0

Hi,

For every internet page I open I get the annoying "Invalid Syntax Error"; also the address bar changes its text, for example from http://www.hotmail.com to http:///?%20www.hotmail.com
I scanned my computer with NoAdware, Spyware Doctor, Spybot S&D, Norton AntiVirus...
I removed the "hotoffer" annoying thing as posted in this forum, but I still think I have the Isearch on my computer.
Following is the log given by "Hijack This" (downloaded today).

I would very much appreciate your help here,
Thanks in advance,
Alex
----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:59:21 AM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\temp\hijackthis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.barak.net.il:8080
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CF76AE8-9809-428F-8452-94BCD0E8DB3B}: NameServer = 212.150.49.10 206.49.94.234
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\aza8lgfu1628.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

6 Contributors, 25 Replies, 26 Views, 12 Years Discussion Span, Last Post by DMR
0

Please make a folder for Hijack This, just for Hijack This, not in the temps. Also close all running programs before scanning with HJT.

0

Thanks for the quick reply.

I made a folder under C:\Program Files\Hijack This and ran it from there.
Also I closed whatever programs I could, including disabling the firewall and antivirus.

Please see log below, Thx !
---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:51:44 AM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\enjql1151.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

0

You don't need to, nor should you, stop any processes that are running, just close any open windows.

From your log, it looks like you're running two antivirus programs (Nod32 and Norton); this can cause problems. You should decide which one you prefer (I'd recommend Nod32) and remove the other.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c7.cab

Be sure all windows are closed, other than HJT, before hitting the Fix button.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Reboot, close any open browser windows, scan with HJT and post a new log please.

0

Hi,

Thanks for your help and advice.
I did as you instructed; you can see the log below.
I still can't surf after connecting to the internet, but now I get only blank pages, probably because I deleted all offline and temp files etc...
The surfing problem is not only with Explorer; I also have Firefox and can't open any page, and any update program such as Norton can't establish a connection.
Currently only the Norton AV is running; I disabled NOD without uninstalling it yet.

Thanks,

------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:18:52 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\duvmgr.dll
O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

0

Ok... I uninstalled NAV and reinstated NOD, so now I just have one AV program, but still no internet :-(

0

Have HJT fix this entry:

O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)

Since you don't have internet access, you will probably need to download these from another computer.

Try IEFix from here:
http://www.majorgeeks.com/download4467.html

Winsockfix may also resolve the problem:
http://www.digitalminds.net/index.pl/downloads

And, you can try Hoster:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Reboot

Close any open browser windows, scan with HJT, and post a new log please.


vx2,enjql1151.dll

0

Thanks again for your help !
I will try what you suggest in a few days as I am away from home, and I will post the new log... hopefully for the last time.

0

Something else detected...

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the update"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Then post a new HJT log.

0

You have morphing/changing "O20 - Winlogon Notify:" entries in your log, which indicate an infection that HJT alone isn't going to be able to fix.

Please do the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
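The "morphing" Winlogon Notify entries DMR refers to are visible in the thread itself: each new log shows a different randomly named DLL under "O20 - Winlogon Notify:", while the legitimate igfxsrvc.dll entry stays put. The following Python script is an added example, not code from the thread, from HijackThis or from L2mfix; it embeds the O20 lines from the four logs posted above as constructed sample input and diffs them log-to-log. The baseline set KNOWN_GOOD and the random-filename heuristic are assumptions made for the example.

```python
"""Flag changing "O20 - Winlogon Notify" entries across a series of HijackThis logs.

Added example (not HijackThis, L2mfix or thread code). The sample logs below are
the O20 lines quoted in this thread; KNOWN_GOOD and the random-name rule are assumptions.
"""
import re

# One O20 line, e.g.:
#   O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<path>.+?\.dll)(?P<missing> \(file missing\))?$",
    re.IGNORECASE,
)

# Assumed baseline of Winlogon notify DLLs expected on a Windows XP machine with Intel
# graphics. A real baseline should come from a clean reference image, not a hard-coded set.
KNOWN_GOOD = {"igfxsrvc.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
              "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# Constructed sample input: the O20 lines from the four logs posted in this thread, oldest first.
LOGS = [
    r"""O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\aza8lgfu1628.dll""",
    r"""O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\enjql1151.dll""",
    r"""O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\duvmgr.dll
O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)""",
    r"""O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\q0ps0a77ed.dll
O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)""",
]


def parse_o20(log_text):
    """Return (notify_name, dll_basename, file_missing) for every O20 line in a log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            base = m.group("path").replace("\\", "/").rsplit("/", 1)[-1].lower()
            entries.append((m.group("name").strip(), base, bool(m.group("missing"))))
    return entries


def looks_random(dll):
    """Heuristic (assumed): a stem mixing several digits with letters, like aza8lgfu1628."""
    stem = dll[:-4] if dll.lower().endswith(".dll") else dll
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 2


def suspicious(entries):
    """Map each DLL outside the baseline to the reasons it was flagged."""
    flagged = {}
    for _name, dll, missing in entries:
        if dll in KNOWN_GOOD:
            continue
        reasons = []
        if looks_random(dll):
            reasons.append("random-looking filename")
        if missing:
            reasons.append("file missing")
        if not reasons:
            reasons.append("not in baseline")
        flagged[dll] = reasons
    return flagged


def morphing(logs):
    """For logs in chronological order, return (added, removed) flagged DLLs at each step.

    A non-empty 'added' alongside a non-empty 'removed' is the morphing pattern: the
    notify DLL is re-created under a new random name after each cleanup attempt.
    """
    changes, prev = [], None
    for log in logs:
        cur = set(suspicious(parse_o20(log)))
        if prev is not None:
            changes.append((sorted(cur - prev), sorted(prev - cur)))
        prev = cur
    return changes


if __name__ == "__main__":
    for i, log in enumerate(LOGS, 1):
        print(f"log {i}: {suspicious(parse_o20(log))}")
    for i, (added, removed) in enumerate(morphing(LOGS), 1):
        print(f"log {i} -> {i + 1}: added {added}, removed {removed}")
```

Run on the thread's own logs, every step reports one flagged DLL disappearing and a new one appearing, which is exactly the pattern that tells a helper the entry is being regenerated rather than merely left behind; deleting the DLL currently named in the log will not end it.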

0

Thanks again!

I tried the following:
iefix - didn't help but also made some mess with my internet explorer, couldn't exactly tell what.
Winsockfix - can't run; it informs me under the heading "16 bit windows subsystem" that "The system file is not suitable for running MS-DOS and MS windows applications" and 'ignore' doesn't help.
hoster - didn't change anything as well.
SpySubtract - I installed and ran CWShredder from there, but it didn't identify any infection, but the spyware scan did remove 3 items.

See HJT latest log below
---------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:44:34 AM, on 4/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12424BE4-9583-41CE-AE5A-62400E63A92B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{12424BE4-9583-41CE-AE5A-62400E63A92B}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\q0ps0a77ed.dll
O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank you too!
If you need, see previous post for latest HJT log.
I installed and ran l2mfix (only option 1, as instructed). It also gave the 16-bit Windows subsystem error, "the system file is not suitable for running in MS-DOS and MS Windows applications...", but clicking "close" gave a log after all; see the log.

Thanks,
-------------------------------
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0ps0a77ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\welcome]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s6rslg9716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7C67FA79-F027-DBCD-624B-2238B6AB26A1}"=""


**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{C4213067-97B3-4929-9B98-B5600FBBBA13}"="TouchED"
"{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}"=""
"{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"="NOD32 Context Menu Shell Extension"
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"


**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvcans32.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}\InprocServer32]
@="C:\\WINDOWS\\system32\\muencode.dll"
"ThreadingModel"="Apartment"


**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C0AC-79E0


Directory of C:\WINDOWS\System32


03/21/2021  07:15 AM           235,686 gp2ol3f31.dll
03/21/2021  07:06 AM           234,363 adifil32.dll
03/21/2021  07:06 AM           235,428 ir60l5jm1.dll
03/21/2021  07:01 AM           236,189 m628lgfu1628.dll
03/21/2019  08:52 AM           236,177 l4j8le1u1h.dll
04/07/2005  12:22 AM           236,154 mvcans32.dll
04/07/2005  12:22 AM           233,230 d2j02c1mgf.dll
04/07/2005  12:03 AM           235,384 oktext32.dll
04/07/2005  12:03 AM           236,154 q0ps0a77ed.dll
04/07/2005  12:03 AM    <DIR>          dllcache
04/06/2005  10:37 PM           235,260 qfgr.dll
03/26/2005  03:31 PM           234,059 gdkcsp.dll
03/26/2005  03:06 PM           235,855 muencode.dll
03/26/2005  03:06 PM           232,581 k4js0e17eh.dll
03/26/2005  02:52 PM           235,029 kq1394.dll
03/25/2005  08:52 PM           234,059 wjnmm.dll
03/25/2005  08:29 PM           232,428 mepmsnsv.dll
03/25/2005  08:18 PM           236,056 wrnhttp.dll
03/25/2005  07:47 PM           235,451 jYvaprxy.dll
03/25/2005  03:54 PM           236,056 kadtuf.dll
03/25/2005  01:32 PM           235,451 fisevent.dll
03/25/2005  11:49 AM           232,979 ufildll.dll
03/25/2005  02:51 AM           235,451 lqgif11n.dll
03/25/2005  02:47 AM           233,309 udrcntra.dll
03/25/2005  02:16 AM           232,729 dfvvox.dll
03/25/2005  02:07 AM           233,309 wnpcore.dll
03/25/2005  01:42 AM           232,729 cladmin.dll
03/24/2005  02:43 PM           235,467 nf4_disp.dll
03/24/2005  02:35 PM           235,467 mbdimap.dll
03/24/2005  02:19 PM           232,651 hrn8055ue.dll
03/24/2005  02:05 PM           234,547 wepcore.dll
03/24/2005  01:40 PM           232,816 dhsenh.dll
03/24/2005  01:37 PM           232,816 winotify.dll
03/24/2005  01:37 PM           233,119 fp0o03d3e.dll
03/24/2005  01:30 PM           232,816 vqrsion.dll
03/24/2005  01:30 PM           233,369 fpnq0355e.dll
03/24/2005  01:21 PM           232,816 ncprint.dll
03/24/2005  01:18 PM           232,816 i4nmle511h.dll
03/24/2005  12:58 PM           232,816 dkcompos.dll
03/24/2005  12:58 PM           234,095 mvp2l97o1.dll
03/24/2005  12:41 PM           232,816 mwnsspc.dll
03/24/2005  12:41 PM           234,240 i424lefq1h2e.dll
03/24/2005  11:53 AM           236,144 inwdial.dll
03/24/2005  11:49 AM           234,698 rkpsnd.dll
03/24/2005  11:37 AM           234,698 tpd32.dll
03/24/2005  11:37 AM           234,976 l8p20i7oe8.dll
03/21/2005  03:12 PM           234,698 mtl_hp.dll
03/21/2005  03:12 PM           233,049 n0n6la5s1d.dll
03/21/2005  03:05 PM           233,248 mfexch40.dll
03/21/2005  02:54 PM           233,248 svmpapi.dll
03/21/2005  01:54 PM           233,248 oqbccr32.dll
03/21/2005  01:54 PM           233,248 iwakui.dll
03/21/2005  01:52 PM           236,177 Igetwh32.dll
03/21/2005  01:52 PM           232,595 fp4s03h7e.dll
03/21/2005  06:56 AM           234,363 olbcjt32.dll
03/15/2005  09:01 AM           233,683 s0880aluedq80.dll
03/15/2005  08:01 AM           233,683 mhjetoledb40.dll
03/15/2005  07:47 AM           234,363 kudmlt48.dll
03/14/2005  01:45 PM           233,683 dnmv2clt.dll
03/14/2005  01:22 PM           234,363 mfwdat10.dll
03/14/2005  09:53 AM           233,683 mctext40.dll
03/13/2005  05:08 PM           233,683 kadfi.dll
03/13/2005  04:24 PM           235,139 izrdbg32.dll
03/13/2005  04:10 PM           233,683 ckyptnet.dll
03/13/2005  03:39 PM           234,237 ajifil32.dll
03/13/2005  03:16 PM           233,074 kcdusx.dll
03/13/2005  02:10 PM           233,074 scpblb.dll
03/12/2005  09:08 AM           234,565 mv4sdmod.dll
03/12/2005  07:29 AM           234,124 mvtext40.dll
03/12/2005  03:23 AM           232,736 kldgkl.dll
03/12/2005  03:12 AM           232,736 owesvr32.dll
04/29/2003  10:23 AM    <DIR>          Microsoft
70 File(s)     16,389,122 bytes
2 Dir(s)  33,026,019,328 bytes free

Edited by Nick Evan: Fixed formatting
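The find log above lists every Winlogon Notify handler; the stock handlers register a bare DLL file name, while the Setup and welcome entries point at randomly named DLLs under system32 by absolute path. As an added example that is not the thread's, L2MFix's or HijackThis's own code, this Python script parses that regedit export, decodes the hex(2) DllName values (UTF-16LE bytes), and flags handlers outside an assumed known-good baseline drawn from the log's stock entries.

```python
"""Triage the Winlogon\\Notify section of an L2MFix find log.

Added example for this thread; it is not part of the thread, of
L2MFix or of HijackThis. The log is a regedit 5.00 export, so this
parses that text format, decodes each subkey's DllName (plain string
or hex(2) REG_EXPAND_SZ, which regedit writes as UTF-16LE bytes) and
flags handlers whose DLL is not in a known-good baseline.
"""
import re

# Baseline of notification DLLs taken from the stock entries in the
# thread's own log (assumption: treat these bare names as known good).
KNOWN_GOOD = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def decode_value(raw):
    """Decode one .reg value: "string", dword:xxxxxxxx or hex(n):bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        # regedit escapes backslash and double quote with a backslash
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded_value}} for Notify subkeys."""
    # regedit wraps long hex values with a trailing backslash; rejoin them
    text = re.sub(r",\\\r?\n\s*", ",", text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            km = KEY_RE.match(line)
            current = km.group(1) if km else None
            if km:
                entries[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            entries[current][vm.group(1)] = decode_value(vm.group(2))
    return entries


def suspicious_handlers(entries):
    """List (subkey, dll) pairs whose DLL name is outside KNOWN_GOOD.

    Stock handlers are registered by bare file name; the thread's
    Setup and welcome entries instead give an absolute system32 path
    to a randomly named DLL, which is the pattern flagged here.
    """
    flagged = []
    for subkey, values in entries.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if not isinstance(dll, str) or not dll:
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_GOOD:
            flagged.append((subkey, dll))
    return flagged


# Constructed sample modelled on three entries from the thread's find log.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0ps0a77ed.dll"
"Logon"="WinLogon"
'''

if __name__ == "__main__":
    for subkey, dll in suspicious_handlers(parse_notify_export(SAMPLE_EXPORT)):
        print(f"suspicious Winlogon Notify handler {subkey!r} -> {dll}")
```

Run against the full find log, the same check also flags the welcome entry, whose DLL the HijackThis O20 line already reports as missing.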


Thanks for the L2M log; it (unfortunately) shows a lot of "nasties". We're going to run L2mFix again, but this time we'll actually have it perform its fixes:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.


Thanks again for your time and help!

I did as you instructed.
Following are both logs, first the HJT, followed by the L2M log.
Also, I tried connecting the computer to my home network, and when I tried renewing the IP I got the following error; I don't know if this helps, but here it is:
"C:\Documents and Settings\tmira>ipconfig /renew
Windows IP Configuration
An error occurred while renewing interface Local Area Connection : The requested
service provider could not be loaded or initialized."

Thanks for your time...

--------------------------------------------------------
L2Mfix 1.03


Running From:
C:\Documents and Settings\tmira\Desktop\l2mfix


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting registry permissions:



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!



Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry



Registry Permissions set too:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting up for Reboot



Starting Reboot!


C:\Documents and Settings\tmira\Desktop\l2mfix
System Rebooted!


Running From:
C:\Documents and Settings\tmira\Desktop\l2mfix


killing explorer and rundll32.exe


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1560 'explorer.exe'
Killing PID 1560 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 480 'rundll32.exe'


Scanning First Pass. Please Wait!


First Pass Completed


Second Pass Scanning


Second pass Completed!
Backing Up: C:\WINDOWS\system32\adifil32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\afifile.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ajifil32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ckyptnet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cladmin.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cqyptsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dfvvox.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhsenh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnmv2clt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fisevent.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp0o03d3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp4s03h7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpnq0355e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gdkcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp2ol3f31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr2u05f9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrn8055ue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i424lefq1h2e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i4nmle511h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Igetwh32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\inwdial.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir60l5jm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwakui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izrdbg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jYvaprxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4js0e17eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadfi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadtuf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcdusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldgkl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kq1394.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kudmlt48.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l48mlel11hq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l4j8le1u1h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l8p20i7oe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lqgif11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m628lgfu1628.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbdimap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mctext40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mepmsnsv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfexch40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfwdat10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhjetoledb40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtl_hp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muencode.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv4sdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvcans32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvp2l97o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvtext40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwnsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n0n6la5s1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ncprint.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nf4_disp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oktext32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\olbcjt32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oqbccr32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\owesvr32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qfgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rkpsnd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0880aluedq80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\scpblb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\svmpapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tpd32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\udrcntra.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ufildll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vqrsion.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wepcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\winotify.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjnmm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wnpcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wrnhttp.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\adifil32.dll
Successfully Deleted: C:\WINDOWS\system32\adifil32.dll
deleting: C:\WINDOWS\system32\afifile.dll
Successfully Deleted: C:\WINDOWS\system32\afifile.dll
deleting: C:\WINDOWS\system32\ajifil32.dll
Successfully Deleted: C:\WINDOWS\system32\ajifil32.dll
deleting: C:\WINDOWS\system32\ckyptnet.dll
Successfully Deleted: C:\WINDOWS\system32\ckyptnet.dll
deleting: C:\WINDOWS\system32\cladmin.dll
Successfully Deleted: C:\WINDOWS\system32\cladmin.dll
deleting: C:\WINDOWS\system32\cqyptsvc.dll
Successfully Deleted: C:\WINDOWS\system32\cqyptsvc.dll
deleting: C:\WINDOWS\system32\dfvvox.dll
Successfully Deleted: C:\WINDOWS\system32\dfvvox.dll
deleting: C:\WINDOWS\system32\dhsenh.dll
Successfully Deleted: C:\WINDOWS\system32\dhsenh.dll
deleting: C:\WINDOWS\system32\dkcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dkcompos.dll
deleting: C:\WINDOWS\system32\dnmv2clt.dll
Successfully Deleted: C:\WINDOWS\system32\dnmv2clt.dll
deleting: C:\WINDOWS\system32\fisevent.dll
Successfully Deleted: C:\WINDOWS\system32\fisevent.dll
deleting: C:\WINDOWS\system32\fp0o03d3e.dll
Successfully Deleted: C:\WINDOWS\system32\fp0o03d3e.dll
deleting: C:\WINDOWS\system32\fp4s03h7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp4s03h7e.dll
deleting: C:\WINDOWS\system32\fpnq0355e.dll
Successfully Deleted: C:\WINDOWS\system32\fpnq0355e.dll
deleting: C:\WINDOWS\system32\gdkcsp.dll
Successfully Deleted: C:\WINDOWS\system32\gdkcsp.dll
deleting: C:\WINDOWS\system32\gp2ol3f31.dll
Successfully Deleted: C:\WINDOWS\system32\gp2ol3f31.dll
deleting: C:\WINDOWS\system32\hr2u05f9e.dll
Successfully Deleted: C:\WINDOWS\system32\hr2u05f9e.dll
deleting: C:\WINDOWS\system32\hrn8055ue.dll
Successfully Deleted: C:\WINDOWS\system32\hrn8055ue.dll
deleting: C:\WINDOWS\system32\i424lefq1h2e.dll
Successfully Deleted: C:\WINDOWS\system32\i424lefq1h2e.dll
deleting: C:\WINDOWS\system32\i4nmle511h.dll
Successfully Deleted: C:\WINDOWS\system32\i4nmle511h.dll
deleting: C:\WINDOWS\system32\Igetwh32.dll
Successfully Deleted: C:\WINDOWS\system32\Igetwh32.dll
deleting: C:\WINDOWS\system32\inwdial.dll
Successfully Deleted: C:\WINDOWS\system32\inwdial.dll
deleting: C:\WINDOWS\system32\ir60l5jm1.dll
Successfully Deleted: C:\WINDOWS\system32\ir60l5jm1.dll
deleting: C:\WINDOWS\system32\iwakui.dll
Successfully Deleted: C:\WINDOWS\system32\iwakui.dll
deleting: C:\WINDOWS\system32\izrdbg32.dll
Successfully Deleted: C:\WINDOWS\system32\izrdbg32.dll
deleting: C:\WINDOWS\system32\jYvaprxy.dll
Successfully Deleted: C:\WINDOWS\system32\jYvaprxy.dll
deleting: C:\WINDOWS\system32\k4js0e17eh.dll
Successfully Deleted: C:\WINDOWS\system32\k4js0e17eh.dll
deleting: C:\WINDOWS\system32\kadfi.dll
Successfully Deleted: C:\WINDOWS\system32\kadfi.dll
deleting: C:\WINDOWS\system32\kadtuf.dll
Successfully Deleted: C:\WINDOWS\system32\kadtuf.dll
deleting: C:\WINDOWS\system32\kcdusx.dll
Successfully Deleted: C:\WINDOWS\system32\kcdusx.dll
deleting: C:\WINDOWS\system32\kldgkl.dll
Successfully Deleted: C:\WINDOWS\system32\kldgkl.dll
deleting: C:\WINDOWS\system32\kq1394.dll
Successfully Deleted: C:\WINDOWS\system32\kq1394.dll
deleting: C:\WINDOWS\system32\kudmlt48.dll
Successfully Deleted: C:\WINDOWS\system32\kudmlt48.dll
deleting: C:\WINDOWS\system32\l48mlel11hq.dll
Successfully Deleted: C:\WINDOWS\system32\l48mlel11hq.dll
deleting: C:\WINDOWS\system32\l4j8le1u1h.dll
Successfully Deleted: C:\WINDOWS\system32\l4j8le1u1h.dll
deleting: C:\WINDOWS\system32\l8p20i7oe8.dll
Successfully Deleted: C:\WINDOWS\system32\l8p20i7oe8.dll
deleting: C:\WINDOWS\system32\lqgif11n.dll
Successfully Deleted: C:\WINDOWS\system32\lqgif11n.dll
deleting: C:\WINDOWS\system32\m628lgfu1628.dll
Successfully Deleted: C:\WINDOWS\system32\m628lgfu1628.dll
deleting: C:\WINDOWS\system32\mbdimap.dll
Successfully Deleted: C:\WINDOWS\system32\mbdimap.dll
deleting: C:\WINDOWS\system32\mctext40.dll
Successfully Deleted: C:\WINDOWS\system32\mctext40.dll
deleting: C:\WINDOWS\system32\mepmsnsv.dll
Successfully Deleted: C:\WINDOWS\system32\mepmsnsv.dll
deleting: C:\WINDOWS\system32\mfexch40.dll
Successfully Deleted: C:\WINDOWS\system32\mfexch40.dll
deleting: C:\WINDOWS\system32\mfwdat10.dll
Successfully Deleted: C:\WINDOWS\system32\mfwdat10.dll
deleting: C:\WINDOWS\system32\mhjetoledb40.dll
Successfully Deleted: C:\WINDOWS\system32\mhjetoledb40.dll
deleting: C:\WINDOWS\system32\mtl_hp.dll
Successfully Deleted: C:\WINDOWS\system32\mtl_hp.dll
deleting: C:\WINDOWS\system32\muencode.dll
Successfully Deleted: C:\WINDOWS\system32\muencode.dll
deleting: C:\WINDOWS\system32\mv4sdmod.dll
Successfully Deleted: C:\WINDOWS\system32\mv4sdmod.dll
deleting: C:\WINDOWS\system32\mvcans32.dll
Successfully Deleted: C:\WINDOWS\system32\mvcans32.dll
deleting: C:\WINDOWS\system32\mvp2l97o1.dll
Successfully Deleted: C:\WINDOWS\system32\mvp2l97o1.dll
deleting: C:\WINDOWS\system32\mvtext40.dll
Successfully Deleted: C:\WINDOWS\system32\mvtext40.dll
deleting: C:\WINDOWS\system32\mwnsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mwnsspc.dll
deleting: C:\WINDOWS\system32\n0n6la5s1d.dll
Successfully Deleted: C:\WINDOWS\system32\n0n6la5s1d.dll
deleting: C:\WINDOWS\system32\ncprint.dll
Successfully Deleted: C:\WINDOWS\system32\ncprint.dll
deleting: C:\WINDOWS\system32\nf4_disp.dll
Successfully Deleted: C:\WINDOWS\system32\nf4_disp.dll
deleting: C:\WINDOWS\system32\oktext32.dll
Successfully Deleted: C:\WINDOWS\system32\oktext32.dll
deleting: C:\WINDOWS\system32\olbcjt32.dll
Successfully Deleted: C:\WINDOWS\system32\olbcjt32.dll
deleting: C:\WINDOWS\system32\oqbccr32.dll
Successfully Deleted: C:\WINDOWS\system32\oqbccr32.dll
deleting: C:\WINDOWS\system32\owesvr32.dll
Successfully Deleted: C:\WINDOWS\system32\owesvr32.dll
deleting: C:\WINDOWS\system32\qfgr.dll
Successfully Deleted: C:\WINDOWS\system32\qfgr.dll
deleting: C:\WINDOWS\system32\rkpsnd.dll
Successfully Deleted: C:\WINDOWS\system32\rkpsnd.dll
deleting: C:\WINDOWS\system32\s0880aluedq80.dll
Successfully Deleted: C:\WINDOWS\system32\s0880aluedq80.dll
deleting: C:\WINDOWS\system32\scpblb.dll
Successfully Deleted: C:\WINDOWS\system32\scpblb.dll
deleting: C:\WINDOWS\system32\svmpapi.dll
Successfully Deleted: C:\WINDOWS\system32\svmpapi.dll
deleting: C:\WINDOWS\system32\tpd32.dll
Successfully Deleted: C:\WINDOWS\system32\tpd32.dll
deleting: C:\WINDOWS\system32\udrcntra.dll
Successfully Deleted: C:\WINDOWS\system32\udrcntra.dll
deleting: C:\WINDOWS\system32\ufildll.dll
Successfully Deleted: C:\WINDOWS\system32\ufildll.dll
deleting: C:\WINDOWS\system32\vqrsion.dll
Successfully Deleted: C:\WINDOWS\system32\vqrsion.dll
deleting: C:\WINDOWS\system32\wepcore.dll
Successfully Deleted: C:\WINDOWS\system32\wepcore.dll
deleting: C:\WINDOWS\system32\winotify.dll
Successfully Deleted: C:\WINDOWS\system32\winotify.dll
deleting: C:\WINDOWS\system32\wjnmm.dll
Successfully Deleted: C:\WINDOWS\system32\wjnmm.dll
deleting: C:\WINDOWS\system32\wnpcore.dll
Successfully Deleted: C:\WINDOWS\system32\wnpcore.dll
deleting: C:\WINDOWS\system32\wrnhttp.dll
Successfully Deleted: C:\WINDOWS\system32\wrnhttp.dll



Zipping up files for submission:
adding: adifil32.dll (164 bytes security) (deflated 5%)
adding: afifile.dll (164 bytes security) (deflated 5%)
adding: ajifil32.dll (164 bytes security) (deflated 5%)
adding: ckyptnet.dll (164 bytes security) (deflated 5%)
adding: cladmin.dll (164 bytes security) (deflated 4%)
adding: cqyptsvc.dll (164 bytes security) (deflated 5%)
adding: dfvvox.dll (164 bytes security) (deflated 4%)
adding: dhsenh.dll (164 bytes security) (deflated 4%)
adding: dkcompos.dll (164 bytes security) (deflated 4%)
adding: dnmv2clt.dll (164 bytes security) (deflated 5%)
adding: fisevent.dll (164 bytes security) (deflated 5%)
adding: fp0o03d3e.dll (164 bytes security) (deflated 4%)
adding: fp4s03h7e.dll (164 bytes security) (deflated 4%)
adding: fpnq0355e.dll (164 bytes security) (deflated 4%)
adding: gdkcsp.dll (164 bytes security) (deflated 5%)
adding: gp2ol3f31.dll (164 bytes security) (deflated 5%)
adding: hr2u05f9e.dll (164 bytes security) (deflated 5%)
adding: hrn8055ue.dll (164 bytes security) (deflated 4%)
adding: i424lefq1h2e.dll (164 bytes security) (deflated 5%)
adding: i4nmle511h.dll (164 bytes security) (deflated 4%)
adding: Igetwh32.dll (164 bytes security) (deflated 6%)
adding: inwdial.dll (164 bytes security) (deflated 5%)
adding: ir60l5jm1.dll (164 bytes security) (deflated 5%)
adding: iwakui.dll (164 bytes security) (deflated 4%)
adding: izrdbg32.dll (164 bytes security) (deflated 5%)
adding: jYvaprxy.dll (164 bytes security) (deflated 5%)
adding: k4js0e17eh.dll (164 bytes security) (deflated 4%)
adding: kadfi.dll (164 bytes security) (deflated 5%)
adding: kadtuf.dll (164 bytes security) (deflated 6%)
adding: kcdusx.dll (164 bytes security) (deflated 4%)
adding: kldgkl.dll (164 bytes security) (deflated 4%)
adding: kq1394.dll (164 bytes security) (deflated 5%)
adding: kudmlt48.dll (164 bytes security) (deflated 5%)
adding: l48mlel11hq.dll (164 bytes security) (deflated 4%)
adding: l4j8le1u1h.dll (164 bytes security) (deflated 6%)
adding: l8p20i7oe8.dll (164 bytes security) (deflated 5%)
adding: lqgif11n.dll (164 bytes security) (deflated 5%)
adding: m628lgfu1628.dll (164 bytes security) (deflated 6%)
adding: mbdimap.dll (164 bytes security) (deflated 5%)
adding: mctext40.dll (164 bytes security) (deflated 5%)
adding: mepmsnsv.dll (164 bytes security) (deflated 4%)
adding: mfexch40.dll (164 bytes security) (deflated 4%)
adding: mfwdat10.dll (164 bytes security) (deflated 5%)
adding: mhjetoledb40.dll (164 bytes security) (deflated 5%)
adding: mtl_hp.dll (164 bytes security) (deflated 5%)
adding: muencode.dll (164 bytes security) (deflated 6%)
adding: mv4sdmod.dll (164 bytes security) (deflated 5%)
adding: mvcans32.dll (164 bytes security) (deflated 6%)
adding: mvp2l97o1.dll (164 bytes security) (deflated 5%)
adding: mvtext40.dll (164 bytes security) (deflated 5%)
adding: mwnsspc.dll (164 bytes security) (deflated 4%)
adding: n0n6la5s1d.dll (164 bytes security) (deflated 4%)
adding: ncprint.dll (164 bytes security) (deflated 4%)
adding: nf4_disp.dll (164 bytes security) (deflated 5%)
adding: oktext32.dll (164 bytes security) (deflated 5%)
adding: olbcjt32.dll (164 bytes security) (deflated 5%)
adding: oqbccr32.dll (164 bytes security) (deflated 4%)
adding: owesvr32.dll (164 bytes security) (deflated 4%)
adding: qfgr.dll (164 bytes security) (deflated 5%)
adding: rkpsnd.dll (164 bytes security) (deflated 5%)
adding: s0880aluedq80.dll (164 bytes security) (deflated 5%)
adding: scpblb.dll (164 bytes security) (deflated 4%)
adding: svmpapi.dll (164 bytes security) (deflated 4%)
adding: tpd32.dll (164 bytes security) (deflated 5%)
adding: udrcntra.dll (164 bytes security) (deflated 4%)
adding: ufildll.dll (164 bytes security) (deflated 4%)
adding: vqrsion.dll (164 bytes security) (deflated 4%)
adding: wepcore.dll (164 bytes security) (deflated 5%)
adding: winotify.dll (164 bytes security) (deflated 4%)
adding: wjnmm.dll (164 bytes security) (deflated 5%)
adding: wnpcore.dll (164 bytes security) (deflated 4%)
adding: wrnhttp.dll (164 bytes security) (deflated 6%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 88%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (deflated 16%)
adding: test3.txt (164 bytes security) (deflated 16%)
adding: test5.txt (164 bytes security) (deflated 16%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/5BA09F61-CA0D-4FB4-AADE-0264A2E15350.reg (164 bytes security) (deflated 70%)
adding: backregs/ED4CAB89-20EA-40C2-A3DE-63C8A1389619.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


Restoring Registry Permissions:



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!



Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!



Registry permissions set too:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Restoring Sedebugprivilege:


Granting SeDebugPrivilege to Administrators   ... successful


deleting local copy: adifil32.dll
deleting local copy: afifile.dll
deleting local copy: ajifil32.dll
deleting local copy: ckyptnet.dll
deleting local copy: cladmin.dll
deleting local copy: cqyptsvc.dll
deleting local copy: dfvvox.dll
deleting local copy: dhsenh.dll
deleting local copy: dkcompos.dll
deleting local copy: dnmv2clt.dll
deleting local copy: fisevent.dll
deleting local copy: fp0o03d3e.dll
deleting local copy: fp4s03h7e.dll
deleting local copy: fpnq0355e.dll
deleting local copy: gdkcsp.dll
deleting local copy: gp2ol3f31.dll
deleting local copy: hr2u05f9e.dll
deleting local copy: hrn8055ue.dll
deleting local copy: i424lefq1h2e.dll
deleting local copy: i4nmle511h.dll
deleting local copy: Igetwh32.dll
deleting local copy: inwdial.dll
deleting local copy: ir60l5jm1.dll
deleting local copy: iwakui.dll
deleting local copy: izrdbg32.dll
deleting local copy: jYvaprxy.dll
deleting local copy: k4js0e17eh.dll
deleting local copy: kadfi.dll
deleting local copy: kadtuf.dll
deleting local copy: kcdusx.dll
deleting local copy: kldgkl.dll
deleting local copy: kq1394.dll
deleting local copy: kudmlt48.dll
deleting local copy: l48mlel11hq.dll
deleting local copy: l4j8le1u1h.dll
deleting local copy: l8p20i7oe8.dll
deleting local copy: lqgif11n.dll
deleting local copy: m628lgfu1628.dll
deleting local copy: mbdimap.dll
deleting local copy: mctext40.dll
deleting local copy: mepmsnsv.dll
deleting local copy: mfexch40.dll
deleting local copy: mfwdat10.dll
deleting local copy: mhjetoledb40.dll
deleting local copy: mtl_hp.dll
deleting local copy: muencode.dll
deleting local copy: mv4sdmod.dll
deleting local copy: mvcans32.dll
deleting local copy: mvp2l97o1.dll
deleting local copy: mvtext40.dll
deleting local copy: mwnsspc.dll
deleting local copy: n0n6la5s1d.dll
deleting local copy: ncprint.dll
deleting local copy: nf4_disp.dll
deleting local copy: oktext32.dll
deleting local copy: olbcjt32.dll
deleting local copy: oqbccr32.dll
deleting local copy: owesvr32.dll
deleting local copy: qfgr.dll
deleting local copy: rkpsnd.dll
deleting local copy: s0880aluedq80.dll
deleting local copy: scpblb.dll
deleting local copy: svmpapi.dll
deleting local copy: tpd32.dll
deleting local copy: udrcntra.dll
deleting local copy: ufildll.dll
deleting local copy: vqrsion.dll
deleting local copy: wepcore.dll
deleting local copy: winotify.dll
deleting local copy: wjnmm.dll
deleting local copy: wnpcore.dll
deleting local copy: wrnhttp.dll


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\welcome]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s6rslg9716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



The following are the files found:
****************************************************************************
C:\WINDOWS\system32\adifil32.dll
C:\WINDOWS\system32\afifile.dll
C:\WINDOWS\system32\ajifil32.dll
C:\WINDOWS\system32\ckyptnet.dll
C:\WINDOWS\system32\cladmin.dll
C:\WINDOWS\system32\cqyptsvc.dll
C:\WINDOWS\system32\dfvvox.dll
C:\WINDOWS\system32\dhsenh.dll
C:\WINDOWS\system32\dkcompos.dll
C:\WINDOWS\system32\dnmv2clt.dll
C:\WINDOWS\system32\fisevent.dll
C:\WINDOWS\system32\fp0o03d3e.dll
C:\WINDOWS\system32\fp4s03h7e.dll
C:\WINDOWS\system32\fpnq0355e.dll
C:\WINDOWS\system32\gdkcsp.dll
C:\WINDOWS\system32\gp2ol3f31.dll
C:\WINDOWS\system32\hr2u05f9e.dll
C:\WINDOWS\system32\hrn8055ue.dll
C:\WINDOWS\system32\i424lefq1h2e.dll
C:\WINDOWS\system32\i4nmle511h.dll
C:\WINDOWS\system32\Igetwh32.dll
C:\WINDOWS\system32\inwdial.dll
C:\WINDOWS\system32\ir60l5jm1.dll
C:\WINDOWS\system32\iwakui.dll
C:\WINDOWS\system32\izrdbg32.dll
C:\WINDOWS\system32\jYvaprxy.dll
C:\WINDOWS\system32\k4js0e17eh.dll
C:\WINDOWS\system32\kadfi.dll
C:\WINDOWS\system32\kadtuf.dll
C:\WINDOWS\system32\kcdusx.dll
C:\WINDOWS\system32\kldgkl.dll
C:\WINDOWS\system32\kq1394.dll
C:\WINDOWS\system32\kudmlt48.dll
C:\WINDOWS\system32\l48mlel11hq.dll
C:\WINDOWS\system32\l4j8le1u1h.dll
C:\WINDOWS\system32\l8p20i7oe8.dll
C:\WINDOWS\system32\lqgif11n.dll
C:\WINDOWS\system32\m628lgfu1628.dll
C:\WINDOWS\system32\mbdimap.dll
C:\WINDOWS\system32\mctext40.dll
C:\WINDOWS\system32\mepmsnsv.dll
C:\WINDOWS\system32\mfexch40.dll
C:\WINDOWS\system32\mfwdat10.dll
C:\WINDOWS\system32\mhjetoledb40.dll
C:\WINDOWS\system32\mtl_hp.dll
C:\WINDOWS\system32\muencode.dll
C:\WINDOWS\system32\mv4sdmod.dll
C:\WINDOWS\system32\mvcans32.dll
C:\WINDOWS\system32\mvp2l97o1.dll
C:\WINDOWS\system32\mvtext40.dll
C:\WINDOWS\system32\mwnsspc.dll
C:\WINDOWS\system32\n0n6la5s1d.dll
C:\WINDOWS\system32\ncprint.dll
C:\WINDOWS\system32\nf4_disp.dll
C:\WINDOWS\system32\oktext32.dll
C:\WINDOWS\system32\olbcjt32.dll
C:\WINDOWS\system32\oqbccr32.dll
C:\WINDOWS\system32\owesvr32.dll
C:\WINDOWS\system32\qfgr.dll
C:\WINDOWS\system32\rkpsnd.dll
C:\WINDOWS\system32\s0880aluedq80.dll
C:\WINDOWS\system32\scpblb.dll
C:\WINDOWS\system32\svmpapi.dll
C:\WINDOWS\system32\tpd32.dll
C:\WINDOWS\system32\udrcntra.dll
C:\WINDOWS\system32\ufildll.dll
C:\WINDOWS\system32\vqrsion.dll
C:\WINDOWS\system32\wepcore.dll
C:\WINDOWS\system32\winotify.dll
C:\WINDOWS\system32\wjnmm.dll
C:\WINDOWS\system32\wnpcore.dll
C:\WINDOWS\system32\wrnhttp.dll


Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}"=-
"{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}"=-
[-HKEY_CLASSES_ROOT\CLSID\{ED4CAB89-20EA-40C2-A3DE-63C8A1389619}]
[-HKEY_CLASSES_ROOT\CLSID\{5BA09F61-CA0D-4FB4-AADE-0264A2E15350}]
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


-----------------------------------------------------
-----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:54:53 PM, on 4/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\hijackthis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12424BE4-9583-41CE-AE5A-62400E63A92B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{12424BE4-9583-41CE-AE5A-62400E63A92B}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


0

Have hijackthis fix this line;

O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)

Sometimes qoologic comes with this infection, so we will get you to run a couple more tools to ensure you are clean.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.
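As an added illustration for readers of this thread (it is not part of the thread and is not code from HijackThis, Find It or any of the other tools named here): the O20 line above comes from the Winlogon\Notify key whose export appears in the earlier log, and the export itself is the more complete record, since it shows every subkey and value. The script below parses such an export, decodes the three value encodings it uses (quoted strings, dword, and hex(2) data, which is UTF-16LE in "Version 5.00" exports but single-byte in the REGEDIT4 style the Find It output uses), and lists Notify subkeys whose DllName is not one of the stock notification DLLs. The allowlist is an assumption drawn from the stock entries visible in the export on this page, not an authoritative list, and the sample exports are constructed excerpts in the style of the page's own.

```python
import re
from typing import Dict, List, Tuple

# Assumed allowlist: the bare DLL names carried by the stock Winlogon\Notify
# subkeys in the export posted in this thread (XP SP2). It is an illustration,
# not an authoritative list; extend it from a known-clean machine of the same build.
KNOWN_GOOD_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll",
}

# Constructed sample in the style of the "Version 5.00" export in the thread:
# two stock subkeys (one hex(2) UTF-16LE DllName, one plain string) and the
# "welcome" subkey that names a full path into system32.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\welcome]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s6rslg9716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''

# Constructed sample in the older REGEDIT4 style used by the Find It output,
# where hex(2) data is single-byte text rather than UTF-16LE.
SAMPLE_EXPORT_REGEDIT4 = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
'''


def _logical_lines(text: str) -> List[str]:
    """Join the trailing-backslash continuation lines regedit uses for hex data."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        lines.append(buf + stripped)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw: str, utf16: bool) -> object:
    """Decode one regedit value: "string", dword:, or hex(type): byte lists."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # unescape \\ and \"
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                      # REG_EXPAND_SZ / REG_MULTI_SZ
            text = data.decode("utf-16-le" if utf16 else "latin-1")
            return text.rstrip("\x00")
        return data
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    utf16 = text.lstrip().startswith("Windows Registry Editor Version 5")
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode_value(m.group(2), utf16)
    return keys


def suspicious_notify_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, DllName, reason) for Winlogon\\Notify entries worth a look."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        head, _, sub = key.rpartition("\\")
        if not head.lower().endswith("\\winlogon\\notify"):
            continue                                      # the Notify key itself, or unrelated keys
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_GOOD_NOTIFY_DLLS:
            findings.append((sub, dll, "DllName is not a known stock notification DLL"))
        elif "\\" in dll:
            findings.append((sub, dll, "stock DLL named by full path; stock entries use a bare name"))
    return findings


if __name__ == "__main__":
    for sub, dll, why in suspicious_notify_entries(SAMPLE_EXPORT):
        print(f"{sub}: {dll} -> {why}")
```

Run against the constructed sample it reports only the "welcome" subkey, which is the entry the reply above asks HijackThis to fix; the stock subkeys decode to bare names that are on the allowlist. Working from the export rather than the O20 line is deliberate: the export also shows the Logon/Logoff/Shutdown callbacks and whether the DLL is named by a full path, which is how the non-stock entry stands out even when the file itself is already gone.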

0

Thanks again!
I almost started giving up and doing what I am most against... a format... so I am really grateful for your patience and help.

I did all of what is instructed above, in the order of its appearance. Following are the logs; I also added a HJT log although you didn't ask for one.

1 - FIND IT OUTPUT.txt LOG
-------------------------------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


Find.bat is running from: C:\Documents and Settings\tmira\Desktop\Find It NT-2K-XP\Find It NT-2K-XP


------- System Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is C0AC-79E0


Directory of C:\WINDOWS\System32


04/07/2005  12:03 AM    <DIR>          dllcache
04/29/2003  10:23 AM    <DIR>          Microsoft
0 File(s)              0 bytes
2 Dir(s)  33,075,941,376 bytes free


------- Hidden Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is C0AC-79E0


Directory of C:\WINDOWS\System32


04/09/2005  09:33 PM               890 vsconfig.xml
04/07/2005  12:03 AM    <DIR>          dllcache
04/06/2005  11:43 PM               749 wuaucpl.cpl.manifest
04/06/2005  11:43 PM               749 cdplayer.exe.manifest
04/06/2005  11:43 PM               749 nwc.cpl.manifest
04/06/2005  11:43 PM               749 sapi.cpl.manifest
04/06/2005  11:43 PM               749 ncpa.cpl.manifest
03/12/2005  07:47 AM             4,212 zllictbl.dat
04/29/2003  10:06 AM               488 logonui.exe.manifest
04/29/2003  10:06 AM               488 WindowsLogon.manifest
9 File(s)          9,823 bytes
1 Dir(s)  33,075,937,280 bytes free


------------ Files Named "Guard" ---------------


Volume in drive C has no label.
Volume Serial Number is C0AC-79E0


Directory of C:\WINDOWS\System32



------ Temp Files in System32 Directory ------


Volume in drive C has no label.
Volume Serial Number is C0AC-79E0


Directory of C:\WINDOWS\System32



------------------ User Agent ----------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""



------------- Keys Under Notify -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



------------- Locate.com Results -------------


-------- Strings.exe Qoologic Results --------



--------- Strings.exe Aspack Results ---------


C:\WINDOWS\system32\ntdll.dll: .aspack


-------------- HKLM Run Key ----------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PmProxy"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TFNF5"="TFNF5.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"tcactive"="C:\\Program Files\\The Cleaner\\tca.exe"
"tcmonitor"="C:\\Program Files\\The Cleaner\\tcm.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"


--------------------------------------

2 - qoologic log.txt LOG
--------------------------------------
C:\Documents and Settings\tmira\Desktop\findqoologic


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ntdll.dll: .aspack


Files Found in all users startup Folder............
------------------------


3 - qoologic win.txt LOG
-------------------------------------
C:\WINDOWS\system32\ntdll.dll: .aspack


-------------------------------------


4 - qoologic start.txt


gave an empty log


-------------------------------------

5 - rkfiles log.txt LOG
-------------------------------------
C:\Documents and Settings\tmira\Desktop\rkfiles


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\lpzxcz324534xct.exe: UPX!
C:\WINDOWS\system32\searchdll.dll: UPX!
C:\WINDOWS\system32\us3432xzcb.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213


Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\loadclean.exe: UPX!
C:\WINDOWS\sedjcjp.exe: UPX!
Finished
bye


--------------------------------

HJT hijackthis.log LOG


(I fixed the entry as instructed)
--------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:01:36 AM, on 4/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijack This\hijackthis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


OK. I need you to upload some files to an online scanner.

C:\WINDOWS\loadclean.exe
C:\WINDOWS\sedjcjp.exe
C:\WINDOWS\system32\lpzxcz324534xct.exe
C:\WINDOWS\system32\searchdll.dll
C:\WINDOWS\system32\us3432xzcb.exe

http://virusscan.jotti.org/

If they come back as bad (as I suspect they will), delete them, reboot and rescan with RKfiles and post the log please.
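As an added example (not a tool from this thread), here is a small Python parser for the RKfiles output format posted above: it groups the hits by folder section and picks out the packer-flagged executables so an analyst can record their hashes before deleting them or submitting them to a multi-engine scanner like the one linked. The sample log is constructed from the lines posted in the thread; the section and marker handling is an assumption about the format inferred only from those lines.

```python
"""Parse RKfiles-style scan output and pick out packer-flagged executables.

Added triage example, not a tool from the thread. RKfiles prints, per folder it
inspects, a header "Files Found in <name> Folder....", a dashed separator and one
"<path>: <marker>" line per hit, where <marker> is the string matched inside the
file ("UPX!" and ".aspack" are packer signatures). The layout is inferred from the
logs posted in the thread; anything beyond those lines is an assumption.
"""
import hashlib
import re
from collections import OrderedDict
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the lines posted in the thread.
SAMPLE_LOG = r"""C:\Documents and Settings\tmira\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\lpzxcz324534xct.exe: UPX!
C:\WINDOWS\system32\searchdll.dll: UPX!
C:\WINDOWS\system32\us3432xzcb.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\loadclean.exe: UPX!
C:\WINDOWS\sedjcjp.exe: UPX!
Finished
bye
"""

SECTION_RE = re.compile(r"^Files Found in (.+?) Folder\.*\s*$")
# Windows path up to the first ": " after the drive colon, then the marker string.
HIT_RE = re.compile(r"^([A-Za-z]:\\[^:]+?): (\S.*)$")

# Markers RKfiles reports that denote a runtime packer (both appear in the thread).
PACKER_MARKERS = {"UPX!", ".aspack"}
# Extensions Windows loads as native code; other hits need a closer look.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr"}

Hit = Tuple[str, str]  # (path, marker)


def parse_rkfiles(text: str) -> "OrderedDict[str, List[Hit]]":
    """Group "<path>: <marker>" lines under the folder section they appear in."""
    sections: "OrderedDict[str, List[Hit]]" = OrderedDict()
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            continue
        hit = HIT_RE.match(line)
        if hit and current is not None:
            sections[current].append((hit.group(1), hit.group(2)))
    return sections


def packed_executables(sections: Dict[str, List[Hit]]) -> List[str]:
    """Paths flagged with a packer signature that carry an executable extension."""
    out: List[str] = []
    for hits in sections.values():
        for path, marker in hits:
            ext = Path(path.replace("\\", "/")).suffix.lower()
            if marker in PACKER_MARKERS and ext in EXECUTABLE_EXT:
                out.append(path)
    return out


def unclassified_hits(sections: Dict[str, List[Hit]]) -> List[Hit]:
    """Hits that are not packed executables: left to the analyst to judge."""
    packed = set(packed_executables(sections))
    return [(p, m) for hits in sections.values() for p, m in hits if p not in packed]


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file on disk (record it before deleting or submitting the file);
    None when the path is not present on this host."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    found = parse_rkfiles(SAMPLE_LOG)
    for name, hits in found.items():
        print(f"[{name}] {len(hits)} hit(s)")
    print("Packed executables to hash and submit for a second opinion:")
    for path in packed_executables(found):
        print(f"  {path}  sha256={sha256_of(path) or '<not present on this host>'}")
    for path, marker in unclassified_hits(found):
        print(f"Needs manual review: {path} (marker {marker[:16]}...)")
```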


Thanks for your help and time.
Your suspicions were correct, all the files were infected with Trojans.
They were all removed; I rebooted (NOT in safe mode) and scanned with rkfiles, see log below.

Thanks,

-------------------------------------------
C:\Documents and Settings\tmira\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
Finished
bye


Thanks! that is good news.
See below the HJT log. Not to sound like a nag, but I am still having problems with the computer... connecting to network, renewing IP...

----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:23:01 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B36E9EF-E531-4355-BED3-1A8549211C50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59638158-CB87-4FAB-BF69-99CB03CAF0DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82C60785-E1D0-48B0-B860-DD72DE6F5D41} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC616025-40DF-4ADB-916B-E17B99C9DFC3} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110634837678
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank you all!
You have been a great help.

The winsock utility solved the problem.

Thanks again!


Hello,

I have the same problem and I've just downloaded HijackThis... this is what it's giving me... what should I do?


Logfile of HijackThis v1.99.1
Scan saved at 2:11:56 AM, on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\sypjp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MANDY\MYDOCU~1\DOWNLO~1\SOFTWARE\WINZIP\winzip32.exe
C:\Documents and Settings\Mandy\Local Settings\Temp\wz9cb\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [aLALGC] C:\WINDOWS\sypjp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SaferScan] "C:\Program Files\SaferScan\saferscan.exe" /aid:1003830
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Mandy\My Documents\DOWNLO~1\SOFTWARE\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm428YYCA
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://staplescanada.webprint.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

THANKS FOR YOUR HELP...
AMANDA -


Hello,

I have the same problem

Hi amandak,

First of all, welcome to DaniWeb :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your HijackThis log in that thread. The log you posted here does show signs of at least three separate infections, so you should get that thread started ASAP...


For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.


Due to the fact that the member who originally started this thread has not responded in over 1 year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.
