WingsFan

[Solved]HJT Log


AND THE REST OF THE LOG:

 

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}\InprocServer32]

@="C:\\WINDOWS\\system32\\fcswzrd.dll"

"ThreadingModel"="Apartment"

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}\InprocServer32]

@="C:\\WINDOWS\\system32\\hmp95en.dll"

"ThreadingModel"="Apartment"

 

**********************************************************************************

Files Found are not all bad files:

Locate .tmp files:

**********************************************************************************

Directory Listing of system files:

Volume in drive C is HP_PAVILION

Volume Serial Number is 5005-56DA

 

Directory of C:\WINDOWS\System32

 

09/29/2005 11:04 AM 417,792 fcswzrd.dll

09/28/2005 11:54 PM 417,792 hmp95en.dll

09/28/2005 11:23 PM 417,792 mfmefilt.dll

09/28/2005 11:16 PM 417,792 krdfc.dll

09/28/2005 11:10 PM 417,792 kjdtuq.dll

09/26/2005 02:10 AM 417,792 sfclogon.dll

09/26/2005 01:48 AM 417,792 lPngwrbk.dll

09/26/2005 01:29 AM 417,792 mcdtcprx.dll

09/26/2005 01:25 AM <DIR> dllcache

09/24/2005 12:53 PM 417,792 wknnls.dll

09/24/2005 08:08 AM 417,792 rlcns4.dll

09/24/2005 02:19 AM 417,792 guard.tmp

09/24/2005 01:17 AM 417,792 sopshftr.dll

09/08/2005 09:47 AM 401,408 r?ndll.exe

04/25/2002 10:39 PM <DIR> Microsoft

08/18/2001 08:00 AM 9,728 regsvr32.exe

08/18/2001 08:00 AM 322,560 msvcrt.dll

08/18/2001 08:00 AM 401,462 msvcp60.dll

08/18/2001 08:00 AM 995,383 mfc42.dll

08/18/2001 08:00 AM 106,496 olepro32.dll

08/18/2001 08:00 AM 569,344 oleaut32.dll

08/18/2001 08:00 AM 50,688 msvcirt.dll

20 File(s) 7,870,573 bytes

2 Dir(s) 64,396,767,232 bytes free

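What the helper is reading off that L2MFix output is a pattern rather than any single file name: a run of DLLs in System32 that are all exactly 417,792 bytes, all written within days of the scan, with names that resemble nothing Windows ships, two of which the CLSID export shows registered as COM in-process servers. The Python script below is an added example; it is not part of the thread and not code from L2MFix or HijackThis. It parses the `dir` output and the `.reg` export (the sample text embedded in it is constructed from lines quoted in the post above), clusters files by exact size and recent modification date, and cross-references the cluster against InprocServer32 registrations. The cut-off date and the minimum cluster size are arbitrary choices made for this particular listing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample 1: a subset of the "Directory of C:\WINDOWS\System32" listing
# quoted in the thread, with OS files dated 08/18/2001 (XP RTM) kept for contrast.
SAMPLE_LISTING = r"""
Directory of C:\WINDOWS\System32

09/29/2005 11:04 AM 417,792 fcswzrd.dll
09/28/2005 11:54 PM 417,792 hmp95en.dll
09/28/2005 11:23 PM 417,792 mfmefilt.dll
09/26/2005 01:25 AM <DIR> dllcache
09/24/2005 02:19 AM 417,792 guard.tmp
09/24/2005 01:17 AM 417,792 sopshftr.dll
09/08/2005 09:47 AM 401,408 r?ndll.exe
08/18/2001 08:00 AM 9,728 regsvr32.exe
08/18/2001 08:00 AM 322,560 msvcrt.dll
08/18/2001 08:00 AM 401,462 msvcp60.dll
20 File(s) 7,870,573 bytes
"""

# Constructed sample 2: an excerpt of the .reg export from the same L2MFix output.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\fcswzrd.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}\InprocServer32]
@="C:\\WINDOWS\\system32\\hmp95en.dll"
"ThreadingModel"="Apartment"
"""

# One "dir" line: date, time, size (or <DIR>), file name.
DIR_LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+|<DIR>)\s+(.+?)\s*$"
)
INPROC_KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_dir_listing(text):
    """Turn 'dir' output into a list of {mtime, size, name} dicts (directories skipped)."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        date_s, time_s, size_s, name = m.groups()
        entries.append({
            "mtime": datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p"),
            "size": int(size_s.replace(",", "")),
            "name": name,
        })
    return entries


def size_clusters(entries, min_count=3, since=None):
    """Group files modified on/after `since` (datetime or 'YYYY-MM-DD') by exact byte
    size and keep groups of at least min_count. Identical sizes with fresh timestamps
    and unrelated names is a triage signal, not proof: the log itself warns that not
    every file it lists is bad."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    by_size = defaultdict(list)
    for e in entries:
        if since is None or e["mtime"] >= since:
            by_size[e["size"]].append(e)
    return {s: sorted(v, key=lambda e: e["mtime"])
            for s, v in by_size.items() if len(v) >= min_count}


def parse_inproc_servers(reg_text):
    """Map CLSID -> DLL path for every InprocServer32 key in a .reg export."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = INPROC_KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):      # any other key ends the InprocServer32 block
            current = None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current:
            # .reg files double every backslash inside string values
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def cross_reference(clusters, servers):
    """File names that sit in a size cluster AND are registered as COM in-proc servers."""
    by_name = {path.rsplit("\\", 1)[-1].lower(): clsid for clsid, path in servers.items()}
    hits = {}
    for group in clusters.values():
        for e in group:
            clsid = by_name.get(e["name"].lower())
            if clsid:
                hits[e["name"]] = clsid
    return hits


if __name__ == "__main__":
    files = parse_dir_listing(SAMPLE_LISTING)
    # Cut-off chosen from the listing itself: OS files are dated 2001, the odd ones 2005.
    clusters = size_clusters(files, since="2005-09-01")
    servers = parse_inproc_servers(SAMPLE_REG)
    for size, group in clusters.items():
        print(f"{len(group)} recent files of exactly {size:,} bytes:",
              ", ".join(e["name"] for e in group))
    for name, clsid in cross_reference(clusters, servers).items():
        print(f"{name} is also registered as InprocServer32 for {clsid}")
```

A hit here means "look closer", not "delete": compare each flagged file against known-good hashes before acting on it. The FindVX2 listing posted later in the thread uses the same `dir` format and can be fed to `parse_dir_listing` unchanged.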

Logfile of HijackThis v1.99.1

Scan saved at 11:29:10 AM, on 9/29/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\S3apphk.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\dinst.exe

C:\WINDOWS\ms052719413425.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\wintask.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\System32\xjyupp.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: (no name) - {72E534C4-29C6-6D7F-B7AE-B7975456F0D5} - C:\WINDOWS\Uswywcvw.dll

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

O3 - Toolbar: Search - {0316E09A-F7F4-3371-36F9-56A779C0E25D} - C:\WINDOWS\Uswywcvw.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe

O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [bpaadb] C:\WINDOWS\System32\xjyupp.exe r

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe

O4 - HKCU\..\Run: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - HKCU\..\Run: [sys98] C:\WINDOWS\Sys98.exe

O4 - HKCU\..\RunOnce: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127194252445

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\sopshftr.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


The easiest way to take care of the AUTOEXEC.NT problem:

Go to the following website: http://www.visualtour.com/downloads/

Scroll down to: 07/29/2004 XP_FIX.EXE (140kb)

 

Reboot

 

Go back to the L2MFix folder, double click L2MFix.bat and select option #2 for Run Fix by typing 2 and then pressing: Enter.

Then, press any key to reboot the computer.

 

After a reboot, the Desktop and icons appear, then disappear (this is normal).

L2MFix continues to scan the computer and when it's finished, notepad will open with a log.

 

Copy the contents of the L2MFix log and provide it in your response, along with a new HijackThis log.

 

We understand that this is not your computer, and it is commendable that you are trying to clean it up. It is one heck of a mess.

 

Can you tell us what kind of computer this is, and can you find out where your girlfriend’s parents obtained the computer?

 

If they bought it at a retail store, that is fine; however, if it is a machine that was obtained from someone else, in the current scenario there is reason to be concerned, and you are wasting your precious time.

 

For the sake of having peace of mind, see if XP validates. It is information you need to know, and it is one of the first things I do, even when buying a brand new computer!! If they bought it at a retail store, it should validate. If so, we understand the fact that some people just do not know about Windows updates, and that explains why there are none.

 

If you get an error message doing the following, let us know what it is.

 

Please do the following:

 

Using Internet Explorer, go to:

http://www.microsoft.com/resources/howtote...ws/default.mspx

 

Go to Item 1: Run the Windows Validation Assistant

Click on Validate Now

 

While the ActiveX loads, do not click on any links.

 

You will be prompted to install - click YES.

 

You may need to enter the XP product key, and click: Continue

 

When it says Validation Complete, copy what the Assistant reports, and provide it in your reply.

 

Thanks, WingsFan


It's an HP Pavilion 762n that was bought at Best Buy. I have a feeling one of the reasons they never did updates was because they have dial-up and it took too long and they didn't understand the importance of it. The Windows validation site comes up and says "please wait" for a really long time and nothing else ever comes up. Meanwhile, it's once again infected with Nail and some SideSearch. I'll get a new scan to you soon. I'll be around more this weekend - sorry for the delays in responses lately.


Thanks for the attempt, WingsFan.

 

If the PC is an HP bought at Best Buy, and has not been in anyone else's possession, I think we are safe.

 

If they have dial-up, it will take forever to do the updates. Another option is, if the PC has a network card, connect it temporarily to a network and download the updates.

 

We'll just have to go at it a step at a time and see what we can get rid of.


Yeah - they had dial-up so they never updated. I have it at my apartment with high-speed now, so we got no issues with that (although I sometimes question the actual speed of my "high speed internet"). But I'm getting to fixing a few things and then I'll post the new log. I've just been trying to get school work done on mine and then switch the monitor over to theirs, lol. Thanks again for the help.


Ok here's the latest log. I also ran that l2mfix option 2 and it rebooted, but no log came up. There's a report in the file, but it looks like it's from the last time I ran it with option 1. Also, I ran it in regular mode; I wasn't sure if maybe it was supposed to be safe mode. Anyhow, here's the new log. I'm staying off of IE and yet this crap keeps coming back. Do we have any hope of cleaning this off?

 

Logfile of HijackThis v1.99.1

Scan saved at 3:50:03 PM, on 10/1/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\S3apphk.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\dinst.exe

C:\WINDOWS\ms052719413425.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ifs139.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: (no name) - {72E534C4-29C6-6D7F-B7AE-B7975456F0D5} - C:\WINDOWS\Uswywcvw.dll

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

O3 - Toolbar: Search - {0316E09A-F7F4-3371-36F9-56A779C0E25D} - C:\WINDOWS\Uswywcvw.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe

O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [nrufvri] C:\WINDOWS\System32\csckii.exe r

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe

O4 - HKCU\..\Run: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - HKCU\..\Run: [sys98] C:\WINDOWS\Sys98.exe

O4 - HKCU\..\RunOnce: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127194252445

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\sopshftr.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

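Reading the 10/1 log against the 9/29 one is the whole point of asking for a fresh HijackThis log after each fix: the verbatim lines that appeared (the R1/R0 search hijacks, the `F2 ... Shell=Explorer.exe C:\WINDOWS\Nail.exe` line, a fresh random-named O4 entry) and the ones that only look new. `sopshftr.dll` is still loaded as a Winlogon Notify handler in both logs; only the subkey name changed from `Reinstall` to `ModuleUsage`, so a line-by-line diff would report it as one removal plus one addition and hide the fact that it survived the reboot. The Python script below is an added example, not from the thread and not HijackThis code; the two log excerpts embedded in it are constructed from lines of the 9/29 and 10/1 logs above. It parses the R/F/O lines of each log, diffs them, keys the O20 entries on the DLL path so a renamed subkey is recognised as the same module, and extracts whatever has been appended to the `system.ini` Shell= line.

```python
import re

# Constructed excerpts of the 9/29/2005 and 10/1/2005 HijackThis logs posted above.
LOG_0929 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:29:10 AM, on 9/29/2005
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bpaadb] C:\WINDOWS\System32\xjyupp.exe r
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\sopshftr.dll
"""

LOG_1001 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:50:03 PM, on 10/1/2005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nrufvri] C:\WINDOWS\System32\csckii.exe r
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\sopshftr.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O20 - <detail>"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(.+)$")


def parse_hjt(text):
    """Return {section code: [detail, ...]} for each R/F/O entry line of a HJT log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_hjt(old, new):
    """(added, removed) lists of (code, detail) tuples, compared verbatim."""
    old_set = {(code, d) for code, ds in old.items() for d in ds}
    new_set = {(code, d) for code, ds in new.items() for d in ds}
    return sorted(new_set - old_set), sorted(old_set - new_set)


def winlogon_notify(entries):
    """Map lower-cased DLL path -> Notify subkey name for every O20 line."""
    out = {}
    for detail in entries.get("O20", []):
        m = NOTIFY_RE.match(detail)
        if m:
            out[m.group(2).lower()] = m.group(1)
    return out


def renamed_notify_dlls(old, new):
    """DLLs still registered as Winlogon Notify handlers but under a different subkey
    name: keyed on the path, so the verbatim diff's remove+add pair collapses to one
    module that survived the reboot."""
    o, n = winlogon_notify(old), winlogon_notify(new)
    return {p: (o[p], n[p]) for p in o.keys() & n.keys() if o[p] != n[p]}


def shell_extras(entries):
    """Executables appended after Explorer.exe on the system.ini Shell= line (F2).
    Assumes the appended paths contain no spaces, which holds for this log."""
    extras = []
    for detail in entries.get("F2", []):
        m = SHELL_RE.match(detail)
        if m:
            extras += [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
    return extras


if __name__ == "__main__":
    old, new = parse_hjt(LOG_0929), parse_hjt(LOG_1001)
    added, removed = diff_hjt(old, new)
    print("added since previous log:")
    for code, detail in added:
        print("  ", code, "-", detail)
    print("gone since previous log:")
    for code, detail in removed:
        print("  ", code, "-", detail)
    for path, (was, now) in renamed_notify_dlls(old, new).items():
        print(f"still loaded at logon: {path} (subkey {was} -> {now})")
    for exe in shell_extras(new):
        print("extra Shell= executable:", exe)
```

The verbatim diff is what a helper scans first; the path-keyed O20 view is what tells them the Winlogon Notify hook is the same module under a new name and that the fix has not taken. Both views are cheap to keep across every log a user posts.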

Ok, more updates from me. I'm sorry to post so many times in a row. I was able to get some updates done on this computer. Everything up until SP1 is on the computer. I dl'ed SP1 and attempted to install but it failed. It opened the wizard then closed it and a window came up saying "Access is denied". I'm guessing some malware on the system is preventing it from running, so if you have any idea what process I can stop or what has to be removed, let me know. Any info I can give you to help out, just let me know.


WingsFan,

 

Use an account that has administrative rights to log on to Windows XP

Go to: Start>Run, and then type the following command: regedit

Click OK.

 

Locate the following key in the Registry:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

 

Right-click the Auto Update folder on the left pane

Select: Permissions

 

Does the Administrators group have Full Control?

 

If so, there may be ‘something’ interfering with the install of SP1...

 

Try the above. If you succeed, post a new HJT log.

Will get back with you a little later.

 

Are you running XP Home, or XP Pro?


On the log,

 

An L2M entry is still there :

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\sopshftr.dll

 

It is a bummer. Let’s give it another round of bullets.

 

While running L2MFix option #1, you received an error: "C:\windows\system32\cmd.exe

C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft windows applications. Choose close to terminate the application"

 

Run L2MFix again, and use option 5 to solve this error condition.

Reboot.

 

Go back to the L2MFix folder, double click L2MFix.bat and select option #2 for Run Fix by typing 2 and then pressing: Enter

 

See if now you get the L2MFix log and provide it in your response.


Alright - The computer is running XP Home Edition. I checked the permissions and full control was allowed on that folder. Then I ran the l2mfix option 5, rebooted and ran option 2. It rebooted the computer, but again no log. I had run that xp.exe file or something to fix the autoexec problem earlier. I'm just confused as to what is going on. I continue to thank you. I'm sorry for throwing this mess at you.

 

Logfile of HijackThis v1.99.1

Scan saved at 1:02:03 AM, on 10/2/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\System32\mqzuqtq.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\S3apphk.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\ms052719413425.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\NEWADP~2.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\Sys98.exe

C:\WINDOWS\system32\ngpw38.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: (no name) - {72E534C4-29C6-6D7F-B7AE-B7975456F0D5} - C:\WINDOWS\Uswywcvw.dll

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\ngsh33.dll

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

O3 - Toolbar: Search - {0316E09A-F7F4-3371-36F9-56A779C0E25D} - C:\WINDOWS\Uswywcvw.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe

O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lsdk4k.exe reg_run

O4 - HKLM\..\Run: [adprot] C:\WINDOWS\System32\NEWADP~2.EXE

O4 - HKLM\..\Run: [NEWADP~2] C:\WINDOWS\System32\NEWADP~2.exe

O4 - HKLM\..\Run: [eupjxun] C:\WINDOWS\System32\mqzuqtq.exe r

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe

O4 - HKCU\..\Run: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - HKCU\..\Run: [sys98] C:\WINDOWS\Sys98.exe

O4 - HKCU\..\RunOnce: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127194252445

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\sopshftr.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


We'll go at it the old way...

 

Please download FindIt NT-2K-XP:

http://lineofire.geekstogo.com/

 

Place it in a folder of its own on the Desktop

Unzip the contents of Finditnt2000xp.zip

Double-click on FindVX2.bat

A command prompt opens and it searches your computer for malicious files (may take a few minutes).

Once finished, Notepad displays a FindVX2 log.

 

Copy/paste the FindVX2 log to your reply.

 

Next, in the folder where you placed FindIt NT-2K-XP, double click FindNarrator.bat to produce a FindNarrator log.

 

Also, copy/paste the FindNarrator log to your reply.


---------------- FindVX2 NT-2K-XP ----------------

 

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

***** Operating System *****

 

Microsoft Windows XP Home Edition 5.1 (Build 2600)

 

********* Date/Time ********

 

Sunday, October 02, 2005 (10/2/2005)

5:03 PM, Eastern Daylight Time

 

*********** Path ***********

 

FindVX2.bat is running from: C:\Documents and Settings\Owner\Desktop\FindIt NT-2K-XP

 

------- System Files in System32 Directory -------

 

Volume in drive C is HP_PAVILION

Volume Serial Number is 5005-56DA

 

Directory of C:\WINDOWS\System32

 

10/02/2005 04:59 PM 417,792 cBmocx.dll

10/02/2005 12:49 AM 417,792 beowser.dll

10/01/2005 09:49 PM 417,792 dtcpcsvc.dll

10/01/2005 04:54 PM <DIR> dllcache

10/01/2005 03:32 PM 417,792 phlstore.dll

10/01/2005 03:28 PM 417,792 dgrgui.dll

10/01/2005 03:11 PM 417,792 mqrecr40.dll

10/01/2005 03:05 PM 417,792 nuinstnt.dll

10/01/2005 02:56 PM 417,792 szclogon.dll

10/01/2005 03:04 AM 417,792 dssetup.dll

10/01/2005 02:51 AM 417,792 fosroute.dll

09/30/2005 06:02 PM 417,792 aul70.dll

09/30/2005 05:58 PM 417,792 MYHTML.DLL

09/29/2005 11:24 AM 417,792 kmdcan.dll

09/28/2005 11:54 PM 417,792 hmp95en.dll

09/28/2005 11:23 PM 417,792 mfmefilt.dll

09/28/2005 11:16 PM 417,792 krdfc.dll

09/28/2005 11:10 PM 417,792 kjdtuq.dll

09/26/2005 02:10 AM 417,792 sfclogon.dll

09/26/2005 01:48 AM 417,792 lPngwrbk.dll

09/26/2005 01:29 AM 417,792 mcdtcprx.dll

09/24/2005 12:53 PM 417,792 wknnls.dll

09/24/2005 08:08 AM 417,792 rlcns4.dll

09/24/2005 02:19 AM 417,792 guard.tmp

09/24/2005 01:17 AM 417,792 sopshftr.dll

09/08/2005 09:47 AM 401,408 r?ndll.exe

04/25/2002 10:39 PM <DIR> Microsoft

08/18/2001 08:00 AM 50,688 msvcirt.dll

08/18/2001 08:00 AM 106,496 olepro32.dll

08/18/2001 08:00 AM 995,383 mfc42.dll

08/18/2001 08:00 AM 569,344 oleaut32.dll

08/18/2001 08:00 AM 401,462 msvcp60.dll

08/18/2001 08:00 AM 322,560 msvcrt.dll

08/18/2001 08:00 AM 9,728 regsvr32.exe

32 File(s) 12,884,077 bytes

2 Dir(s) 64,024,018,944 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C is HP_PAVILION

Volume Serial Number is 5005-56DA

 

Directory of C:\WINDOWS\System32

 

10/02/2005 05:00 PM 31,767 vsconfig.xml

10/01/2005 04:54 PM <DIR> dllcache

09/29/2005 12:28 AM 4,212 zllictbl.dat

09/08/2005 09:47 AM 401,408 r?ndll.exe

02/13/2005 10:35 PM <DIR> vmss

04/20/2002 12:15 AM 488 logonui.exe.manifest

04/20/2002 12:15 AM 488 WindowsLogon.manifest

04/20/2002 12:15 AM 749 nwc.cpl.manifest

04/20/2002 12:15 AM 749 cdplayer.exe.manifest

04/20/2002 12:15 AM 749 sapi.cpl.manifest

04/20/2002 12:15 AM 749 ncpa.cpl.manifest

04/20/2002 12:15 AM 749 wuaucpl.cpl.manifest

08/18/2001 08:00 AM 106,496 olepro32.dll

08/18/2001 08:00 AM 322,560 msvcrt.dll

08/18/2001 08:00 AM 401,462 msvcp60.dll

08/18/2001 08:00 AM 50,688 msvcirt.dll

08/18/2001 08:00 AM 995,383 mfc42.dll

08/18/2001 08:00 AM 569,344 oleaut32.dll

08/18/2001 08:00 AM 9,728 regsvr32.exe

17 File(s) 2,897,769 bytes

2 Dir(s) 64,024,014,848 bytes free

 

--------------- Files Named "Guard" --------------

 

Volume in drive C is HP_PAVILION

Volume Serial Number is 5005-56DA

 

Directory of C:\WINDOWS\System32

 

09/24/2005 02:19 AM 417,792 guard.tmp

1 File(s) 417,792 bytes

0 Dir(s) 64,024,014,848 bytes free

 

-------- Temp Files in System32 Directory --------

 

Volume in drive C is HP_PAVILION

Volume Serial Number is 5005-56DA

 

Directory of C:\WINDOWS\System32

 

09/24/2005 02:19 AM 417,792 guard.tmp

09/19/2005 04:58 PM 0 ~GLH0018.TMP

09/19/2005 04:50 PM 0 ~GLH0016.TMP

09/06/2005 10:10 PM 0 ~GLH0015.TMP

06/07/2005 12:38 PM 0 ~GLH0014.TMP

05/04/2005 02:08 PM 0 ~GLH0013.TMP

04/05/2005 06:32 PM 0 ~GLH001c.TMP

04/05/2005 06:32 PM 0 ~GLH0017.TMP

08/18/2001 03:00 PM 2,577 CONFIG.TMP

9 File(s) 420,369 bytes

0 Dir(s) 64,024,014,848 bytes free

 

------------------- User Agent -------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{4FE91C84-7FC3-CC0E-6652-F49DFD6937E1}"=""

 

--------------- Keys Under Notify ----------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

@=""

"DLLName"="igfxsrvc.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\sopshftr.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

------------ Shell Extensions Approved -----------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}"=""

"{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}"=""

"{18684CBF-8C99-4A79-8B92-F3EAD75B3E4E}"=""

 

--------------- Locate.com Results ---------------

 

C:\WINDOWS\SYSTEM32\

aul70.dll Fri Sep 30 2005 6:02:16p ..S.R 417,792 408.00 K

beowser.dll Sun Oct 2 2005 12:49:26a ..S.R 417,792 408.00 K

cbmocx.dll Sun Oct 2 2005 4:59:44p ..S.R 417,792 408.00 K

dgrgui.dll Sat Oct 1 2005 3:28:22p ..S.R 417,792 408.00 K

dssetup.dll Sat Oct 1 2005 3:04:12a ..S.R 417,792 408.00 K

dtcpcsvc.dll Sat Oct 1 2005 9:49:26p ..S.R 417,792 408.00 K

fosroute.dll Sat Oct 1 2005 2:51:34a ..S.R 417,792 408.00 K

guard.tmp Sat Sep 24 2005 2:19:30a ..S.R 417,792 408.00 K

hmp95en.dll Wed Sep 28 2005 11:54:46p ..S.R 417,792 408.00 K

kjdtuq.dll Wed Sep 28 2005 11:10:16p ..S.R 417,792 408.00 K

kmdcan.dll Thu Sep 29 2005 11:24:38a ..S.R 417,792 408.00 K

krdfc.dll Wed Sep 28 2005 11:16:32p ..S.R 417,792 408.00 K

lpngwrbk.dll Mon Sep 26 2005 1:48:50a ..S.R 417,792 408.00 K

mcdtcprx.dll Mon Sep 26 2005 1:30:00a ..S.R 417,792 408.00 K

mfmefilt.dll Wed Sep 28 2005 11:23:44p ..S.R 417,792 408.00 K

mqrecr40.dll Sat Oct 1 2005 3:11:26p ..S.R 417,792 408.00 K

myhtml.dll Fri Sep 30 2005 5:58:50p ..S.R 417,792 408.00 K

nuinstnt.dll Sat Oct 1 2005 3:05:24p ..S.R 417,792 408.00 K

phlstore.dll Sat Oct 1 2005 3:32:14p ..S.R 417,792 408.00 K

rlcns4.dll Sat Sep 24 2005 8:08:46a ..S.R 417,792 408.00 K

rndll~1.exe Thu Sep 8 2005 9:47:48a ..SHR 401,408 392.00 K

sfclogon.dll Mon Sep 26 2005 2:10:48a ..S.R 417,792 408.00 K

sopshftr.dll Sat Sep 24 2005 1:17:36a ..S.R 417,792 408.00 K

szclogon.dll Sat Oct 1 2005 2:56:40p ..S.R 417,792 408.00 K

vsconfig.xml Sun Oct 2 2005 5:00:28p A..H. 31,767 31.02 K

wknnls.dll Sat Sep 24 2005 12:53:40p ..S.R 417,792 408.00 K

zllictbl.dat Thu Sep 29 2005 12:28:40a ...H. 4,212 4.11 K

 

27 items found: 27 files, 0 directories.

Total of file sizes: 10,464,395 bytes 9.98 M

 

---------------- FindVX2 NT-2K-XP ----------------


---------------- FindNarrator NT-2K-XP ----------------

 

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

***** Operating System *****

 

Microsoft Windows XP Home Edition 5.1 (Build 2600)

 

********* Date/Time ********

 

Sunday, October 02, 2005 (10/2/2005)

5:04 PM, Eastern Daylight Time

 

*********** Path ***********

 

FindNarrator.bat is running from: C:\Documents and Settings\Owner\Desktop\FindIt NT-2K-XP

 

---------------- Strings.exe Qoologic Results ----------------

 

 

---------------- Strings.exe Aspack Results ----------------

 

C:\WINDOWS\system32\MRT.exe: (ASPack)

C:\WINDOWS\system32\MRT.exe: (AsPack2k)

C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)

C:\WINDOWS\system32\MRT.exe: ASPack2000

C:\WINDOWS\system32\MRT.exe: ASPack 1.61

C:\WINDOWS\system32\MRT.exe: ASPack 1.084

C:\WINDOWS\system32\MRT.exe: ASPack 1.083

C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b

C:\WINDOWS\system32\MRT.exe: ASPack 1.07b

C:\WINDOWS\system32\MRT.exe: ASPack 1.05b

C:\WINDOWS\system32\MRT.exe: ASPack 1.02

C:\WINDOWS\system32\MRT.exe: ASPACK

 

---------------- Active Setup Installed Components ----------------

 

! REG.EXE VERSION 3.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5f3c70b3-ac2f-432c-8f9c-1624df61f54f}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f5173cf0-1dfb-4978-8e50-a90169ee7ca9}

 

---------------- Context Menu Handlers ----------------

REGEDIT4

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmqgtgxf]

@="{f4ab7ff2-a15c-469f-b55b-fc3b42ae1079}"

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]

@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]

@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]

@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu]

@="{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]

@="Start Menu Pin"

 

---------------- Run Key ----------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"

"S3apphk"="S3apphk.exe"

"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"

"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"

"nwiz"="nwiz.exe /install"

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"KBD"="C:\\HP\\KBD\\KBD.EXE"

"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"

"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"

"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"

"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""

"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"

"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"suqarxh"="c:\\windows\\system32\\suqarxh.exe -start"

"Dinst"="C:\\WINDOWS\\dinst.exe"

"ms052719413425"="C:\\WINDOWS\\ms052719413425.exe"

"YourMonitor"="C:\\WINDOWS\\Sys98"

"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"

"WinTask driver"="C:\\WINDOWS\\System32\\wintask.exe"

"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

"inwmg"="C:\\WINDOWS\\system32\\w130713.Stub.EXE"

"winsync"="C:\\WINDOWS\\System32\\lsdk4k.exe reg_run"

"adprot"=hex(7):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,32,5c,4e,\

45,57,41,44,50,7e,32,2e,45,58,45,00,00

"NEWADP~2"="C:\\WINDOWS\\System32\\NEWADP~2.exe"

"xjkytg"="C:\\WINDOWS\\System32\\bjmtjcl.exe r"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

---------------- FindNarrator NT-2K-XP ----------------


Got a few things to get rid of in those logs!!

 

Apparently there is something hanging up L2MFix. However the above does show some of the hidden stuff bogging the PC down.

 

We'll just have to tackle this the old way...

 

Going out for a while, but will get back with you later this evening.


Let’s take care of the L2M malware first.

 

Please download Pocket Killbox:

http://www.downloads.subratam.org/KillBox.zip

Place it in a folder on your Desktop.

Do not run it yet.

 

Disconnect from the Internet and close all running programs!!

 

Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.

 

Extract Pocket KillBox from the zip file and double-click on Killbox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files

 

When done, and back at the main screen of KillBox, select the option: Delete on Reboot

 

Highlight all the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

 

C:\WINDOWS\System32\cBmocx.dll

C:\WINDOWS\System32\beowser.dll

C:\WINDOWS\System32\dtcpcsvc.dll

C:\WINDOWS\System32\phlstore.dll

C:\WINDOWS\System32\dgrgui.dll

C:\WINDOWS\System32\mqrecr40.dll

C:\WINDOWS\System32\nuinstnt.dll

C:\WINDOWS\System32\szclogon.dll

C:\WINDOWS\System32\dssetup.dll

C:\WINDOWS\System32\fosroute.dll

C:\WINDOWS\System32\aul70.dll

C:\WINDOWS\System32\MYHTML.DLL

C:\WINDOWS\System32\kmdcan.dll

C:\WINDOWS\System32\hmp95en.dll

C:\WINDOWS\System32\mfmefilt.dll

C:\WINDOWS\System32\krdfc.dll

C:\WINDOWS\System32\kjdtuq.dll

C:\WINDOWS\System32\sfclogon.dll

C:\WINDOWS\System32\lPngwrbk.dll

C:\WINDOWS\System32\mcdtcprx.dll

C:\WINDOWS\System32\wknnls.dll

C:\WINDOWS\System32\rlcns4.dll

C:\WINDOWS\System32\sopshftr.dll

C:\WINDOWS\System32\r?ndll.exe

C:\WINDOWS\System32\guard.tmp

 

Click on the File menu of Pocket KillBox and select: Paste from Clipboard

 

In the Full Path of File to Delete box you should see the first entry.

If you use the down arrow you should see the rest of the files.

Make sure all entries are there.

 

Press the button with a red circle and a white X (Delete File button)

 

When asked to Reboot, select Yes!!

 

Run HijackThis and Scan.

Check box for:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

 

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: (no name) - {72E534C4-29C6-6D7F-B7AE-B7975456F0D5} - C:\WINDOWS\Uswywcvw.dll

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\ngsh33.dll

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

 

O3 - Toolbar: Search - {0316E09A-F7F4-3371-36F9-56A779C0E25D} - C:\WINDOWS\Uswywcvw.dll

 

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE

O4 - HKLM\..\Run: [adprot] C:\WINDOWS\System32\NEWADP~2.EXE

O4 - HKLM\..\Run: [NEWADP~2] C:\WINDOWS\System32\NEWADP~2.exe

O4 - HKCU\..\Run: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - HKCU\..\RunOnce: [ifs139] C:\WINDOWS\System32\ifs139.exe

 

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\sopshftr.dll

 

Select: Fix Checked:

 

Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the blue REGEDIT below to it

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{4FE91C84-7FC3-CC0E-6652-F49DFD6937E1}"=-

 

Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

 

Once again, double-click on FindVX2.bat

Copy/paste the FindVX2 log to your reply.

 

Run EWIDO, and perform a Complete System Scan

Copy/paste the EWIDO report to your reply.

 

In summary, need the following:

FindVX2 log

EWIDO Report

New HijackThis log

 

Once you post the logs, please do not reboot, restart/shutdown the computer. Just leave it on. If you restart, any information you provide may change, and any guidance offered is useless.

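The file list and the Notify key in the post above were picked out of the FindVX2 log by hand. The following is an added triage helper (example code, not part of FindIt NT-2K-XP, L2MFix or this thread) that does the same two checks mechanically over a FindVX2-style log: it parses the "Locate.com Results" block, groups the files carrying both the S (system) and R (read-only) flags by exact byte size, and flags any cluster of three or more identical-size files (the three-file cut-off is this example's own assumption); it then decodes the "Keys Under Notify" export, including hex(2) DllName values and `\`-continued lines, and reports any Winlogon\Notify subkey whose DllName resolves to one of the flagged files. Both sample inputs are constructed excerpts modelled on the log lines posted above.

```python
"""Triage helper for FindVX2-style output (added example, not code from
FindIt NT-2K-XP, L2MFix or this thread): flags same-size System+Read-only
clusters in System32 and Winlogon\\Notify entries that load one of them."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the "Locate.com Results" block posted above.
LOCATE_SAMPLE = r"""
C:\WINDOWS\SYSTEM32\
aul70.dll Fri Sep 30 2005 6:02:16p ..S.R 417,792 408.00 K
guard.tmp Sat Sep 24 2005 2:19:30a ..S.R 417,792 408.00 K
sopshftr.dll Sat Sep 24 2005 1:17:36a ..S.R 417,792 408.00 K
rndll~1.exe Thu Sep 8 2005 9:47:48a ..SHR 401,408 392.00 K
vsconfig.xml Sun Oct 2 2005 5:00:28p A..H. 31,767 31.02 K
zllictbl.dat Thu Sep 29 2005 12:28:40a ...H. 4,212 4.11 K
"""

# Constructed excerpt modelled on the "Keys Under Notify" REGEDIT4 block above.
NOTIFY_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DllName"="C:\\WINDOWS\\system32\\sopshftr.dll"
"""

# Locate.com line: name, weekday month day year h:mm:ssa/p, 5 flag chars, bytes, K/M
_FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3}\s+\d+ \d{4} \d+:\d\d:\d\d[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s+[\d.]+ [KMG]$")
_KEY = re.compile(r"^\[.*\\Winlogon\\Notify\\(?P<sub>[^\]]+)\]$", re.IGNORECASE)
_DLL = re.compile(r'^"DllName"=(?P<val>.+)$', re.IGNORECASE)


def parse_locate(text):
    """Return [(directory, name, attrs, size_bytes)]; a line ending in a
    backslash names the directory that the following file lines belong to."""
    entries, current_dir = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):
            current_dir = line
            continue
        m = _FILE_LINE.match(line)
        if m and current_dir:
            entries.append((current_dir, m["name"], m["attrs"],
                            int(m["size"].replace(",", ""))))
    return entries


def same_size_clusters(entries, min_members=3):
    """Group S+R files by exact size; min_members=3 is this example's own
    cut-off (assumption), not a threshold the tools on this page document."""
    by_size = defaultdict(list)
    for entry in entries:
        if "S" in entry[2] and "R" in entry[2]:
            by_size[entry[3]].append(entry)
    return {size: es for size, es in by_size.items() if len(es) >= min_members}


def decode_reg_string(raw):
    """Decode a REGEDIT4 value: a quoted literal (\\\\ escapes a backslash) or
    a hex(2): byte list, i.e. REG_EXPAND_SZ as NUL-terminated ANSI text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("latin-1").rstrip("\x00")
    return raw


def parse_notify(text):
    """Return {subkey: dllname} for every Winlogon\\Notify subkey in the
    export; a trailing backslash continues a long hex value on the next line."""
    result, current, pending = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        k = _KEY.match(line)
        if k:
            current = k["sub"]
            continue
        d = _DLL.match(line)
        if d and current:
            result[current] = decode_reg_string(d["val"])
    return result


def triage(locate_text, notify_text):
    """Flag same-size S+R clusters and the Notify entries that load one of them."""
    clusters = same_size_clusters(parse_locate(locate_text))
    members = [e for es in clusters.values() for e in es]
    names = {name.lower() for _, name, _, _ in members}
    hits = [(sub, dll) for sub, dll in parse_notify(notify_text).items()
            if dll.rsplit("\\", 1)[-1].lower() in names]
    return {"cluster_sizes": sorted(clusters),
            "flagged_paths": sorted((d + n for d, n, _, _ in members), key=str.lower),
            "notify_hits": sorted(hits)}


if __name__ == "__main__":
    report = triage(LOCATE_SAMPLE, NOTIFY_SAMPLE)
    print("same-size S+R clusters (bytes):", report["cluster_sizes"])
    print("\n".join(report["flagged_paths"]))  # full paths, one per line
    for sub, dll in report["notify_hits"]:
        print(f"Winlogon\\Notify\\{sub} loads {dll}")
```

Run against the constructed excerpt it reports one 417,792-byte cluster (aul70.dll, guard.tmp, sopshftr.dll) and that the Unimodem Notify entry loads sopshftr.dll, which is the entry the fixme.reg above removes. Singletons such as the ..SHR r?ndll.exe do not share a size with anything and are deliberately not flagged by this check; they still need the manual review the helper does in the thread.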

WingsFan,

 

Try running L2MFix again using Option#2

After the reboot, IF the Desktop icons do not disappear or the log does not show up then:

 

Go to the L2Mfix folder and double click second.bat to continue with the fix

 

See if that produces a Notepad log.

 

Until we remove L2M we don't stand much of a chance of cleaning up anything else on that log.

Edited by FZWG


Couple things: I tried running that KillBox program, and when I clicked OK for it to reboot after doing all the previous steps, it never rebooted the computer. A message came up that said "PendingFileRenameOperations Registry Data has been Removed by external process!" Also, the r?ndll.exe refused to add to the list.

 

Which did you want me to do now? That l2mfix that you said above or something with killbox?


L2Mfix 1.04a

 

Running From:

C:\Documents and Settings\Owner\Desktop\l2mfix

 

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

 

Setting registry permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Denying C(CI) access for predefined group "Administrators"

- adding new ACCESS DENY entry

 

 

Registry Permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

 

Setting up for Reboot

 

 

Starting Reboot!

 

Setting Directory

C:\Documents and Settings\Owner\Desktop\l2mfix

System Rebooted!

 

Running From:

C:\Documents and Settings\Owner\Desktop\l2mfix

 

killing explorer and rundll32.exe

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1696 'explorer.exe'

Killing PID 1696 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1064 'rundll32.exe'

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

Backing Up: C:\WINDOWS\system32\aul70.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\aul70.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\axmtd.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\axmtd.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\beowser.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\beowser.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cBmocx.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\cBmocx.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dgrgui.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dgrgui.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dssetup.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dssetup.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dtcpcsvc.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\dtcpcsvc.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\fosroute.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\fosroute.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\hmp95en.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\hmp95en.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kjdtuq.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kjdtuq.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kmdcan.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\kmdcan.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\krdfc.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\krdfc.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lPngwrbk.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\lPngwrbk.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mcdtcprx.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mcdtcprx.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mfmefilt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mfmefilt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mqrecr40.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mqrecr40.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\MYHTML.DLL

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\MYHTML.DLL

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\nuinstnt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\nuinstnt.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\phlstore.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\phlstore.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\rlcns4.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\rlcns4.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\sfclogon.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\sfclogon.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\szclogon.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\szclogon.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\wknnls.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\wknnls.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\wkock32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\wkock32.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\guard.tmp

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\guard.tmp

1 file(s) copied.

deleting: C:\WINDOWS\system32\aul70.dll

Successfully Deleted: C:\WINDOWS\system32\aul70.dll

deleting: C:\WINDOWS\system32\aul70.dll

Successfully Deleted: C:\WINDOWS\system32\aul70.dll

deleting: C:\WINDOWS\system32\axmtd.dll

Successfully Deleted: C:\WINDOWS\system32\axmtd.dll

deleting: C:\WINDOWS\system32\axmtd.dll

Successfully Deleted: C:\WINDOWS\system32\axmtd.dll

deleting: C:\WINDOWS\system32\beowser.dll

Successfully Deleted: C:\WINDOWS\system32\beowser.dll

deleting: C:\WINDOWS\system32\beowser.dll

Successfully Deleted: C:\WINDOWS\system32\beowser.dll

deleting: C:\WINDOWS\system32\cBmocx.dll

Successfully Deleted: C:\WINDOWS\system32\cBmocx.dll

deleting: C:\WINDOWS\system32\cBmocx.dll

Successfully Deleted: C:\WINDOWS\system32\cBmocx.dll

deleting: C:\WINDOWS\system32\dgrgui.dll

Successfully Deleted: C:\WINDOWS\system32\dgrgui.dll

deleting: C:\WINDOWS\system32\dgrgui.dll

Successfully Deleted: C:\WINDOWS\system32\dgrgui.dll

deleting: C:\WINDOWS\system32\dssetup.dll

Successfully Deleted: C:\WINDOWS\system32\dssetup.dll

deleting: C:\WINDOWS\system32\dssetup.dll

Successfully Deleted: C:\WINDOWS\system32\dssetup.dll

deleting: C:\WINDOWS\system32\dtcpcsvc.dll

Successfully Deleted: C:\WINDOWS\system32\dtcpcsvc.dll

deleting: C:\WINDOWS\system32\dtcpcsvc.dll

Successfully Deleted: C:\WINDOWS\system32\dtcpcsvc.dll

deleting: C:\WINDOWS\system32\fosroute.dll

Successfully Deleted: C:\WINDOWS\system32\fosroute.dll

deleting: C:\WINDOWS\system32\fosroute.dll

Successfully Deleted: C:\WINDOWS\system32\fosroute.dll

deleting: C:\WINDOWS\system32\hmp95en.dll

Successfully Deleted: C:\WINDOWS\system32\hmp95en.dll

deleting: C:\WINDOWS\system32\hmp95en.dll

Successfully Deleted: C:\WINDOWS\system32\hmp95en.dll

deleting: C:\WINDOWS\system32\kjdtuq.dll

Successfully Deleted: C:\WINDOWS\system32\kjdtuq.dll

deleting: C:\WINDOWS\system32\kjdtuq.dll

Successfully Deleted: C:\WINDOWS\system32\kjdtuq.dll

deleting: C:\WINDOWS\system32\kmdcan.dll

Successfully Deleted: C:\WINDOWS\system32\kmdcan.dll

deleting: C:\WINDOWS\system32\kmdcan.dll

Successfully Deleted: C:\WINDOWS\system32\kmdcan.dll

deleting: C:\WINDOWS\system32\krdfc.dll

Successfully Deleted: C:\WINDOWS\system32\krdfc.dll

deleting: C:\WINDOWS\system32\krdfc.dll

Successfully Deleted: C:\WINDOWS\system32\krdfc.dll

deleting: C:\WINDOWS\system32\lPngwrbk.dll

Successfully Deleted: C:\WINDOWS\system32\lPngwrbk.dll

deleting: C:\WINDOWS\system32\lPngwrbk.dll

Successfully Deleted: C:\WINDOWS\system32\lPngwrbk.dll

deleting: C:\WINDOWS\system32\mcdtcprx.dll

Successfully Deleted: C:\WINDOWS\system32\mcdtcprx.dll

deleting: C:\WINDOWS\system32\mcdtcprx.dll

Successfully Deleted: C:\WINDOWS\system32\mcdtcprx.dll

deleting: C:\WINDOWS\system32\mfmefilt.dll

Successfully Deleted: C:\WINDOWS\system32\mfmefilt.dll

deleting: C:\WINDOWS\system32\mfmefilt.dll

Successfully Deleted: C:\WINDOWS\system32\mfmefilt.dll

deleting: C:\WINDOWS\system32\mqrecr40.dll

Successfully Deleted: C:\WINDOWS\system32\mqrecr40.dll

deleting: C:\WINDOWS\system32\mqrecr40.dll

Successfully Deleted: C:\WINDOWS\system32\mqrecr40.dll

deleting: C:\WINDOWS\system32\MYHTML.DLL

Successfully Deleted: C:\WINDOWS\system32\MYHTML.DLL

deleting: C:\WINDOWS\system32\MYHTML.DLL

Successfully Deleted: C:\WINDOWS\system32\MYHTML.DLL

deleting: C:\WINDOWS\system32\nuinstnt.dll

Successfully Deleted: C:\WINDOWS\system32\nuinstnt.dll

deleting: C:\WINDOWS\system32\nuinstnt.dll

Successfully Deleted: C:\WINDOWS\system32\nuinstnt.dll

deleting: C:\WINDOWS\system32\phlstore.dll

Successfully Deleted: C:\WINDOWS\system32\phlstore.dll

deleting: C:\WINDOWS\system32\phlstore.dll

Successfully Deleted: C:\WINDOWS\system32\phlstore.dll

deleting: C:\WINDOWS\system32\rlcns4.dll

Successfully Deleted: C:\WINDOWS\system32\rlcns4.dll

deleting: C:\WINDOWS\system32\rlcns4.dll

Successfully Deleted: C:\WINDOWS\system32\rlcns4.dll

deleting: C:\WINDOWS\system32\sfclogon.dll

Successfully Deleted: C:\WINDOWS\system32\sfclogon.dll

deleting: C:\WINDOWS\system32\sfclogon.dll

Successfully Deleted: C:\WINDOWS\system32\sfclogon.dll

deleting: C:\WINDOWS\system32\szclogon.dll

Successfully Deleted: C:\WINDOWS\system32\szclogon.dll

deleting: C:\WINDOWS\system32\szclogon.dll

Successfully Deleted: C:\WINDOWS\system32\szclogon.dll

deleting: C:\WINDOWS\system32\wknnls.dll

Successfully Deleted: C:\WINDOWS\system32\wknnls.dll

deleting: C:\WINDOWS\system32\wknnls.dll

Successfully Deleted: C:\WINDOWS\system32\wknnls.dll

deleting: C:\WINDOWS\system32\wkock32.dll

Successfully Deleted: C:\WINDOWS\system32\wkock32.dll

deleting: C:\WINDOWS\system32\wkock32.dll

Successfully Deleted: C:\WINDOWS\system32\wkock32.dll

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

 

 

Zipping up files for submission:

adding: aul70.dll (188 bytes security) (deflated 48%)

adding: axmtd.dll (188 bytes security) (deflated 48%)

adding: beowser.dll (188 bytes security) (deflated 48%)

adding: cBmocx.dll (188 bytes security) (deflated 48%)

adding: dgrgui.dll (188 bytes security) (deflated 48%)

adding: dssetup.dll (188 bytes security) (deflated 48%)

adding: dtcpcsvc.dll (188 bytes security) (deflated 48%)

adding: fosroute.dll (188 bytes security) (deflated 48%)

adding: hmp95en.dll (188 bytes security) (deflated 48%)

adding: kjdtuq.dll (188 bytes security) (deflated 48%)

adding: kmdcan.dll (188 bytes security) (deflated 48%)

adding: krdfc.dll (188 bytes security) (deflated 48%)

adding: lPngwrbk.dll (188 bytes security) (deflated 48%)

adding: mcdtcprx.dll (188 bytes security) (deflated 48%)

adding: mfmefilt.dll (188 bytes security) (deflated 48%)

adding: mqrecr40.dll (188 bytes security) (deflated 48%)

adding: MYHTML.DLL (188 bytes security) (deflated 48%)

adding: nuinstnt.dll (188 bytes security) (deflated 48%)

adding: phlstore.dll (188 bytes security) (deflated 48%)

adding: rlcns4.dll (188 bytes security) (deflated 48%)

adding: sfclogon.dll (188 bytes security) (deflated 48%)

adding: szclogon.dll (188 bytes security) (deflated 48%)

adding: wknnls.dll (188 bytes security) (deflated 48%)

adding: wkock32.dll (188 bytes security) (deflated 48%)

adding: guard.tmp (188 bytes security) (deflated 48%)

adding: clear.reg (188 bytes security) (deflated 46%)

adding: echo.reg (188 bytes security) (deflated 12%)

adding: direct.txt (188 bytes security) (stored 0%)

adding: lo2.txt (188 bytes security) (deflated 89%)

adding: readme.txt (188 bytes security) (deflated 52%)

adding: report.txt (188 bytes security) (deflated 65%)

adding: test.txt (188 bytes security) (deflated 89%)

adding: test2.txt (188 bytes security) (deflated 26%)

adding: test3.txt (188 bytes security) (deflated 26%)

adding: test5.txt (188 bytes security) (deflated 26%)

adding: xfind.txt (188 bytes security) (deflated 86%)

adding: backregs/18684CBF-8C99-4A79-8B92-F3EAD75B3E4E.reg (188 bytes security) (deflated 70%)

adding: backregs/C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6.reg (188 bytes security) (deflated 70%)

adding: backregs/DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5.reg (188 bytes security) (deflated 70%)

adding: backregs/notibac.reg (188 bytes security) (deflated 87%)

adding: backregs/shell.reg (188 bytes security) (deflated 73%)


Restoring Registry Permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Revoking access for predefined group "Administrators"

Inherited ACE can not be revoked here!

Inherited ACE can not be revoked here!

Warning (option /rga:(ci)) - There is no ACE to remove!

 

 

Registry permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

Restoring Sedebugprivilege:

 

Granting SeDebugPrivilege to Administrators ... successful

 

Restoring Windows Update Certificates.:

 

deleting local copy: aul70.dll

deleting local copy: aul70.dll

deleting local copy: axmtd.dll

deleting local copy: axmtd.dll

deleting local copy: beowser.dll

deleting local copy: beowser.dll

deleting local copy: cBmocx.dll

deleting local copy: cBmocx.dll

deleting local copy: dgrgui.dll

deleting local copy: dgrgui.dll

deleting local copy: dssetup.dll

deleting local copy: dssetup.dll

deleting local copy: dtcpcsvc.dll

deleting local copy: dtcpcsvc.dll

deleting local copy: fosroute.dll

deleting local copy: fosroute.dll

deleting local copy: hmp95en.dll

deleting local copy: hmp95en.dll

deleting local copy: kjdtuq.dll

deleting local copy: kjdtuq.dll

deleting local copy: kmdcan.dll

deleting local copy: kmdcan.dll

deleting local copy: krdfc.dll

deleting local copy: krdfc.dll

deleting local copy: lPngwrbk.dll

deleting local copy: lPngwrbk.dll

deleting local copy: mcdtcprx.dll

deleting local copy: mcdtcprx.dll

deleting local copy: mfmefilt.dll

deleting local copy: mfmefilt.dll

deleting local copy: mqrecr40.dll

deleting local copy: mqrecr40.dll

deleting local copy: MYHTML.DLL

deleting local copy: MYHTML.DLL

deleting local copy: nuinstnt.dll

deleting local copy: nuinstnt.dll

deleting local copy: phlstore.dll

deleting local copy: phlstore.dll

deleting local copy: rlcns4.dll

deleting local copy: rlcns4.dll

deleting local copy: sfclogon.dll

deleting local copy: sfclogon.dll

deleting local copy: szclogon.dll

deleting local copy: szclogon.dll

deleting local copy: wknnls.dll

deleting local copy: wknnls.dll

deleting local copy: wkock32.dll

deleting local copy: wkock32.dll

deleting local copy: guard.tmp

deleting local copy: guard.tmp

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

@=""

"DLLName"="igfxsrvc.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\sopshftr.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\aul70.dll

C:\WINDOWS\system32\aul70.dll

C:\WINDOWS\system32\axmtd.dll

C:\WINDOWS\system32\axmtd.dll

C:\WINDOWS\system32\beowser.dll

C:\WINDOWS\system32\beowser.dll

C:\WINDOWS\system32\cBmocx.dll

C:\WINDOWS\system32\cBmocx.dll

C:\WINDOWS\system32\dgrgui.dll

C:\WINDOWS\system32\dgrgui.dll

C:\WINDOWS\system32\dssetup.dll

C:\WINDOWS\system32\dssetup.dll

C:\WINDOWS\system32\dtcpcsvc.dll

C:\WINDOWS\system32\dtcpcsvc.dll

C:\WINDOWS\system32\fosroute.dll

C:\WINDOWS\system32\fosroute.dll

C:\WINDOWS\system32\hmp95en.dll

C:\WINDOWS\system32\hmp95en.dll

C:\WINDOWS\system32\kjdtuq.dll

C:\WINDOWS\system32\kjdtuq.dll

C:\WINDOWS\system32\kmdcan.dll

C:\WINDOWS\system32\kmdcan.dll

C:\WINDOWS\system32\krdfc.dll

C:\WINDOWS\system32\krdfc.dll

C:\WINDOWS\system32\lPngwrbk.dll

C:\WINDOWS\system32\lPngwrbk.dll

C:\WINDOWS\system32\mcdtcprx.dll

C:\WINDOWS\system32\mcdtcprx.dll

C:\WINDOWS\system32\mfmefilt.dll

C:\WINDOWS\system32\mfmefilt.dll

C:\WINDOWS\system32\mqrecr40.dll

C:\WINDOWS\system32\mqrecr40.dll

C:\WINDOWS\system32\MYHTML.DLL

C:\WINDOWS\system32\MYHTML.DLL

C:\WINDOWS\system32\nuinstnt.dll

C:\WINDOWS\system32\nuinstnt.dll

C:\WINDOWS\system32\phlstore.dll

C:\WINDOWS\system32\phlstore.dll

C:\WINDOWS\system32\rlcns4.dll

C:\WINDOWS\system32\rlcns4.dll

C:\WINDOWS\system32\sfclogon.dll

C:\WINDOWS\system32\sfclogon.dll

C:\WINDOWS\system32\szclogon.dll

C:\WINDOWS\system32\szclogon.dll

C:\WINDOWS\system32\wknnls.dll

C:\WINDOWS\system32\wknnls.dll

C:\WINDOWS\system32\wkock32.dll

C:\WINDOWS\system32\wkock32.dll

C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\guard.tmp

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}"=-

"{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}"=-

"{18684CBF-8C99-4A79-8B92-F3EAD75B3E4E}"=-

[-HKEY_CLASSES_ROOT\CLSID\{DAFF17C2-7AE4-4560-8D49-4243C0A6DDF5}]

[-HKEY_CLASSES_ROOT\CLSID\{C6C97C75-B8E1-4288-A16D-C7C3A2C5BCD6}]

[-HKEY_CLASSES_ROOT\CLSID\{18684CBF-8C99-4A79-8B92-F3EAD75B3E4E}]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

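The export of the Winlogon\Notify key above is the part of this log that matters most: every subkey there names a DLL that winlogon.exe loads at boot and calls on logon/logoff events, which is why Look2Me registers its randomly named DLLs under it (here the Syncmgr subkey points at sopshftr.dll). The script below is an added example, not part of the posted log or of L2MFix. It parses a .reg export of that key, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values that regedit wraps across lines, and flags subkeys whose DLL is not on a baseline list of the notification packages that ship with Windows XP or that is registered by absolute path. The baseline list is my assumption; the sample export is a constructed subset of the entries shown above. A flag means "look at this", not "malicious": the Intel igfxsrvc.dll entry is flagged only because it is not a stock XP component.

```python
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notification packages that ship with Windows XP. Assumption: this baseline is
# mine, not from the log; anything outside it is flagged for review, not convicted.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                 "wlnotify.dll", "wzcdlg.dll"}

# Constructed sample: four subkeys copied from the export in the log above
# (two stock XP entries, the Intel entry, and the entry pointing at sopshftr.dll).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\sopshftr.dll"
"Logon"="WinLogon"
'''


def _join_continuations(text: str) -> List[str]:
    """Re-join values that regedit wraps onto several lines with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def _decode_value(rhs: str) -> str:
    """Decode a .reg value: a quoted REG_SZ, or a hex(2) (REG_EXPAND_SZ, UTF-16LE) blob."""
    rhs = rhs.strip()
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace("\\\\", "\\")  # .reg files double every backslash
    m = re.match(r"hex\(2\):(.*)", rhs)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return rhs


def parse_notify_export(text: str) -> Dict[str, str]:
    """Return {subkey: DllName} for every Winlogon\\Notify subkey in the export."""
    entries, current = {}, None
    prefix = NOTIFY_KEY.lower() + "\\"
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, rhs = line.partition("=")
        if name.strip('"').lower() == "dllname":
            entries[current] = _decode_value(rhs)
    return entries


def triage(entries: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Attach review reasons to each notification package; empty reasons are dropped."""
    findings = []
    for subkey, dll in entries.items():
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in BASELINE_DLLS:
            reasons.append("not an XP baseline notification package")
        if "\\" in dll:
            reasons.append("registered by absolute path")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in triage(parse_notify_export(SAMPLE_REG)):
        print(f"{subkey:14} {dll:40} {'; '.join(reasons)}")
```

Run against a full export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` on the affected machine) the same two functions give a short list of DLLs to hash and back up before removing the subkeys, which is what L2MFix does in the "backregs" step above.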

Logfile of HijackThis v1.99.1

Scan saved at 1:24:41 AM, on 10/3/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\gegxrth.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\S3apphk.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\dinst.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\ms052719413425.exe

C:\WINDOWS\Sys98.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\NEWADP~2.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\System32\ifs139.exe

C:\WINDOWS\Sys98.exe

C:\WINDOWS\system32\ngpw38.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: (no name) - {72E534C4-29C6-6D7F-B7AE-B7975456F0D5} - C:\WINDOWS\Uswywcvw.dll

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\ngsh33.dll

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

O3 - Toolbar: Search - {0316E09A-F7F4-3371-36F9-56A779C0E25D} - C:\WINDOWS\Uswywcvw.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe

O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lsdk4k.exe reg_run

O4 - HKLM\..\Run: [adprot] C:\WINDOWS\System32\NEWADP~2.EXE

O4 - HKLM\..\Run: [NEWADP~2] C:\WINDOWS\System32\NEWADP~2.exe

O4 - HKLM\..\Run: [dcxzxjr] C:\WINDOWS\System32\gegxrth.exe r

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe

O4 - HKCU\..\Run: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - HKCU\..\Run: [sys98] C:\WINDOWS\Sys98.exe

O4 - HKCU\..\RunOnce: [ifs139] C:\WINDOWS\System32\ifs139.exe

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127194252445

O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\sopshftr.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

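The HijackThis log above is read by section prefix: R0/R1 are IE search and start-page settings, F2 is the system.ini Shell= line, O4 is autostart entries, O20 is Winlogon Notify packages and O23 is services. The script below is an added example, not HijackThis's own code or anything from this thread. It applies a few first-pass rules to lines in that format: search settings that resolve to a host other than the default IE providers, a Shell= line that launches anything besides Explorer.exe, an O4 binary sitting directly in the Windows directory, an O20 package outside a baseline list of stock XP notification DLLs, and an O23 service whose file has no version-info owner. The host allowlist, the XP baseline list and the "Windows directory root" heuristic are my assumptions; the sample is a constructed subset of the lines posted above, and a hit is a review item, not a verdict (igfxsrvc.dll is flagged only as non-stock).

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumptions (mine, not HijackThis's): default IE search hosts, and the
# notification packages that ship with Windows XP. Anything else is a review item.
SEARCH_HOSTS_OK = {"microsoft.com", "msn.com"}
NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                   "wlnotify.dll", "wzcdlg.dll"}

# Constructed sample: eight lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms052719413425] C:\WINDOWS\ms052719413425.exe
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\sopshftr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LINE_RE = re.compile(r"^(R0|R1|F2|O4|O20|O23) - (.*)$")
# Heuristic: legitimate software rarely drops its autostart binary straight into C:\WINDOWS.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def _host(url: str) -> str:
    """Hostname of a URL; HJT sometimes omits the scheme (e.g. SearchURL lines)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _host_allowed(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SEARCH_HOSTS_OK)


def triage_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, reason) pairs for log lines a responder should look at."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            host = _host(body.split(" = ", 1)[-1].strip())
            if host and not _host_allowed(host):
                findings.append((kind, f"search setting points at {host}"))
        elif kind == "F2" and "Shell=" in body:
            # system.ini Shell= should be Explorer.exe alone; anything appended
            # is started by Winlogon alongside the real shell.
            extras = [p for p in body.split("Shell=", 1)[1].split()
                      if p.lower() != "explorer.exe"]
            if extras:
                findings.append((kind, "shell line runs extra executable(s): " + " ".join(extras)))
        elif kind == "O4" and "] " in body:
            target = body.split("] ", 1)[1].strip().strip('"')
            if WINDIR_ROOT_RE.match(target):
                findings.append((kind, f"autostart binary directly in the Windows directory: {target}"))
        elif kind == "O20" and body.startswith("Winlogon Notify: "):
            subkey, _, dll = body[len("Winlogon Notify: "):].partition(" - ")
            base = dll.rsplit("\\", 1)[-1].lower()
            if base not in NOTIFY_BASELINE:
                findings.append((kind, f"notification package not in XP baseline: {base} ({subkey})"))
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append((kind, "service with unknown owner: " + body.rsplit(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for section, reason in triage_hjt(SAMPLE_HJT):
        print(f"{section:4} {reason}")
```

Feeding the whole log through `triage_hjt` gives the same short list a helper would build by hand from this post: the drsnsrch.com search hijack, Nail.exe on the Shell= line, the numeric-named binaries in C:\WINDOWS, the sopshftr.dll notification package and the SvcProc service with no owner.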