep up to date on Windows updates
Keeping up on all latest High Priority updates with Windows Updates is one of the most important steps in keeping your system secure
If you don't have your computer set to check for Autoupdates
Make a habit every month of checking for High Priority updates

*Check for updates with your anti-spyware programs and run a scan on a regular basis
In addition>>Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Please Immunize after every update
A great compliment to Spybot 1.4 is Ad-Aware SE Personal 1.06
If you don't have this anti-spware program installed I recommend you install it an run it also on a regular basis
Here's a direct download link
Ad-Aware SE Personal 1.06

You may also choose to hold onto Ewido
Ewido will become a Limited version in a couple weeks after installation
It's still a very good scanner to update and run once a month
Please make sure that XP's firewall is enabled if you have no other firewall software on your computer

Stay safe Hauken

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />
I hope everything is well now?

Hauken · « **Reply #12 on:** February 23, 2006, 12:13:49 PM »

yes, it seems to work well now:) Thank you so much for your help:)

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #13 on:** February 23, 2006, 08:26:12 PM »

Glad to help, I'll lock this topic as your problems appear resolved
Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: alcan.a worm wont remove! (Read 2570 times)

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!

Hauken

alcan.a worm wont remove!

guestolo

alcan.a worm wont remove!