
How do I remove CoolWebSearch/VX2 infestation?

Discussion in 'Virus & Other Malware Removal' started by jkrim, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Hello,

    I seem to be infested with CoolWebSearch and VX2, and I cannot seem to get rid of them. Ad-Aware claims I'm clean of VX2, then proceeds to find them, but can't delete the .dll because it is being used. It is a chicken-and-egg syndrome.
    I am using WinXP, and every so often an unsolicited IE pop-up window occurs (sometimes "www.loadingwebsite.com" and sometimes others).

    Thank you,
    Jordan Krim
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,056
    Hi and welcome to TSG,

    Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
    to download Hijack This.

    It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

    DO NOT FIX ANYTHING YET; most items that appear in the log are harmless or even needed.
     
  3. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Hello,

    First, thank you very much for replying to my plea for help. Here is my log:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:20:57 AM, on 1/31/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\LDCLIENT\LOCALSCH.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\LDCLIENT\QIPCLNT.EXE
    C:\LDClient\tmcsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\nvsvc32.exe
    c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    C:\LDClient\wuser32.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\LDClient\SoftMon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wuwiqi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\Lotus\notes\NLNOTES.EXE
    C:\Program Files\lotus\notes\NCDaemon.exe
    C:\Program Files\Lotus\notes\ntaskldr.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.colo.seagate.com/colohome/index.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDClient\SoftMon.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Auto_Inventory] C:\WINDOWS\LDPrimary.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O16 - DPF: Ariba Client 6.1 - http://oksun1.okla.seagate.com:10001/ariba-prd/aribaIE4.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14c1aa8cbd78c9e2bb15/netzip/RdxIE601.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: Intel QIP Client Service - LANDesk® Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
    O23 - Service: Intel Targeted Multicast - LANDesk® Software Ltd. - C:\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Intel Remote Control Service - LANDesk® Software Ltd. - C:\LDClient\wuser32.exe

    Jordan Krim
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    First, download lspfix.exe from http://www.spyware911.net/downloads/LSPFix.exe. Launch the application,
    click the "I know what I'm doing" checkbox, move all instances of dolsp.dll to the remove
    pane (left hand), and click Finish.
     
  5. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Hello,

    I downloaded lspfix.exe and removed dolsp.dll. What next?

    Jordan Krim
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.colo.seagate.com/colohome/index.html

    R3 - Default URLSearchHook is missing

    Reboot and post a new HijackThis log.


    I do not know what this is; maybe some program that you use for your work:

    O4 - HKLM\..\Run: [Auto_Inventory] C:\WINDOWS\LDPrimary.exe
     
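As an added example (not from the thread, and not part of HijackThis), a Python triage script over a constructed excerpt of jkrim's log: it cross-references the running-process list against the launch-point entries (F2/O4/O23) so that executables with no visible autostart are listed for review, counts the O10 unknown-LSP hits per DLL, and checks for the missing URLSearchHook that mjack547 asks to fix. The core-Windows allowlist is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt of the HijackThis 1.99.0 log posted in this thread (a subset of its lines).
HJT_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\rundll32.exe
C:\LDClient\SoftMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\wuwiqi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.colo.seagate.com/colohome/index.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDClient\SoftMon.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: Intel Remote Control Service - LANDesk Software Ltd. - C:\LDClient\wuser32.exe
"""

# Core Windows XP processes that have no Run/Service entry by design (assumed allowlist).
CORE_WINDOWS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "hijackthis.exe"}

ENTRY = re.compile(r"^[ROF]\d+ - ")


def parse_hjt(text):
    """Split a log into (running process paths, Rx/Fx/Oxx entry lines)."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs and not line:
            in_procs = False          # the blank line ends the process list
        elif ENTRY.match(line):
            entries.append(line)
    return procs, entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexplained_processes(procs, entries):
    """Running executables that no F2/O4/O23 launch point in the log accounts for."""
    launch = "\n".join(e for e in entries if e.split(" - ", 1)[0] in {"F2", "O4", "O23"}).lower()
    return [p for p in procs
            if basename(p) not in CORE_WINDOWS and basename(p) not in launch]


def unknown_lsp(entries):
    """Count O10 'Unknown file in Winsock LSP' hits per DLL (one DLL can occupy several catalog slots)."""
    hits = Counter()
    for e in entries:
        if e.startswith("O10 - Unknown file in Winsock LSP:"):
            hits[e.split("LSP:", 1)[1].strip().lower()] += 1
    return dict(hits)


def triage(text):
    procs, entries = parse_hjt(text)
    return {
        "unexplained_processes": unexplained_processes(procs, entries),
        "unknown_lsp": unknown_lsp(entries),
        "urlsearchhook_missing": any(e.startswith("R3 - Default URLSearchHook is missing") for e in entries),
    }


if __name__ == "__main__":
    for finding, value in triage(HJT_LOG).items():
        print(f"{finding}: {value}")
```

A process on the "unexplained" list is only a lead for manual review: the log shows no launch point for it, which is exactly what makes it worth a closer look.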
  7. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Hello,

    I don't know what ldprimary.exe is. My buddy at work has it on his system as well, so maybe it is something I need. I will try to find out.

    In the meantime, here is my hijackthis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:32:49 AM, on 1/31/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\LDCLIENT\LOCALSCH.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\LDCLIENT\QIPCLNT.EXE
    C:\LDClient\tmcsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\nvsvc32.exe
    c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    C:\LDClient\wuser32.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\LDClient\SoftMon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\LDPrimary.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wuwiqi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDClient\SoftMon.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Auto_Inventory] C:\WINDOWS\LDPrimary.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Ariba Client 6.1 - http://oksun1.okla.seagate.com:10001/ariba-prd/aribaIE4.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14c1aa8cbd78c9e2bb15/netzip/RdxIE601.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: Intel QIP Client Service - LANDesk® Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
    O23 - Service: Intel Targeted Multicast - LANDesk® Software Ltd. - C:\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Intel Remote Control Service - LANDesk® Software Ltd. - C:\LDClient\wuser32.exe


    Jordan
     
  8. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Hello,

    LDPrimary.exe is OK. It is LANDesk. See last entry of my previous hijackthis log. What do I do next? I am still getting pop-ups.

    Jordan Krim
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    OK, let's see if it is VX2.

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
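As an added example (not part of the thread or of L2MFix), a Python parser for the .reg-style blocks of the L2MFix find log, run over a constructed excerpt in the format jkrim posts next: it reports Winlogon\Notify packages whose DllName is not a stock Windows notification DLL, and resolves Approved shell extensions that carry an empty description to the DLL their InprocServer32 key names. The stock-DLL allowlist is an assumption.

```python
import re

# Constructed excerpt in the format of the L2MFix 1.02a find log posted in this thread.
L2M_LOG = r"""
L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\e420lefm1h2a.dll"

**********************************************************************************
Shell Extension key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{7AB4AAC7-BA8E-4099-9F81-680E35E65526}"=""
"{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}\InprocServer32]
@="C:\\WINDOWS\\system32\\rCsmontr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrecedit.dll"
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
CLSID_INPROC = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)

# Winlogon notification DLLs that ship with Windows XP (assumed allowlist for this example).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}


def reg_unescape(s):
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_dump(text):
    """Parse the .reg-style blocks of a find log into {key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := REG_VAL.match(line)):
            name = "@" if m.group(1) == "@" else reg_unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = reg_unescape(data[1:-1])   # REG_SZ; dword:/hex: data is kept verbatim
            keys[current][name] = data
    return keys


def l2m_findings(text):
    keys = parse_reg_dump(text)
    # 1. Winlogon\Notify packages whose DllName is not a stock Windows notification DLL.
    notify = {}
    for key, vals in keys.items():
        dll = vals.get("DllName", "")
        if dll and key.lower().startswith(NOTIFY_PREFIX.lower()):
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                notify[key[len(NOTIFY_PREFIX):]] = dll
    # 2. Approved shell extensions registered with an empty description, resolved
    #    through HKCR\CLSID\{...}\InprocServer32 to the DLL that implements them.
    inproc = {}
    for key, vals in keys.items():
        if m := CLSID_INPROC.match(key):
            inproc[m.group(1).upper()] = vals.get("@", "")
    lower = {k.lower(): v for k, v in keys.items()}
    approved = lower.get(APPROVED_KEY.lower(), {})
    unnamed = {clsid: inproc.get(clsid.upper(), "<no InprocServer32 in log>")
               for clsid, desc in approved.items() if desc == ""}
    return {"notify_dlls": notify, "unnamed_shell_extensions": unnamed}


if __name__ == "__main__":
    for section, hits in l2m_findings(L2M_LOG).items():
        print(section, hits)
```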
  10. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    dvk01,

    I think it is VX2 (and CoolWebSearch). Here is my log.

    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\e420lefm1h2a.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0947FE56-67CB-4BE1-A164-32A226DDF50A}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
    "{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{7AB4AAC7-BA8E-4099-9F81-680E35E65526}"=""
    "{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}"=""
    "{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}"=""
    "{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}"=""
    "{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}"=""
    "{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}"=""
    "{C02EB115-C1C1-4900-A98F-A594DD632C78}"=""
    "{DCC2CC79-5415-4562-942A-D8580C7AA083}"=""
    "{255F6478-D157-4949-9F91-D4B47DAA5DB8}"=""
    "{ED282CCF-A532-41E6-8155-7207B808797D}"=""
    "{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}\InprocServer32]
    @="C:\\WINDOWS\\system32\\rCsmontr.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}\InprocServer32]
    @="C:\\WINDOWS\\system32\\wrecedit.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}\InprocServer32]
    @="C:\\WINDOWS\\system32\\wystream.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}\InprocServer32]
    @="C:\\WINDOWS\\system32\\rjgwizc.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}\InprocServer32]
    @="C:\\WINDOWS\\system32\\dk3j.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}\InprocServer32]
    @="C:\\WINDOWS\\system32\\kkdbr.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C02EB115-C1C1-4900-A98F-A594DD632C78}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C02EB115-C1C1-4900-A98F-A594DD632C78}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C02EB115-C1C1-4900-A98F-A594DD632C78}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C02EB115-C1C1-4900-A98F-A594DD632C78}\InprocServer32]
    @="C:\\WINDOWS\\system32\\senike.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{DCC2CC79-5415-4562-942A-D8580C7AA083}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DCC2CC79-5415-4562-942A-D8580C7AA083}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DCC2CC79-5415-4562-942A-D8580C7AA083}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{DCC2CC79-5415-4562-942A-D8580C7AA083}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{255F6478-D157-4949-9F91-D4B47DAA5DB8}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{255F6478-D157-4949-9F91-D4B47DAA5DB8}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{255F6478-D157-4949-9F91-D4B47DAA5DB8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{255F6478-D157-4949-9F91-D4B47DAA5DB8}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mfxml3.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{ED282CCF-A532-41E6-8155-7207B808797D}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{ED282CCF-A532-41E6-8155-7207B808797D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{ED282CCF-A532-41E6-8155-7207B808797D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{ED282CCF-A532-41E6-8155-7207B808797D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\kmrberos.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}\InprocServer32]
    @="C:\\WINDOWS\\system32\\dsscript.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    cucyiy.dll Tue Jan 25 2005 8:33:22a A.... 5,632 5.50 K
    dk3j.dll Fri Jan 21 2005 4:28:58p ..S.R 224,914 219.64 K
    docore.dll Tue Jan 25 2005 9:27:16a A.... 151,552 148.00 K
    dolsp.dll Tue Jan 25 2005 9:27:16a A.... 139,264 136.00 K
    dosync.dll Tue Jan 25 2005 9:27:14a A.... 114,688 112.00 K
    dsscript.dll Tue Feb 1 2005 6:27:46a ..S.R 223,707 218.46 K
    e420le~1.dll Mon Jan 31 2005 10:27:02a ..S.R 223,707 218.46 K
    enpul1~1.dll Wed Jan 19 2005 3:18:34p ..S.R 226,082 220.78 K
    epeoso.dll Sat Jan 29 2005 12:30:50p A.... 24,576 24.00 K
    fn0021~1.dll Mon Jan 24 2005 6:53:38p ..S.R 223,816 218.57 K
    fpl603~1.dll Wed Jan 19 2005 11:19:06a ..S.R 224,844 219.57 K
    g4400e~1.dll Fri Jan 28 2005 1:51:46p ..S.R 225,761 220.47 K
    g822li~1.dll Sat Jan 29 2005 12:32:00p ..S.R 223,215 217.98 K
    h44mle~1.dll Mon Jan 31 2005 3:52:02p ..S.R 224,358 219.10 K
    hypertrm.dll Wed Nov 17 2004 10:57:02a A.... 493,056 481.50 K
    j42q0e~1.dll Mon Jan 31 2005 9:50:56a ..S.R 223,153 217.92 K
    jt4407~1.dll Wed Jan 19 2005 9:47:50a ..S.R 225,291 220.01 K
    k4no0e~1.dll Fri Jan 21 2005 4:31:50p ..S.R 224,914 219.64 K
    kwdbr.dll Sat Jan 29 2005 10:55:12a ..S.R 224,432 219.17 K
    lv0409~1.dll Tue Jan 25 2005 9:35:42a ..S.R 223,345 218.11 K
    nzprovau.dll Fri Jan 28 2005 3:19:56p A.... 223,117 217.89 K
    pncrt.dll Fri Jan 14 2005 11:08:38a A.... 278,528 272.00 K
    pndx5016.dll Fri Jan 14 2005 11:08:42a A.... 6,656 6.50 K
    pndx5032.dll Fri Jan 14 2005 11:08:42a A.... 5,632 5.50 K
    r0p80a~1.dll Wed Jan 19 2005 9:37:26a ..S.R 224,513 219.25 K
    rmoc3260.dll Fri Jan 14 2005 11:08:58a A.... 176,167 172.04 K
    s4rs0e~1.dll Mon Jan 24 2005 8:19:04a ..S.R 223,730 218.48 K
    shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
    sporder.dll Fri Jan 14 2005 12:41:38p A.... 8,464 8.27 K
    user32.dll Tue Dec 28 2004 6:31:44p A.... 574,464 561.00 K
    wenetmgr.dll Fri Jan 21 2005 8:18:52a ..S.R 224,111 218.86 K
    wzpcd.dll Fri Jan 21 2005 3:59:08p ..S.R 224,914 219.64 K

    32 items found: 32 files (18 H/S), 0 directories.
    Total of file sizes: 7,572,827 bytes 7.22 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 3C9D-AF8C

    Directory of C:\WINDOWS\System32

    02/01/2005 06:27 AM 223,707 dsscript.dll
    01/31/2005 03:52 PM 224,358 h44mleh11h4.dll
    01/31/2005 10:27 AM 223,707 e420lefm1h2a.dll
    01/31/2005 09:50 AM 223,153 j42q0ef5eh2.dll
    01/29/2005 12:31 PM 223,215 g822lifo182c.dll
    01/29/2005 10:55 AM 224,432 kwdbr.dll
    01/28/2005 01:51 PM 225,761 g4400ehmeh4a0.dll
    01/25/2005 09:35 AM 223,345 lv0409dqe.dll
    01/24/2005 06:53 PM 223,816 fn0021dmg.dll
    01/24/2005 08:19 AM 223,730 s4rs0e97eh.dll
    01/21/2005 04:31 PM 224,914 k4no0e53eh.dll
    01/21/2005 04:28 PM 224,914 dk3j.dll
    01/21/2005 03:59 PM 224,914 wzpcd.dll
    01/21/2005 08:18 AM 224,111 wenetmgr.dll
    01/19/2005 03:18 PM 226,082 enpul1791.dll
    01/19/2005 11:19 AM 224,844 fpl6033se.dll
    01/19/2005 09:47 AM 225,291 jt4407hqe.dll
    01/19/2005 09:38 AM <DIR> dllcache
    01/19/2005 09:37 AM 224,513 r0p80a7ued.dll
    04/01/2004 08:08 AM <DIR> Microsoft
    18 File(s) 4,038,807 bytes
    2 Dir(s) 32,042,311,680 bytes free

    Jordan Krim
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  12. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Dvk01,

    Here is my l2mfix log:

    ----------------------------------------------------------------------
    L2Mfix 1.02a

    Running From:
    C:\Documents and Settings\krimj\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\krimj\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\krimj\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 864 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 1220 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\dcscript.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dk3j.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dsscript.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\enpul1791.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fn0021dmg.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fpl6033se.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\g4400ehmeh4a0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\g822lifo182c.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\h44mleh11h4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\j42q0ef5eh2.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\jt4407hqe.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\k4no0e53eh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\kwdbr.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lv0409dqe.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\nzprovau.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\r0p80a7ued.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\s4rs0e97eh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\wenetmgr.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\wzpcd.dll
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\dcscript.dll
    Successfully Deleted: C:\WINDOWS\system32\dcscript.dll
    deleting: C:\WINDOWS\system32\dk3j.dll
    Successfully Deleted: C:\WINDOWS\system32\dk3j.dll
    deleting: C:\WINDOWS\system32\dsscript.dll
    Successfully Deleted: C:\WINDOWS\system32\dsscript.dll
    deleting: C:\WINDOWS\system32\enpul1791.dll
    Successfully Deleted: C:\WINDOWS\system32\enpul1791.dll
    deleting: C:\WINDOWS\system32\fn0021dmg.dll
    Successfully Deleted: C:\WINDOWS\system32\fn0021dmg.dll
    deleting: C:\WINDOWS\system32\fpl6033se.dll
    Successfully Deleted: C:\WINDOWS\system32\fpl6033se.dll
    deleting: C:\WINDOWS\system32\g4400ehmeh4a0.dll
    Successfully Deleted: C:\WINDOWS\system32\g4400ehmeh4a0.dll
    deleting: C:\WINDOWS\system32\g822lifo182c.dll
    Successfully Deleted: C:\WINDOWS\system32\g822lifo182c.dll
    deleting: C:\WINDOWS\system32\h44mleh11h4.dll
    Successfully Deleted: C:\WINDOWS\system32\h44mleh11h4.dll
    deleting: C:\WINDOWS\system32\j42q0ef5eh2.dll
    Successfully Deleted: C:\WINDOWS\system32\j42q0ef5eh2.dll
    deleting: C:\WINDOWS\system32\jt4407hqe.dll
    Successfully Deleted: C:\WINDOWS\system32\jt4407hqe.dll
    deleting: C:\WINDOWS\system32\k4no0e53eh.dll
    Successfully Deleted: C:\WINDOWS\system32\k4no0e53eh.dll
    deleting: C:\WINDOWS\system32\kwdbr.dll
    Successfully Deleted: C:\WINDOWS\system32\kwdbr.dll
    deleting: C:\WINDOWS\system32\lv0409dqe.dll
    Successfully Deleted: C:\WINDOWS\system32\lv0409dqe.dll
    deleting: C:\WINDOWS\system32\nzprovau.dll
    Successfully Deleted: C:\WINDOWS\system32\nzprovau.dll
    deleting: C:\WINDOWS\system32\r0p80a7ued.dll
    Successfully Deleted: C:\WINDOWS\system32\r0p80a7ued.dll
    deleting: C:\WINDOWS\system32\s4rs0e97eh.dll
    Successfully Deleted: C:\WINDOWS\system32\s4rs0e97eh.dll
    deleting: C:\WINDOWS\system32\wenetmgr.dll
    Successfully Deleted: C:\WINDOWS\system32\wenetmgr.dll
    deleting: C:\WINDOWS\system32\wzpcd.dll
    Successfully Deleted: C:\WINDOWS\system32\wzpcd.dll

    Desktop.ini sucessfully removed

    Zipping up files for submission:
    adding: dcscript.dll (164 bytes security) (deflated 4%)
    adding: dk3j.dll (164 bytes security) (deflated 4%)
    adding: dsscript.dll (164 bytes security) (deflated 4%)
    adding: enpul1791.dll (164 bytes security) (deflated 5%)
    adding: fn0021dmg.dll (164 bytes security) (deflated 4%)
    adding: fpl6033se.dll (164 bytes security) (deflated 4%)
    adding: g4400ehmeh4a0.dll (164 bytes security) (deflated 5%)
    adding: g822lifo182c.dll (164 bytes security) (deflated 4%)
    adding: h44mleh11h4.dll (164 bytes security) (deflated 4%)
    adding: j42q0ef5eh2.dll (164 bytes security) (deflated 4%)
    adding: jt4407hqe.dll (164 bytes security) (deflated 4%)
    adding: k4no0e53eh.dll (164 bytes security) (deflated 4%)
    adding: kwdbr.dll (164 bytes security) (deflated 4%)
    adding: lv0409dqe.dll (164 bytes security) (deflated 4%)
    adding: nzprovau.dll (164 bytes security) (deflated 3%)
    adding: r0p80a7ued.dll (164 bytes security) (deflated 4%)
    adding: s4rs0e97eh.dll (164 bytes security) (deflated 4%)
    adding: wenetmgr.dll (164 bytes security) (deflated 4%)
    adding: wzpcd.dll (164 bytes security) (deflated 4%)
    adding: clear.reg (164 bytes security) (deflated 65%)
    adding: echo.reg (164 bytes security) (deflated 8%)
    adding: desktop.ini (164 bytes security) (deflated 13%)
    adding: direct.txt (164 bytes security) (stored 0%)
    adding: lo2.txt (164 bytes security) (deflated 82%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 68%)
    adding: test.txt (164 bytes security) (deflated 77%)
    adding: test2.txt (164 bytes security) (deflated 46%)
    adding: test3.txt (164 bytes security) (deflated 46%)
    adding: test5.txt (164 bytes security) (deflated 46%)
    adding: xfind.txt (164 bytes security) (deflated 72%)
    adding: backregs/16BC434A-1B58-4245-894D-8F1D6E4C7F1B.reg (164 bytes security) (deflated 70%)
    adding: backregs/233D0BC4-CFD8-4A86-8FF2-0E33026B5627.reg (164 bytes security) (deflated 70%)
    adding: backregs/255F6478-D157-4949-9F91-D4B47DAA5DB8.reg (164 bytes security) (deflated 70%)
    adding: backregs/542EBEE1-BBE3-4F2C-9710-7B2E3D321507.reg (164 bytes security) (deflated 70%)
    adding: backregs/7AB4AAC7-BA8E-4099-9F81-680E35E65526.reg (164 bytes security) (deflated 70%)
    adding: backregs/9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF.reg (164 bytes security) (deflated 70%)
    adding: backregs/A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA.reg (164 bytes security) (deflated 70%)
    adding: backregs/C02EB115-C1C1-4900-A98F-A594DD632C78.reg (164 bytes security) (deflated 70%)
    adding: backregs/C331E78A-17CC-4C59-8DDA-45B1A4B37E1E.reg (164 bytes security) (deflated 70%)
    adding: backregs/DCC2CC79-5415-4562-942A-D8580C7AA083.reg (164 bytes security) (deflated 70%)
    adding: backregs/ED282CCF-A532-41E6-8155-7207B808797D.reg (164 bytes security) (deflated 70%)
    adding: backregs/shell.reg (164 bytes security) (deflated 73%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone"


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: dcscript.dll
    deleting local copy: dk3j.dll
    deleting local copy: dsscript.dll
    deleting local copy: enpul1791.dll
    deleting local copy: fn0021dmg.dll
    deleting local copy: fpl6033se.dll
    deleting local copy: g4400ehmeh4a0.dll
    deleting local copy: g822lifo182c.dll
    deleting local copy: h44mleh11h4.dll
    deleting local copy: j42q0ef5eh2.dll
    deleting local copy: jt4407hqe.dll
    deleting local copy: k4no0e53eh.dll
    deleting local copy: kwdbr.dll
    deleting local copy: lv0409dqe.dll
    deleting local copy: nzprovau.dll
    deleting local copy: r0p80a7ued.dll
    deleting local copy: s4rs0e97eh.dll
    deleting local copy: wenetmgr.dll
    deleting local copy: wzpcd.dll

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\dcscript.dll
    C:\WINDOWS\system32\dk3j.dll
    C:\WINDOWS\system32\dsscript.dll
    C:\WINDOWS\system32\enpul1791.dll
    C:\WINDOWS\system32\fn0021dmg.dll
    C:\WINDOWS\system32\fpl6033se.dll
    C:\WINDOWS\system32\g4400ehmeh4a0.dll
    C:\WINDOWS\system32\g822lifo182c.dll
    C:\WINDOWS\system32\h44mleh11h4.dll
    C:\WINDOWS\system32\j42q0ef5eh2.dll
    C:\WINDOWS\system32\jt4407hqe.dll
    C:\WINDOWS\system32\k4no0e53eh.dll
    C:\WINDOWS\system32\kwdbr.dll
    C:\WINDOWS\system32\lv0409dqe.dll
    C:\WINDOWS\system32\nzprovau.dll
    C:\WINDOWS\system32\r0p80a7ued.dll
    C:\WINDOWS\system32\s4rs0e97eh.dll
    C:\WINDOWS\system32\wenetmgr.dll
    C:\WINDOWS\system32\wzpcd.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{7AB4AAC7-BA8E-4099-9F81-680E35E65526}"=-
    "{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}"=-
    "{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}"=-
    "{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}"=-
    "{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}"=-
    "{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}"=-
    "{C02EB115-C1C1-4900-A98F-A594DD632C78}"=-
    "{DCC2CC79-5415-4562-942A-D8580C7AA083}"=-
    "{255F6478-D157-4949-9F91-D4B47DAA5DB8}"=-
    "{ED282CCF-A532-41E6-8155-7207B808797D}"=-
    "{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{7AB4AAC7-BA8E-4099-9F81-680E35E65526}]
    [-HKEY_CLASSES_ROOT\CLSID\{C331E78A-17CC-4C59-8DDA-45B1A4B37E1E}]
    [-HKEY_CLASSES_ROOT\CLSID\{233D0BC4-CFD8-4A86-8FF2-0E33026B5627}]
    [-HKEY_CLASSES_ROOT\CLSID\{16BC434A-1B58-4245-894D-8F1D6E4C7F1B}]
    [-HKEY_CLASSES_ROOT\CLSID\{9C5BD5AF-5018-40F9-A029-1AB2D42FC6EF}]
    [-HKEY_CLASSES_ROOT\CLSID\{A5D0EA2B-3E56-4AD3-95FD-A2C9D05A75BA}]
    [-HKEY_CLASSES_ROOT\CLSID\{C02EB115-C1C1-4900-A98F-A594DD632C78}]
    [-HKEY_CLASSES_ROOT\CLSID\{DCC2CC79-5415-4562-942A-D8580C7AA083}]
    [-HKEY_CLASSES_ROOT\CLSID\{255F6478-D157-4949-9F91-D4B47DAA5DB8}]
    [-HKEY_CLASSES_ROOT\CLSID\{ED282CCF-A532-41E6-8155-7207B808797D}]
    [-HKEY_CLASSES_ROOT\CLSID\{542EBEE1-BBE3-4F2C-9710-7B2E3D321507}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0947FE56-67CB-4BE1-A164-32A226DDF50A}"=-
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{0947FE56-67CB-4BE1-A164-32A226DDF50A}</IDone>
    <IDtwo>DS3</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
    -------------------------------------------------------------------------

    Here is my hijackthis log:

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 10:00:18 AM, on 2/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\LDCLIENT\LOCALSCH.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\LDCLIENT\QIPCLNT.EXE
    C:\LDClient\tmcsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\LDClient\SoftMon.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\nvsvc32.exe
    c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\LDClient\wuser32.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wuwiqi.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Lotus\notes\NLNOTES.EXE
    C:\Program Files\lotus\notes\NCDaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lotus\notes\ntaskldr.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDClient\SoftMon.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Auto_Inventory] C:\WINDOWS\LDPrimary.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Ariba Client 6.1 - http://oksun1.okla.seagate.com:10001/ariba-prd/aribaIE4.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14c1aa8cbd78c9e2bb15/netzip/RdxIE601.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: Intel QIP Client Service - LANDesk® Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
    O23 - Service: Intel Targeted Multicast - LANDesk® Software Ltd. - C:\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Intel Remote Control Service - LANDesk® Software Ltd. - C:\LDClient\wuser32.exe
    -------------------------------------------------------------------------

    Jordan Krim
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries. Double check to make sure, then make sure all browser & email windows are closed and press Fix checked




    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14c1aa8...ip/RdxIE601.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx


    Now run killbox and paste each of these lines into the box, select standard file delete, then press the red X button. Say yes to the prompt, then continue to paste the lines in turn and follow the above procedure every time. If it says file is missing, don't worry, but if it says unable to delete file then select delete on reboot BUT DO NOT let it reboot yet

    C:\WINDOWS\System32\wuwiqi.exe
    c:\windows\system32\dolsp.dll

    Then go to Start > Run, type %temp% in the Run box and press OK. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.


    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot & post a new HJT log to check please
     
  14. jkrim

    jkrim Thread Starter

    Joined:
    Jan 29, 2005
    Messages:
    32
    Derek,

    Here is the log.

    -----------------------------------------------------------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 11:59:21 AM, on 2/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\LDCLIENT\LOCALSCH.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\LDCLIENT\QIPCLNT.EXE
    C:\LDClient\tmcsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\nvsvc32.exe
    c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    C:\LDClient\wuser32.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    C:\LDClient\SoftMon.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\LDPrimary.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDClient\SoftMon.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Auto_Inventory] C:\WINDOWS\LDPrimary.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\wuwiqi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: hghufu.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Ariba Client 6.1 - http://oksun1.okla.seagate.com:10001/ariba-prd/aribaIE4.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = notes.seagate.com,colo.seagate.com,seagate.com
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: Intel QIP Client Service - LANDesk® Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
    O23 - Service: Intel Targeted Multicast - LANDesk® Software Ltd. - C:\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - c:\program files\checkpoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Intel Remote Control Service - LANDesk® Software Ltd. - C:\LDClient\wuser32.exe
    ---------------------------------------------------------------------

    Jordan Krim
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
Short URL to this thread: https://techguy.org/324668