
Solved: HJT for review and advice

Discussion in 'Virus & Other Malware Removal' started by HOBOcs, Jan 28, 2005.

  1. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    Cleaning up once again....
    Ran the usual (Spybot, Ad-Aware), loaded Spyware Blaster, ran AVG Anti-Virus (lots still to clean up... I will access the internet and the online virus scan "House Call" once I've determined my network is safe).

    Trying this stuff on my own.. getting better at it...
    but would like to have someone review.

    Fixing stuff in red as well as removing folders/files in safe mode.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:04:13 AM, on 01/28/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT2\System32\smss.exe
    C:\WINNT2\system32\winlogon.exe
    C:\WINNT2\system32\services.exe
    C:\WINNT2\system32\lsass.exe
    C:\WINNT2\system32\svchost.exe
    C:\WINNT2\system32\LEXBCES.EXE
    C:\WINNT2\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT2\SYSTEM32\DNTUS26.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT2\System32\svchost.exe
    C:\WINNT2\system32\hidserv.exe
    C:\WINNT2\system32\rundll32.exe
    C:\WINNT2\Explorer.EXE
    D:\Program Files\navapsvc.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT2\system32\regsvc.exe
    C:\winnt\system32\dllcache\FireDaemon.EXE
    C:\WINNT\system32\dllcache\runbatch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT2\system32\jberia.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINNT2\System32\WBEM\WinMgmt.exe
    C:\WINNT2\System32\mspmspsv.exe
    C:\WINNT2\system32\svchost.exe
    C:\Program Files\Wwphwy\Pqbo.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT2\system32\??xplore.exe
    C:\Documents and Settings\ultinet\Application Data\euse.exe
    C:\lotus\wordpro\ltsstart.exe
    C:\WINNT2\system32\cleanmgr.exe
    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.8/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.8/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.8/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #uto.search.msn.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #uto.search.msn.com
    O1 - Hosts: 69.20.16.183 #earch.netscape.com
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 #eautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT2\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ureinyooihtb] C:\WINNT2\system32\jberia.exe

    O4 - HKLM\..\Run: [CXMon] "d:\new folder\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] d:\new folder\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [sstata] C:\WINNT\SYSTEM32\ethetdp.exe
    O4 - HKLM\..\Run: [dasxdads] fsdqd.exe
    O4 - HKLM\..\Run: [Microsoft OfficeXP] vcvsdf.exe
    O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
    O4 - HKLM\..\Run: [ASX] C:\WINNT\SYSTEM32\nghj.exe

    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [qfqeqfss] kusrs.exe
    O4 - HKLM\..\Run: [SATA Corporation Data] C:\WINNT\SYSTEM32\dgndp.exe
    O4 - HKLM\..\Run: [ffqvss] grwfsrs.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [bGDABDcaxcX] C:\WINNT\SYSTEM32\tuhe.exe
    O4 - HKLM\..\Run: [cxbvsavs] fxpflashfix.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [VBcxaasdfxcX] C:\WINNT\SYSTEM32\fgsn.exe
    O4 - HKLM\..\Run: [Diomacd] C:\winnt\system32\fdafbfd.exe
    O4 - HKLM\..\Run: [wqdfadads] sdqdad.exe
    O4 - HKLM\..\Run: [vcxcxvxcX] C:\WINNT\SYSTEM32\vhdfs.exe
    O4 - HKLM\..\Run: [Fwr Command Module] fwr.exe
    O4 - HKLM\..\Run: [bbdjmrxcX] C:\WINNT\SYSTEM32\hfdga.exe
    O4 - HKLM\..\Run: [Microsoft Buffer App] msbuffer.exe
    O4 - HKLM\..\Run: [ioroxxo microsoft sux] system32,1.exe
    O4 - HKLM\..\Run: [vDSAGGQEvbA ASDAS dqdw] C:\WINNT\SYSTEM32\gsdgfw.exe
    O4 - HKLM\..\Run: [2fqqfck] C:\WINNT\SYSTEM32\fabbwq.exe

    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [vxcxcvfck] C:\WINNT\SYSTEM32\sbsvsd.exe
    O4 - HKLM\..\Run: [genserv path] sdqdqg.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
    O4 - HKLM\..\Run: [UltimateCleanerMonitor] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" monitor
    O4 - HKLM\..\Run: [UltimateCleanerUpdate] "C:\Program Files\Ultimate Cleaner\AutoUpdate.exe" silent
    O4 - HKLM\..\Run: [Wfdsct] C:\Program Files\Ofufx\Dqmkay.exe
    O4 - HKLM\..\Run: [Jhqlagq] C:\Program Files\Wwphwy\Pqbo.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunServices: [dasxdads] fsdqd.exe
    O4 - HKLM\..\RunServices: [qfqeqfss] kusrs.exe
    O4 - HKLM\..\RunServices: [ffqvss] grwfsrs.exe
    O4 - HKLM\..\RunServices: [cxbvsavs] fxpflashfix.exe
    O4 - HKLM\..\RunServices: [wqdfadads] sdqdad.exe
    O4 - HKLM\..\RunServices: [Fwr Command Module] fwr.exe
    O4 - HKLM\..\RunServices: [Microsoft Buffer App] msbuffer.exe
    O4 - HKLM\..\RunServices: [ioroxxo microsoft sux] system32,1.exe
    O4 - HKLM\..\RunServices: [genserv path] sdqdqg.exe

    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WinAgent] C:\Program Files\Standard Life\Wealth\WinAgent.exe
    O4 - HKCU\..\Run: [qfqeqfss] kusrs.exe
    O4 - HKCU\..\Run: [ffqvss] grwfsrs.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [cxbvsavs] fxpflashfix.exe
    O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
    O4 - HKCU\..\Run: [wqdfadads] sdqdad.exe
    O4 - HKCU\..\Run: [Microsoft Buffer App] msbuffer.exe
    O4 - HKCU\..\Run: [ioroxxo microsoft sux] system32,1.exe
    O4 - HKCU\..\Run: [genserv path] sdqdqg.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [Vig] C:\WINNT2\system32\??xplore.exe
    O4 - HKCU\..\Run: [Sedu] C:\Documents and Settings\ultinet\Application Data\euse.exe

    O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Startup: Lotus SmartCenter 97.lnk = C:\lotus\smartctr\smartctr.exe
    O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
    O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT2\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
    O10 - Broken Internet access because of LSP provider 'c:\winnt2\system32\aklsp.dll' missing

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-ca/cap/games13.cab
    O16 - DPF: {C40F8F85-3FC3-4C0C-AD91-6A204FAAD59F} (UCInstall Class) - http://ultimatecleaner.com/install/UCInst.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab

    ??? O20 - AppInit_DLLs: c:\winnt2\system32\kbdjod.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT2\System32\dmadmin.exe
    O23 - Service: DameWare NT Utilities 2.6 - DameWare Development LLC - C:\WINNT2\SYSTEM32\DNTUS26.EXE
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FireDaemon Service: FTASK - Unknown - d:\winnt\system32\root\FireDaemon.EXE
    O23 - Service: fxSVC - Unknown - C:\WINNT2\fxsvc.exe (file missing)

    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT2\system32\LEXBCES.EXE
    O23 - Service: Microsoft NetWork FireWall Services - Unknown - NetServices.exe (file missing)
    O23 - Service: MPService - Unknown - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - D:\Program Files\navapsvc.exe
    O23 - Service: FireDaemon Service: ntsysvers - Unknown - C:\winnt\system32\dllcache\FireDaemon.EXE
    O23 - Service: FireDaemon Service: runbatch - Unknown - C:\winnt\system32\dllcache\FireDaemon.EXE

    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. gjw

    gjw

    Joined:
    Nov 14, 2004
    Messages:
    192
    There are enough threads on this site regarding ??xplore.exe to warrant looking at

    C:\WINNT2\system32\??xplore.exe
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    hi,


    These two lines are bad:

    C:\WINNT2\system32\??xplore.exe
    C:\Documents and Settings\ultinet\Application Data\euse.exe


    You probably will not get rid of your about:blank/CWS infection just by removing those entries with HJT and deleting files... it takes some special tools. You have an APP_init variety that takes some work....

    What do you plan for the BLUE flagged items?

    You want to uninstall MessengerPlus3, if you have not already; the full install of that program comes with the LOP malware that you have showing.

    You also should uninstall LOP with these tools:

    http://lop.com/new_uninstall.exe

    http://www.thespykiller.co.uk/downloads.htm


    Click here to download the LOP uninstaller.
    Here are more, in case security settings won't let you get to the first site: Here

    here
    here2

    Close all browser windows and run the uninstaller.

    When it is finished restart your computer.


    Next, I would clean up with an online scan; try Panda first:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    and Housecall second. Panda will let you save a report when it is done; the report is called Activescan.txt, so save it to your desktop. It is very handy to refer to for file names, trojan names, locations etc.
    Note the date the files came onto the system for later; you can find a lot with just that information, using Google to search the filenames found corresponding to the date.

    Not every file from the date will be bad of course... but the bad ones will be dated then, so you have a way to filter them. Do not delete because something "looks" funny; find out what they may be first.

    Of course, use AAW and SpyBot, fully updated, and your antivirus program.

    Stinger by McAfee may find something that does not show in logs, with that much malware anything could be on there. Stinger is very good with email worms and the newest and stubbornest exploits.

    http://vil.nai.com/vil/stinger/

    You will need some other tools, here are some I would get right away to have handy:

    LSPFix -- to repair the Winsock network layer (remove only the one file, aklsp.dll, with LSPFix).

    http://www.spychecker.com/program/lspfix.html

    Hoster -- to replace what you have with a default HOSTS file.

    http://members.aol.com/toadbee/hoster.zip

    AboutBuster -- you should have help when you use this!
    Just download it to have handy!

    http://www.spychecker.com/program/aboutbuster.html

    And there will be more to get. I think if you clean up what you can, you will get some help with the CWS/about:blank if it remains.
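As an added example, not code from the thread or from HijackThis, the checks the replies above make by eye, applied as a small Python triage to a few lines copied from the posted log: hosts entries pointing search hostnames at one outside IP, process names HJT renders with "?", bare or multiply-registered O4 commands, and the O10/O20 loader hooks. The heuristics are mine and produce candidates to identify rather than verdicts, in line with the caution about deleting things that merely look funny; the trimmed sample log is constructed from the lines above.

```python
"""Triage of a HijackThis (HJT) log for the signs the replies in this thread
point at: added example, not part of the thread or of HijackThis itself. The
heuristics flag candidates to identify, not verdicts."""
import re
from collections import defaultdict

# Constructed sample in HJT v1.99 format: a handful of lines copied from the
# log posted above, trimmed so the checks are easy to follow.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT2\System32\smss.exe
C:\WINNT2\system32\??xplore.exe
C:\Documents and Settings\ultinet\Application Data\euse.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Buffer App] msbuffer.exe
O4 - HKLM\..\RunServices: [Microsoft Buffer App] msbuffer.exe
O4 - HKCU\..\Run: [Microsoft Buffer App] msbuffer.exe
O4 - HKCU\..\Run: [Vig] C:\WINNT2\system32\??xplore.exe
O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\winnt2\system32\aklsp.dll' missing
O20 - AppInit_DLLs: c:\winnt2\system32\kbdjod.dll
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A hosts entry pointing at one of these blocks the name; anything else redirects it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def running_processes(log_text):
    """The block between 'Running processes:' and the next blank line."""
    procs, collecting = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
        elif collecting:
            if not line:
                break
            procs.append(line)
    return procs

def hosts_redirects(log_text):
    """Group O1 entries by target IP. One non-loopback IP answering for
    search-engine hostnames (69.20.16.183 here) is a search hijack, which is
    why the advice above is to replace the whole HOSTS file with a default."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m and m.group("ip") not in LOOPBACK:
            by_ip[m.group("ip")].append(m.group("host"))
    return dict(by_ip)

def odd_processes(log_text):
    """Paths HJT renders with '?' (non-printable characters in the file name,
    as with ??xplore.exe) or that run from a profile's Application Data."""
    return [p for p in running_processes(log_text)
            if "?" in p.rsplit("\\", 1)[-1] or "\\Application Data\\" in p]

def suspicious_autostarts(log_text):
    """Two weak signals: a bare filename (no path, so the file must be located
    and identified before anything is fixed; legitimate entries such as
    SOUNDMAN.EXE use it too) and the same [name] command registered under more
    than one autostart key, as the backdoor entries in the posted log are."""
    bare, by_cmd = [], defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        by_cmd[(name, cmd)].add(key)
        exe = cmd.strip('"').split('"')[0]       # drop arguments after a quoted path
        if "\\" not in exe and ":" not in exe:
            bare.append((key, name, cmd))
    multi = {f"[{n}] {c}": sorted(keys)
             for (n, c), keys in by_cmd.items() if len(keys) > 1}
    return bare, multi

def loader_hooks(log_text):
    """O10 (Winsock LSP) and O20 (AppInit_DLLs) lines. Code loaded from here
    runs inside every process that uses Winsock or user32, which is why the LSP
    chain is repaired before the rest of the cleanup starts."""
    return [l.strip() for l in log_text.splitlines()
            if l.strip().startswith(("O10 - ", "O20 - "))]

def triage(log_text):
    bare, multi = suspicious_autostarts(log_text)
    return {"hosts_redirects": hosts_redirects(log_text),
            "odd_processes": odd_processes(log_text),
            "bare_autostarts": bare,
            "multi_key_autostarts": multi,
            "loader_hooks": loader_hooks(log_text)}

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(items)})")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```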
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Firstly, before wasting your time removing all the rubbish for it to be immediately reinstalled, we need to fix the hidden problem, which is a VX2 hijacker that downloads most of this crap.
    This will take a few stages, so be prepared for a bit of work.
    Also, you have several other backdoor trojans and hackers as well.

    Before we start, though, we need to fix the LSP chain.

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Run the LSPFix application that you downloaded earlier. You will see a list of files in the left-hand pane and possibly some in the right-hand pane. Tick the "I know what I'm doing" box and select any instances of sfbnsp.dll and aklsp.dll that are in the left-hand Keep pane and move them to the right-hand Remove pane. DO NOT MOVE ANY OTHER FILES. Press Finish and the program will do anything necessary.

    Once that is done, then:

    Warning: DO NOT REBOOT or close down the computer until told to, once the log has been run.

    You have the latest version of VX2. Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  5. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    Ok, guys... ran the virus scanners and lots came up: irc/backdoor.flood and many more. Ran LSPFix yesterday and removed sfbnsp.dll.

    Following DVK01's route now...
    L2mfix report..
    L2MFIX find log 1.02
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT2\\system32\\gp4ul3h91.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1E7A22D2-ABBE-4499-8320-97A69EDA70E4}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
    "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
    "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
    "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
    "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
    "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
    "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
    "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
    "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
    "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
    "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
    "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
    "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
    "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
    "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
    "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
    "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
    "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
    "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
    "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
    "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
    "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
    "{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}"=""
    "{BF724B39-32A0-4850-99EA-A63E1BFA1613}"=""
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}"=""
    "{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}\InprocServer32]
    @="C:\\WINNT2\\system32\\mLpi32.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{BF724B39-32A0-4850-99EA-A63E1BFA1613}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BF724B39-32A0-4850-99EA-A63E1BFA1613}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BF724B39-32A0-4850-99EA-A63E1BFA1613}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BF724B39-32A0-4850-99EA-A63E1BFA1613}\InprocServer32]
    @="C:\\WINNT2\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}\InprocServer32]
    @="C:\\WINNT2\\system32\\lmtmb12n.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}\InprocServer32]
    @="C:\\WINNT2\\system32\\mddex.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINNT2\SYSTEM32\
    akcore.dll Tue Dec 7 2004 12:37:56p A.... 188,416 184.00 K
    aza2lc~1.dll Sat Jan 1 2005 11:40:22a ..S.R 224,442 219.18 K
    cacore.dll Tue Jan 25 2005 10:30:42a A.... 151,552 148.00 K
    carules.dll Tue Dec 7 2004 4:52:16p A.... 45,056 44.00 K
    casync.dll Tue Dec 7 2004 4:52:12p A.... 114,688 112.00 K
    cib.dll Fri Jan 14 2005 12:17:18p ..S.R 224,430 219.17 K
    clsutil.dll Fri Jan 28 2005 3:17:56p ..S.R 225,193 219.91 K
    cynsole.dll Tue Jan 11 2005 9:50:30a ..S.R 222,778 217.55 K
    dlcprop2.dll Thu Jan 27 2005 10:14:16p ..S.R 223,760 218.52 K
    dn0401~1.dll Fri Jan 21 2005 10:12:52p ..S.R 222,408 217.20 K
    dn4401~1.dll Tue Jan 18 2005 9:32:44a ..... 224,430 219.17 K
    dnrs01~1.dll Wed Jan 19 2005 12:00:54p ..S.R 224,430 219.17 K
    en4ql1~1.dll Tue Jan 25 2005 10:50:10p ..... 223,844 218.60 K
    ennql1~1.dll Tue Jan 25 2005 2:59:40p ..S.R 225,395 220.11 K
    enpsl1~1.dll Sat Jan 22 2005 3:58:32p ..... 223,093 217.86 K
    fpr803~1.dll Sun Dec 26 2004 12:07:00a ..S.R 224,926 219.65 K
    g0402a~1.dll Sun Jan 2 2005 2:20:20a ..S.R 222,904 217.68 K
    g222lc~1.dll Tue Dec 28 2004 11:33:24a ..S.R 226,293 220.99 K
    g2lm0c~1.dll Fri Dec 31 2004 9:06:28p ..S.R 225,071 219.79 K
    gp4ul3~1.dll Sat Jan 29 2005 1:55:40a ..S.R 223,179 217.95 K
    gp8ql3~1.dll Sat Jan 22 2005 3:23:28p ..S.R 222,999 217.77 K
    gplsl3~1.dll Thu Jan 6 2005 5:25:42p ..S.R 222,437 217.22 K
    gppsl3~1.dll Mon Jan 10 2005 2:14:06p ..S.R 222,778 217.55 K
    h04m0a~1.dll Wed Jan 19 2005 11:24:42a ..S.R 224,430 219.17 K
    h40q0e~1.dll Tue Dec 28 2004 12:53:56a ..S.R 226,193 220.89 K
    h62o0g~1.dll Tue Dec 21 2004 9:51:42a ..S.R 224,926 219.65 K
    h64m0g~1.dll Sat Dec 11 2004 8:01:52p ..S.R 224,660 219.39 K
    hr0205~1.dll Mon Jan 10 2005 11:19:32p ..S.R 222,983 217.75 K
    hr2005~1.dll Sun Jan 9 2005 3:18:04p ..S.R 222,437 217.22 K
    hr2m05~1.dll Fri Jan 21 2005 1:17:00p ..S.R 224,430 219.17 K
    hr6o05~1.dll Wed Jan 5 2005 2:00:24p ..S.R 226,068 220.77 K
    hrije.dll Tue Jan 11 2005 9:09:30a A.... 172,032 168.00 K
    hrl005~1.dll Fri Jan 21 2005 6:45:00a ..S.R 224,430 219.17 K
    hypertrm.dll Tue Nov 16 2004 5:47:02a A.... 576,784 563.27 K
    i6060g~1.dll Sat Dec 11 2004 12:04:52p ..S.R 224,660 219.39 K
    i842li~1.dll Mon Dec 13 2004 12:56:18p ..S.R 224,660 219.39 K
    ids.dll Fri Jan 28 2005 11:09:58a ..S.R 222,523 217.30 K
    j06m0a~1.dll Thu Dec 9 2004 10:51:10a ..S.R 224,820 219.55 K
    j2n2lc~1.dll Tue Dec 7 2004 12:20:02p ..S.R 224,484 219.22 K
    j40sle~1.dll Wed Dec 15 2004 11:19:40p ..S.R 224,660 219.39 K
    j4n20e~1.dll Fri Jan 14 2005 11:32:20p ..S.R 224,430 219.17 K
    j62q0g~1.dll Sat Jan 22 2005 3:43:20p ..S.R 222,471 217.25 K
    jtl807~1.dll Thu Dec 9 2004 11:06:24a ..S.R 225,497 220.21 K
    jtpq07~1.dll Sat Jan 29 2005 9:15:18a ..S.R 223,756 218.51 K
    jtpu07~1.dll Tue Jan 11 2005 9:19:34p ..S.R 222,778 217.55 K
    jtr807~1.dll Sat Jan 22 2005 4:08:48p ..... 223,990 218.74 K
    kt20l7~1.dll Mon Jan 24 2005 11:48:16a ..S.R 223,990 218.74 K
    kt4ml7~1.dll Tue Jan 25 2005 10:20:54a ..S.R 223,093 217.86 K
    ktr2l7~1.dll Sat Dec 11 2004 11:30:36p ..S.R 224,660 219.39 K
    lmtmb12n.dll Fri Jan 28 2005 2:25:40p A.... 222,523 217.30 K
    lv4009~1.dll Thu Jan 27 2005 12:36:24a ..S.R 223,844 218.60 K
    m2polc~1.dll Fri Jan 7 2005 10:56:40a ..S.R 222,437 217.22 K
    mddex.dll Sat Jan 29 2005 9:15:18a ..S.R 223,179 217.95 K
    mjjint40.dll Tue Dec 14 2004 7:35:42a ..S.R 224,660 219.39 K
    mmimrt.dll Thu Jan 27 2005 1:27:08p ..S.R 222,523 217.30 K
    mnnetobj.dll Fri Jan 28 2005 4:24:56p ..S.R 225,540 220.25 K
    mpvbvm60.dll Sat Jan 29 2005 1:55:42a ..S.R 225,826 220.53 K
    msvcp71.dll Thu Jan 27 2005 10:25:46p A.... 499,712 488.00 K
    msvcr71.dll Thu Jan 27 2005 10:25:46p A.... 348,160 340.00 K
    mv40l9~1.dll Mon Jan 3 2005 1:16:42a ..S.R 224,551 219.29 K
    mvlul9~1.dll Wed Dec 15 2004 12:11:46a ..S.R 224,660 219.39 K
    mzpistub.dll Fri Jan 28 2005 6:38:14a ..S.R 222,523 217.30 K
    n2r2lc~1.dll Thu Jan 13 2005 2:02:26p ..S.R 224,430 219.17 K
    ncdsxds.dll Fri Jan 28 2005 12:14:04p ..S.R 223,693 218.45 K
    noevent.dll Sat Jan 22 2005 3:43:22p ..S.R 225,917 220.62 K
    o2rolc~1.dll Mon Jan 10 2005 12:58:30p ..S.R 222,437 217.22 K
    o6ns0g~1.dll Tue Jan 25 2005 10:26:04p ..S.R 224,600 219.34 K
    ogbcinst.dll Sat Jan 1 2005 10:09:20p ..S.R 222,904 217.68 K
    osecli.dll Thu Jan 27 2005 8:48:56p ..S.R 222,523 217.30 K
    p66s0g~1.dll Sat Jan 22 2005 1:48:18p ..S.R 225,917 220.62 K
    p84uli~1.dll Mon Jan 10 2005 1:53:18p ..S.R 222,778 217.55 K
    phwrprof.dll Fri Jan 28 2005 4:40:18p ..S.R 225,826 220.53 K
    psrfdisk.dll Fri Jan 28 2005 2:47:32p ..S.R 223,916 218.67 K
    q0ps0a~1.dll Wed Jan 19 2005 7:17:56p ..S.R 224,430 219.17 K
    q0psla~1.dll Sat Dec 11 2004 2:17:42a ..S.R 225,121 219.84 K
    sporder.dll Tue Dec 7 2004 12:37:58p A.... 8,464 8.27 K
    suimgvw.dll Thu Dec 9 2004 12:15:36p ..S.R 224,660 219.39 K
    sworage.dll Tue Jan 4 2005 1:13:20p ..S.R 226,068 220.77 K
    tbrmmgr.dll Mon Dec 20 2004 1:25:04p ..S.R 224,926 219.65 K
    uberenv.dll Fri Jan 28 2005 10:53:08a ..S.R 223,710 218.46 K
    vxa256.dll Fri Jan 28 2005 3:02:56p ..S.R 224,401 219.14 K
    wxnsta.dll Sat Jan 29 2005 1:43:56a ..S.R 223,202 217.97 K
    xdnroll.dll Wed Dec 15 2004 12:39:34p ..S.R 224,660 219.39 K

    83 items found: 83 files (69 H/S), 0 directories.
    Total of file sizes: 18,689,068 bytes 17.82 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 843A-1423

    Directory of C:\WINNT2\System32

    01/29/2005 09:15a 223,179 mddex.dll
    01/29/2005 09:15a 223,756 jtpq0775e.dll
    01/29/2005 01:55a 225,826 MPVBVM60.DLL
    01/29/2005 01:55a 223,179 gp4ul3h91.dll
    01/29/2005 01:43a 223,202 wxnsta.dll
    01/28/2005 04:40p 225,826 phwrprof.dll
    01/28/2005 04:24p 225,540 mnnetobj.dll
    01/28/2005 03:17p 225,193 Clsutil.dll
    01/28/2005 03:02p 224,401 vxa256.dll
    01/28/2005 02:47p 223,916 psrfdisk.dll
    01/28/2005 12:14p 223,693 ncdsxds.dll
    01/28/2005 11:09a 222,523 ids.dll
    01/28/2005 10:53a 223,710 UBERENV.DLL
    01/28/2005 06:38a 222,523 mZpistub.dll
    01/27/2005 10:14p 223,760 dlcprop2.dll
    01/27/2005 08:48p 222,523 osecli.dll
    01/27/2005 01:27p 222,523 MMIMRT.DLL
    01/27/2005 12:36a 223,844 lv4009hme.dll
    01/25/2005 10:26p 224,600 o6ns0g57e6.dll
    01/25/2005 02:59p 225,395 ennql1551.dll
    01/25/2005 10:20a 223,093 kt4ml7h11.dll
    01/24/2005 11:48a 223,990 kt20l7fm1.dll
    01/22/2005 03:43p 225,917 noevent.dll
    01/22/2005 03:43p 222,471 j62q0gf5e62.dll
    01/22/2005 03:23p 222,999 gp8ql3l51.dll
    01/22/2005 01:48p 225,917 p66s0gj7e6o.dll
    01/21/2005 10:12p 222,408 dn0401dqe.dll
    01/21/2005 01:16p 224,430 hr2m05f1e.dll
    01/21/2005 06:44a 224,430 hrl0053me.dll
    01/19/2005 07:17p 224,430 q0ps0a77ed.dll
    01/19/2005 12:00p 224,430 dnrs0197e.dll
    01/19/2005 11:24a 224,430 h04m0ah1ed4.dll
    01/14/2005 11:32p 224,430 j4n20e5oeh.dll
    01/14/2005 12:17p 224,430 cib.dll
    01/13/2005 02:02p 224,430 n2r2lc9o1f.dll
    01/11/2005 09:19p 222,778 jtpu0779e.dll
    01/11/2005 09:50a 222,778 cynsole.dll
    01/11/2005 09:10a 401,408 ??xplore.exe
    01/10/2005 11:19p 222,983 hr0205doe.dll
    01/10/2005 02:14p 222,778 gppsl3771.dll
    01/10/2005 01:53p 222,778 p84ulih9184.dll
    01/10/2005 12:58p 222,437 o2rolc931f.dll
    01/09/2005 03:18p 222,437 hr2005fme.dll
    01/07/2005 10:56a 222,437 m2polc731f.dll
    01/06/2005 05:25p 222,437 gplsl3371.dll
    01/05/2005 02:00p 226,068 hr6o05j3e.dll
    01/04/2005 01:13p 226,068 sworage.dll
    01/03/2005 01:16a 224,551 mv40l9hm1.dll
    01/03/2005 01:09a <DIR> dllcache
    01/02/2005 02:20a 222,904 g0402ahmgd4a2.dll
    01/01/2005 10:09p 222,904 OGBCINST.DLL
    01/01/2005 11:40a 224,442 aza2lcfo1f2c.dll
    12/31/2004 09:06p 225,071 g2lm0c31ef.dll
    12/28/2004 11:33a 226,293 g222lcfo1f2c.dll
    12/28/2004 12:53a 226,193 h40q0ed5eh0.dll
    12/26/2004 12:06a 224,926 fpr8039ue.dll
    12/21/2004 09:51a 224,926 h62o0gf3e62.dll
    12/20/2004 01:25p 224,926 tbrmmgr.dll
    12/15/2004 11:19p 224,660 j40sled71h0.dll
    12/15/2004 12:39p 224,660 XDNROLL.DLL
    12/15/2004 12:11a 224,660 mvlul9391.dll
    12/14/2004 07:35a 224,660 mjjint40.dll
    12/13/2004 12:56p 224,660 i842liho184c.dll
    12/11/2004 11:30p 224,660 ktr2l79o1.dll
    12/11/2004 08:01p 224,660 h64m0gh1e64.dll
    12/11/2004 12:04p 224,660 i6060gdse6060.dll
    12/11/2004 02:17a 225,121 q0psla771d.dll
    12/09/2004 12:15p 224,660 suimgvw.dll
    12/09/2004 11:06a 225,497 jtl8073ue.dll
    12/09/2004 10:51a 224,820 j06m0aj1edo.dll
    12/07/2004 12:20p 224,484 j2n2lc5o1f.dll
    10/19/2004 09:53a 380,928 ??rvices.exe
    06/19/2003 02:05p 286,773 msvcrt.dll
    06/19/2003 02:05p 1,015,859 mfc42.dll
    06/19/2003 02:05p 11,024 REGSVR32.EXE
    05/08/2001 07:00a 77,878 msvcirt.dll
    08/29/2000 03:00a 401,462 msvcp60.dll
    76 File(s) 18,041,656 bytes
    1 Dir(s) 373,854,208 bytes free
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    OK then, quite a few dodgy files there, so let's see if this gets them all.
    We will need to do a manual clear-up of the other rubbish afterwards anyway, but one step at a time.

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  7. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    L2Mfix 1.02

    Running From:
    C:\Utilities\vx2\l2mfix

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Setting registry permissions:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Setting up for Reboot

    Starting Reboot!

    C:\Utilities\vx2\l2mfix
    System Rebooted!

    Running From:
    C:\Utilities\vx2\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 772 'explorer.exe'
    Killing PID 772 'explorer.exe'
    Error 0x5 : Access is denied.
    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 948 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINNT2\system32\aza2lcfo1f2c.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\cib.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\Clsutil.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\cynsole.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\dlcprop2.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\dn0401dqe.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\dn4401hqe.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\dnrs0197e.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\en4ql1h51.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\ennql1551.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\enpsl1771.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\fpr8039ue.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\g0402ahmgd4a2.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\g222lcfo1f2c.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\g2lm0c31ef.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\gp8ql3l51.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\gplsl3371.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\gppsl3771.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\h04m0ah1ed4.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\h40q0ed5eh0.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\h62o0gf3e62.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\h64m0gh1e64.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\hr0205doe.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\hr2005fme.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\hr2m05f1e.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\hr6o05j3e.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\i6060gdse6060.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\i842liho184c.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\ids.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\j06m0aj1edo.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\j2n2lc5o1f.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\j40sled71h0.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\j4n20e5oeh.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\j62q0gf5e62.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\jtl8073ue.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\jtpq0775e.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\jtpu0779e.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\jtr8079ue.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\kt20l7fm1.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\kt4ml7h11.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\ktr2l79o1.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\lmtmb12n.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\lv4009hme.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\m2polc731f.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mddex.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mjjint40.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\MMIMRT.DLL
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mnnetobj.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\MPVBVM60.DLL
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\muhtmler.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mv40l9hm1.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mvlul9391.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\mZpistub.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\n2r2lc9o1f.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\ncdsxds.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\noevent.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\o2rolc931f.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\o6ns0g57e6.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\OGBCINST.DLL
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\osecli.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\p66s0gj7e6o.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\p84ulih9184.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\phwrprof.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\psrfdisk.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\q0ps0a77ed.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\q0psla771d.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\suimgvw.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\sworage.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\tbrmmgr.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\UBERENV.DLL
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\vxa256.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\wxnsta.dll
    1 file(s) copied.
    Backing Up: C:\WINNT2\system32\XDNROLL.DLL
    1 file(s) copied.
    deleting: C:\WINNT2\system32\aza2lcfo1f2c.dll
    Successfully Deleted: C:\WINNT2\system32\aza2lcfo1f2c.dll
    deleting: C:\WINNT2\system32\cib.dll
    Successfully Deleted: C:\WINNT2\system32\cib.dll
    deleting: C:\WINNT2\system32\Clsutil.dll
    Successfully Deleted: C:\WINNT2\system32\Clsutil.dll
    deleting: C:\WINNT2\system32\cynsole.dll
    Successfully Deleted: C:\WINNT2\system32\cynsole.dll
    deleting: C:\WINNT2\system32\dlcprop2.dll
    Successfully Deleted: C:\WINNT2\system32\dlcprop2.dll
    deleting: C:\WINNT2\system32\dn0401dqe.dll
    Successfully Deleted: C:\WINNT2\system32\dn0401dqe.dll
    deleting: C:\WINNT2\system32\dn4401hqe.dll
    Successfully Deleted: C:\WINNT2\system32\dn4401hqe.dll
    deleting: C:\WINNT2\system32\dnrs0197e.dll
    Successfully Deleted: C:\WINNT2\system32\dnrs0197e.dll
    deleting: C:\WINNT2\system32\en4ql1h51.dll
    Successfully Deleted: C:\WINNT2\system32\en4ql1h51.dll
    deleting: C:\WINNT2\system32\ennql1551.dll
    Successfully Deleted: C:\WINNT2\system32\ennql1551.dll
    deleting: C:\WINNT2\system32\enpsl1771.dll
    Successfully Deleted: C:\WINNT2\system32\enpsl1771.dll
    deleting: C:\WINNT2\system32\fpr8039ue.dll
    Successfully Deleted: C:\WINNT2\system32\fpr8039ue.dll
    deleting: C:\WINNT2\system32\g0402ahmgd4a2.dll
    Successfully Deleted: C:\WINNT2\system32\g0402ahmgd4a2.dll
    deleting: C:\WINNT2\system32\g222lcfo1f2c.dll
    Successfully Deleted: C:\WINNT2\system32\g222lcfo1f2c.dll
    deleting: C:\WINNT2\system32\g2lm0c31ef.dll
    Successfully Deleted: C:\WINNT2\system32\g2lm0c31ef.dll
    deleting: C:\WINNT2\system32\gp8ql3l51.dll
    Successfully Deleted: C:\WINNT2\system32\gp8ql3l51.dll
    deleting: C:\WINNT2\system32\gplsl3371.dll
    Successfully Deleted: C:\WINNT2\system32\gplsl3371.dll
    deleting: C:\WINNT2\system32\gppsl3771.dll
    Successfully Deleted: C:\WINNT2\system32\gppsl3771.dll
    deleting: C:\WINNT2\system32\h04m0ah1ed4.dll
    Successfully Deleted: C:\WINNT2\system32\h04m0ah1ed4.dll
    deleting: C:\WINNT2\system32\h40q0ed5eh0.dll
    Successfully Deleted: C:\WINNT2\system32\h40q0ed5eh0.dll
    deleting: C:\WINNT2\system32\h62o0gf3e62.dll
    Successfully Deleted: C:\WINNT2\system32\h62o0gf3e62.dll
    deleting: C:\WINNT2\system32\h64m0gh1e64.dll
    Successfully Deleted: C:\WINNT2\system32\h64m0gh1e64.dll
    deleting: C:\WINNT2\system32\hr0205doe.dll
    Successfully Deleted: C:\WINNT2\system32\hr0205doe.dll
    deleting: C:\WINNT2\system32\hr2005fme.dll
    Successfully Deleted: C:\WINNT2\system32\hr2005fme.dll
    deleting: C:\WINNT2\system32\hr2m05f1e.dll
    Successfully Deleted: C:\WINNT2\system32\hr2m05f1e.dll
    deleting: C:\WINNT2\system32\hr6o05j3e.dll
    Successfully Deleted: C:\WINNT2\system32\hr6o05j3e.dll
    deleting: C:\WINNT2\system32\i6060gdse6060.dll
    Successfully Deleted: C:\WINNT2\system32\i6060gdse6060.dll
    deleting: C:\WINNT2\system32\i842liho184c.dll
    Successfully Deleted: C:\WINNT2\system32\i842liho184c.dll
    deleting: C:\WINNT2\system32\ids.dll
    Successfully Deleted: C:\WINNT2\system32\ids.dll
    deleting: C:\WINNT2\system32\j06m0aj1edo.dll
    Successfully Deleted: C:\WINNT2\system32\j06m0aj1edo.dll
    deleting: C:\WINNT2\system32\j2n2lc5o1f.dll
    Successfully Deleted: C:\WINNT2\system32\j2n2lc5o1f.dll
    deleting: C:\WINNT2\system32\j40sled71h0.dll
    Successfully Deleted: C:\WINNT2\system32\j40sled71h0.dll
    deleting: C:\WINNT2\system32\j4n20e5oeh.dll
    Successfully Deleted: C:\WINNT2\system32\j4n20e5oeh.dll
    deleting: C:\WINNT2\system32\j62q0gf5e62.dll
    Successfully Deleted: C:\WINNT2\system32\j62q0gf5e62.dll
    deleting: C:\WINNT2\system32\jtl8073ue.dll
    Successfully Deleted: C:\WINNT2\system32\jtl8073ue.dll
    deleting: C:\WINNT2\system32\jtpq0775e.dll
    Successfully Deleted: C:\WINNT2\system32\jtpq0775e.dll
    deleting: C:\WINNT2\system32\jtpu0779e.dll
    Successfully Deleted: C:\WINNT2\system32\jtpu0779e.dll
    deleting: C:\WINNT2\system32\jtr8079ue.dll
    Successfully Deleted: C:\WINNT2\system32\jtr8079ue.dll
    deleting: C:\WINNT2\system32\kt20l7fm1.dll
    Successfully Deleted: C:\WINNT2\system32\kt20l7fm1.dll
    deleting: C:\WINNT2\system32\kt4ml7h11.dll
    Successfully Deleted: C:\WINNT2\system32\kt4ml7h11.dll
    deleting: C:\WINNT2\system32\ktr2l79o1.dll
    Successfully Deleted: C:\WINNT2\system32\ktr2l79o1.dll
    deleting: C:\WINNT2\system32\lmtmb12n.dll
    Successfully Deleted: C:\WINNT2\system32\lmtmb12n.dll
    deleting: C:\WINNT2\system32\lv4009hme.dll
    Successfully Deleted: C:\WINNT2\system32\lv4009hme.dll
    deleting: C:\WINNT2\system32\m2polc731f.dll
    Successfully Deleted: C:\WINNT2\system32\m2polc731f.dll
    deleting: C:\WINNT2\system32\mddex.dll
    Successfully Deleted: C:\WINNT2\system32\mddex.dll
    deleting: C:\WINNT2\system32\mjjint40.dll
    Successfully Deleted: C:\WINNT2\system32\mjjint40.dll
    deleting: C:\WINNT2\system32\MMIMRT.DLL
    Successfully Deleted: C:\WINNT2\system32\MMIMRT.DLL
    deleting: C:\WINNT2\system32\mnnetobj.dll
    Successfully Deleted: C:\WINNT2\system32\mnnetobj.dll
    deleting: C:\WINNT2\system32\MPVBVM60.DLL
    Successfully Deleted: C:\WINNT2\system32\MPVBVM60.DLL
    deleting: C:\WINNT2\system32\muhtmler.dll
    Successfully Deleted: C:\WINNT2\system32\muhtmler.dll
    deleting: C:\WINNT2\system32\mv40l9hm1.dll
    Successfully Deleted: C:\WINNT2\system32\mv40l9hm1.dll
    deleting: C:\WINNT2\system32\mvlul9391.dll
    Successfully Deleted: C:\WINNT2\system32\mvlul9391.dll
    deleting: C:\WINNT2\system32\mZpistub.dll
    Successfully Deleted: C:\WINNT2\system32\mZpistub.dll
    deleting: C:\WINNT2\system32\n2r2lc9o1f.dll
    Successfully Deleted: C:\WINNT2\system32\n2r2lc9o1f.dll
    deleting: C:\WINNT2\system32\ncdsxds.dll
    Successfully Deleted: C:\WINNT2\system32\ncdsxds.dll
    deleting: C:\WINNT2\system32\noevent.dll
    Successfully Deleted: C:\WINNT2\system32\noevent.dll
    deleting: C:\WINNT2\system32\o2rolc931f.dll
    Successfully Deleted: C:\WINNT2\system32\o2rolc931f.dll
    deleting: C:\WINNT2\system32\o6ns0g57e6.dll
    Successfully Deleted: C:\WINNT2\system32\o6ns0g57e6.dll
    deleting: C:\WINNT2\system32\OGBCINST.DLL
    Successfully Deleted: C:\WINNT2\system32\OGBCINST.DLL
    deleting: C:\WINNT2\system32\osecli.dll
    Successfully Deleted: C:\WINNT2\system32\osecli.dll
    deleting: C:\WINNT2\system32\p66s0gj7e6o.dll
    Successfully Deleted: C:\WINNT2\system32\p66s0gj7e6o.dll
    deleting: C:\WINNT2\system32\p84ulih9184.dll
    Successfully Deleted: C:\WINNT2\system32\p84ulih9184.dll
    deleting: C:\WINNT2\system32\phwrprof.dll
    Successfully Deleted: C:\WINNT2\system32\phwrprof.dll
    deleting: C:\WINNT2\system32\psrfdisk.dll
    Successfully Deleted: C:\WINNT2\system32\psrfdisk.dll
    deleting: C:\WINNT2\system32\q0ps0a77ed.dll
    Successfully Deleted: C:\WINNT2\system32\q0ps0a77ed.dll
    deleting: C:\WINNT2\system32\q0psla771d.dll
    Successfully Deleted: C:\WINNT2\system32\q0psla771d.dll
    deleting: C:\WINNT2\system32\suimgvw.dll
    Successfully Deleted: C:\WINNT2\system32\suimgvw.dll
    deleting: C:\WINNT2\system32\sworage.dll
    Successfully Deleted: C:\WINNT2\system32\sworage.dll
    deleting: C:\WINNT2\system32\tbrmmgr.dll
    Successfully Deleted: C:\WINNT2\system32\tbrmmgr.dll
    deleting: C:\WINNT2\system32\UBERENV.DLL
    Successfully Deleted: C:\WINNT2\system32\UBERENV.DLL
    deleting: C:\WINNT2\system32\vxa256.dll
    Successfully Deleted: C:\WINNT2\system32\vxa256.dll
    deleting: C:\WINNT2\system32\wxnsta.dll
    Successfully Deleted: C:\WINNT2\system32\wxnsta.dll
    deleting: C:\WINNT2\system32\XDNROLL.DLL
    Successfully Deleted: C:\WINNT2\system32\XDNROLL.DLL

    Desktop.ini sucessfully removed

    Zipping up files for submission:
    adding: aza2lcfo1f2c.dll (92 bytes security) (deflated 4%)
    adding: cib.dll (92 bytes security) (deflated 4%)
    adding: Clsutil.dll (92 bytes security) (deflated 5%)
    adding: cynsole.dll (92 bytes security) (deflated 3%)
    adding: dlcprop2.dll (92 bytes security) (deflated 4%)
    adding: dn0401dqe.dll (92 bytes security) (deflated 3%)
    adding: dn4401hqe.dll (92 bytes security) (deflated 4%)
    adding: dnrs0197e.dll (92 bytes security) (deflated 4%)
    adding: en4ql1h51.dll (92 bytes security) (deflated 4%)
    adding: ennql1551.dll (92 bytes security) (deflated 5%)
    adding: enpsl1771.dll (92 bytes security) (deflated 4%)
    adding: fpr8039ue.dll (92 bytes security) (deflated 4%)
    adding: g0402ahmgd4a2.dll (92 bytes security) (deflated 3%)
    adding: g222lcfo1f2c.dll (92 bytes security) (deflated 5%)
    adding: g2lm0c31ef.dll (92 bytes security) (deflated 4%)
    adding: gp8ql3l51.dll (92 bytes security) (deflated 4%)
    adding: gplsl3371.dll (92 bytes security) (deflated 3%)
    adding: gppsl3771.dll (92 bytes security) (deflated 3%)
    adding: h04m0ah1ed4.dll (92 bytes security) (deflated 4%)
    adding: h40q0ed5eh0.dll (92 bytes security) (deflated 5%)
    adding: h62o0gf3e62.dll (92 bytes security) (deflated 4%)
    adding: h64m0gh1e64.dll (92 bytes security) (deflated 4%)
    adding: hr0205doe.dll (92 bytes security) (deflated 4%)
    adding: hr2005fme.dll (92 bytes security) (deflated 3%)
    adding: hr2m05f1e.dll (92 bytes security) (deflated 4%)
    adding: hr6o05j3e.dll (92 bytes security) (deflated 5%)
    adding: i6060gdse6060.dll (92 bytes security) (deflated 4%)
    adding: i842liho184c.dll (92 bytes security) (deflated 4%)
    adding: ids.dll (92 bytes security) (deflated 3%)
    adding: j06m0aj1edo.dll (92 bytes security) (deflated 4%)
    adding: j2n2lc5o1f.dll (92 bytes security) (deflated 4%)
    adding: j40sled71h0.dll (92 bytes security) (deflated 4%)
    adding: j4n20e5oeh.dll (92 bytes security) (deflated 4%)
    adding: j62q0gf5e62.dll (92 bytes security) (deflated 3%)
    adding: jtl8073ue.dll (92 bytes security) (deflated 4%)
    adding: jtpq0775e.dll (92 bytes security) (deflated 4%)
    adding: jtpu0779e.dll (92 bytes security) (deflated 3%)
    adding: jtr8079ue.dll (92 bytes security) (deflated 4%)
    adding: kt20l7fm1.dll (92 bytes security) (deflated 4%)
    adding: kt4ml7h11.dll (92 bytes security) (deflated 4%)
    adding: ktr2l79o1.dll (92 bytes security) (deflated 4%)
    adding: lmtmb12n.dll (92 bytes security) (deflated 3%)
    adding: lv4009hme.dll (92 bytes security) (deflated 4%)
    adding: m2polc731f.dll (92 bytes security) (deflated 3%)
    adding: mddex.dll (92 bytes security) (deflated 4%)
    adding: mjjint40.dll (92 bytes security) (deflated 4%)
    adding: MMIMRT.DLL (92 bytes security) (deflated 3%)
    adding: mnnetobj.dll (92 bytes security) (deflated 5%)
    adding: MPVBVM60.DLL (92 bytes security) (deflated 5%)
    adding: muhtmler.dll (92 bytes security) (deflated 4%)
    adding: mv40l9hm1.dll (92 bytes security) (deflated 4%)
    adding: mvlul9391.dll (92 bytes security) (deflated 4%)
    adding: mZpistub.dll (92 bytes security) (deflated 3%)
    adding: n2r2lc9o1f.dll (92 bytes security) (deflated 4%)
    adding: ncdsxds.dll (92 bytes security) (deflated 4%)
    adding: noevent.dll (92 bytes security) (deflated 5%)
    adding: o2rolc931f.dll (92 bytes security) (deflated 3%)
    adding: o6ns0g57e6.dll (92 bytes security) (deflated 4%)
    adding: OGBCINST.DLL (92 bytes security) (deflated 3%)
    adding: osecli.dll (92 bytes security) (deflated 3%)
    adding: p66s0gj7e6o.dll (92 bytes security) (deflated 5%)
    adding: p84ulih9184.dll (92 bytes security) (deflated 3%)
    adding: phwrprof.dll (92 bytes security) (deflated 5%)
    adding: psrfdisk.dll (92 bytes security) (deflated 4%)
    adding: q0ps0a77ed.dll (92 bytes security) (deflated 4%)
    adding: q0psla771d.dll (92 bytes security) (deflated 4%)
    adding: suimgvw.dll (92 bytes security) (deflated 4%)
    adding: sworage.dll (92 bytes security) (deflated 5%)
    adding: tbrmmgr.dll (92 bytes security) (deflated 4%)
    adding: UBERENV.DLL (92 bytes security) (deflated 4%)
    adding: vxa256.dll (92 bytes security) (deflated 4%)
    adding: wxnsta.dll (92 bytes security) (deflated 4%)
    adding: XDNROLL.DLL (92 bytes security) (deflated 4%)
    adding: clear.reg (92 bytes security) (deflated 51%)
    adding: echo.reg (92 bytes security) (deflated 5%)
    adding: desktop.ini (92 bytes security) (deflated 14%)
    adding: direct.txt (92 bytes security) (stored 0%)
    adding: lo2.txt (92 bytes security) (deflated 87%)
    adding: readme.txt (92 bytes security) (deflated 49%)
    adding: report.txt (92 bytes security) (deflated 69%)
    adding: test.txt (92 bytes security) (deflated 83%)
    adding: test2.txt (92 bytes security) (deflated 34%)
    adding: xfind.txt (92 bytes security) (deflated 77%)
    adding: backregs/1FE1943F-C88B-4C28-B528-DA9F8111FF8E.reg (92 bytes security) (deflated 70%)
    adding: backregs/5AA6B670-E8C5-4D10-8C24-F7456176B0AA.reg (92 bytes security) (deflated 70%)
    adding: backregs/BF724B39-32A0-4850-99EA-A63E1BFA1613.reg (92 bytes security) (deflated 70%)
    adding: backregs/C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62.reg (92 bytes security) (deflated 70%)
    adding: backregs/shell.reg (92 bytes security) (deflated 75%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Revoking access for really "Everyone"

    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: aza2lcfo1f2c.dll
    deleting local copy: cib.dll
    deleting local copy: Clsutil.dll
    deleting local copy: cynsole.dll
    deleting local copy: dlcprop2.dll
    deleting local copy: dn0401dqe.dll
    deleting local copy: dn4401hqe.dll
    deleting local copy: dnrs0197e.dll
    deleting local copy: en4ql1h51.dll
    deleting local copy: ennql1551.dll
    deleting local copy: enpsl1771.dll
    deleting local copy: fpr8039ue.dll
    deleting local copy: g0402ahmgd4a2.dll
    deleting local copy: g222lcfo1f2c.dll
    deleting local copy: g2lm0c31ef.dll
    deleting local copy: gp8ql3l51.dll
    deleting local copy: gplsl3371.dll
    deleting local copy: gppsl3771.dll
    deleting local copy: h04m0ah1ed4.dll
    deleting local copy: h40q0ed5eh0.dll
    deleting local copy: h62o0gf3e62.dll
    deleting local copy: h64m0gh1e64.dll
    deleting local copy: hr0205doe.dll
    deleting local copy: hr2005fme.dll
    deleting local copy: hr2m05f1e.dll
    deleting local copy: hr6o05j3e.dll
    deleting local copy: i6060gdse6060.dll
    deleting local copy: i842liho184c.dll
    deleting local copy: ids.dll
    deleting local copy: j06m0aj1edo.dll
    deleting local copy: j2n2lc5o1f.dll
    deleting local copy: j40sled71h0.dll
    deleting local copy: j4n20e5oeh.dll
    deleting local copy: j62q0gf5e62.dll
    deleting local copy: jtl8073ue.dll
    deleting local copy: jtpq0775e.dll
    deleting local copy: jtpu0779e.dll
    deleting local copy: jtr8079ue.dll
    deleting local copy: kt20l7fm1.dll
    deleting local copy: kt4ml7h11.dll
    deleting local copy: ktr2l79o1.dll
    deleting local copy: lmtmb12n.dll
    deleting local copy: lv4009hme.dll
    deleting local copy: m2polc731f.dll
    deleting local copy: mddex.dll
    deleting local copy: mjjint40.dll
    deleting local copy: MMIMRT.DLL
    deleting local copy: mnnetobj.dll
    deleting local copy: MPVBVM60.DLL
    deleting local copy: muhtmler.dll
    deleting local copy: mv40l9hm1.dll
    deleting local copy: mvlul9391.dll
    deleting local copy: mZpistub.dll
    deleting local copy: n2r2lc9o1f.dll
    deleting local copy: ncdsxds.dll
    deleting local copy: noevent.dll
    deleting local copy: o2rolc931f.dll
    deleting local copy: o6ns0g57e6.dll
    deleting local copy: OGBCINST.DLL
    deleting local copy: osecli.dll
    deleting local copy: p66s0gj7e6o.dll
    deleting local copy: p84ulih9184.dll
    deleting local copy: phwrprof.dll
    deleting local copy: psrfdisk.dll
    deleting local copy: q0ps0a77ed.dll
    deleting local copy: q0psla771d.dll
    deleting local copy: suimgvw.dll
    deleting local copy: sworage.dll
    deleting local copy: tbrmmgr.dll
    deleting local copy: UBERENV.DLL
    deleting local copy: vxa256.dll
    deleting local copy: wxnsta.dll
    deleting local copy: XDNROLL.DLL

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000
     
  8. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    Continued

    The following are the files found:
    ****************************************************************************
    C:\WINNT2\system32\aza2lcfo1f2c.dll
    C:\WINNT2\system32\cib.dll
    C:\WINNT2\system32\Clsutil.dll
    C:\WINNT2\system32\cynsole.dll
    C:\WINNT2\system32\dlcprop2.dll
    C:\WINNT2\system32\dn0401dqe.dll
    C:\WINNT2\system32\dn4401hqe.dll
    C:\WINNT2\system32\dnrs0197e.dll
    C:\WINNT2\system32\en4ql1h51.dll
    C:\WINNT2\system32\ennql1551.dll
    C:\WINNT2\system32\enpsl1771.dll
    C:\WINNT2\system32\fpr8039ue.dll
    C:\WINNT2\system32\g0402ahmgd4a2.dll
    C:\WINNT2\system32\g222lcfo1f2c.dll
    C:\WINNT2\system32\g2lm0c31ef.dll
    C:\WINNT2\system32\gp8ql3l51.dll
    C:\WINNT2\system32\gplsl3371.dll
    C:\WINNT2\system32\gppsl3771.dll
    C:\WINNT2\system32\h04m0ah1ed4.dll
    C:\WINNT2\system32\h40q0ed5eh0.dll
    C:\WINNT2\system32\h62o0gf3e62.dll
    C:\WINNT2\system32\h64m0gh1e64.dll
    C:\WINNT2\system32\hr0205doe.dll
    C:\WINNT2\system32\hr2005fme.dll
    C:\WINNT2\system32\hr2m05f1e.dll
    C:\WINNT2\system32\hr6o05j3e.dll
    C:\WINNT2\system32\i6060gdse6060.dll
    C:\WINNT2\system32\i842liho184c.dll
    C:\WINNT2\system32\ids.dll
    C:\WINNT2\system32\j06m0aj1edo.dll
    C:\WINNT2\system32\j2n2lc5o1f.dll
    C:\WINNT2\system32\j40sled71h0.dll
    C:\WINNT2\system32\j4n20e5oeh.dll
    C:\WINNT2\system32\j62q0gf5e62.dll
    C:\WINNT2\system32\jtl8073ue.dll
    C:\WINNT2\system32\jtpq0775e.dll
    C:\WINNT2\system32\jtpu0779e.dll
    C:\WINNT2\system32\jtr8079ue.dll
    C:\WINNT2\system32\kt20l7fm1.dll
    C:\WINNT2\system32\kt4ml7h11.dll
    C:\WINNT2\system32\ktr2l79o1.dll
    C:\WINNT2\system32\lmtmb12n.dll
    C:\WINNT2\system32\lv4009hme.dll
    C:\WINNT2\system32\m2polc731f.dll
    C:\WINNT2\system32\mddex.dll
    C:\WINNT2\system32\mjjint40.dll
    C:\WINNT2\system32\MMIMRT.DLL
    C:\WINNT2\system32\mnnetobj.dll
    C:\WINNT2\system32\MPVBVM60.DLL
    C:\WINNT2\system32\muhtmler.dll
    C:\WINNT2\system32\mv40l9hm1.dll
    C:\WINNT2\system32\mvlul9391.dll
    C:\WINNT2\system32\mZpistub.dll
    C:\WINNT2\system32\n2r2lc9o1f.dll
    C:\WINNT2\system32\ncdsxds.dll
    C:\WINNT2\system32\noevent.dll
    C:\WINNT2\system32\o2rolc931f.dll
    C:\WINNT2\system32\o6ns0g57e6.dll
    C:\WINNT2\system32\OGBCINST.DLL
    C:\WINNT2\system32\osecli.dll
    C:\WINNT2\system32\p66s0gj7e6o.dll
    C:\WINNT2\system32\p84ulih9184.dll
    C:\WINNT2\system32\phwrprof.dll
    C:\WINNT2\system32\psrfdisk.dll
    C:\WINNT2\system32\q0ps0a77ed.dll
    C:\WINNT2\system32\q0psla771d.dll
    C:\WINNT2\system32\suimgvw.dll
    C:\WINNT2\system32\sworage.dll
    C:\WINNT2\system32\tbrmmgr.dll
    C:\WINNT2\system32\UBERENV.DLL
    C:\WINNT2\system32\vxa256.dll
    C:\WINNT2\system32\wxnsta.dll
    C:\WINNT2\system32\XDNROLL.DLL

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}"=-
    "{BF724B39-32A0-4850-99EA-A63E1BFA1613}"=-
    "{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}"=-
    "{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{C122CFF4-EAA4-4B7D-A14E-6EC312ABBA62}]
    [-HKEY_CLASSES_ROOT\CLSID\{BF724B39-32A0-4850-99EA-A63E1BFA1613}]
    [-HKEY_CLASSES_ROOT\CLSID\{1FE1943F-C88B-4C28-B528-DA9F8111FF8E}]
    [-HKEY_CLASSES_ROOT\CLSID\{5AA6B670-E8C5-4D10-8C24-F7456176B0AA}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1E7A22D2-ABBE-4499-8320-97A69EDA70E4}"=-
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{1E7A22D2-ABBE-4499-8320-97A69EDA70E4}</IDone>
    <IDtwo>VT00</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
     
  9. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    HiJack this log

    Logfile of HijackThis v1.99.0
    Scan saved at 10:48:33 AM, on 01/29/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT2\System32\smss.exe
    C:\WINNT2\system32\winlogon.exe
    C:\WINNT2\system32\services.exe
    C:\WINNT2\system32\lsass.exe
    C:\WINNT2\system32\svchost.exe
    C:\WINNT2\system32\LEXBCES.EXE
    C:\WINNT2\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT2\System32\svchost.exe
    C:\WINNT2\system32\hidserv.exe
    C:\WINNT2\system32\regsvc.exe
    C:\WINNT2\System32\WBEM\WinMgmt.exe
    C:\WINNT2\System32\mspmspsv.exe
    C:\WINNT2\system32\svchost.exe
    C:\WINNT2\SOUNDMAN.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\lotus\wordpro\ltsstart.exe
    C:\WINNT2\explorer.exe
    C:\Utilities\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT2\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [CXMon] "d:\new folder\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Startup: Lotus SmartCenter 97.lnk = C:\lotus\smartctr\smartctr.exe
    O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
    O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT2\System32\dmadmin.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT2\system32\LEXBCES.EXE
    O23 - Service: MPService - Unknown - C:\Program Files\Canon\MultiPASS\mpservic.exe
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    That looks remarkably like it got it all.

    Did you fix all the things in red yourself, and if so, did you just fix them with HJT or did you delete the files & folders?
     
  11. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    Used HJT to fix all
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    In that case give me an hour or so and I'll draw up a list of files & folders to be deleted.

    And as some of them were pretty nasty backdoors, I would suggest you run an anti-trojan.

    In fact it's probably best to run the AT first and let it fix what we didn't see in the HJT log.

    The anti-trojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    Download & install the 30 day free trial, and update it manually as described here http://tds.diamondcs.com.au/index.php?page=update, as the trial version doesn't have auto update enabled.

    Then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in the top right corner; then select system testing and select full system scan.

    Sit back with a cup of coffee and watch what it finds.

    NOTE:

    Unlike set-and-forget AVs, TDS works with you: it doesn't auto delete anything, but puts a list of found suspect files in the bottom window.

    Right click any file it finds and it gives you options on dealing with it. The normal selection would be delete, but first select "save as text"; that will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    Post back with the TDS log after running please, just copy & paste the entries from the scandump.txt.
     
  13. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    I've been running AVG on this one for the last two hours.. so far it has found over 36 viruses (mostly the IRC/Backdoor.flood and BAT/Generic) but is unable to fix them. I was about to see if I can attach to the internet on it and run House Call. I'll try your TDS3 first.

    As for the coffee... had too much already.. time for a beer.
     
  14. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,642
    First Name:
    Jim
    Ok, after a couple of beers.....
    FYI.. I'm unable to connect the troubled PC to the internet.
    Maybe a winsock corruption or something related to this stuff.

    Scan Control Dumped @ 17:01:59 29-01-05
    File Trace: Default trojan filename: Worm.Mofeir (log)
    File: C:\WINNT2\System32\MoFei.ver

    File Trace: Default trojan filename: Worm.Randex please submit
    File: C:\WINNT2\System32\msgfix.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_USERS
    File: .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run [Configuration Loader=msgfix.exe

    Positive identification: Riskware.Firedaemon
    File: d:\winnt\system32\root\firedaemon.exe

    Positive identification: Adware.PurityScan.w1
    File: c:\documents and settings\default user.winnt2\application data\scno.exe

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8524 bytes
    File: c:\documents and settings\sean\my documents\my pictures\blackmonkies.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\documents and settings\sean\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    Positive identification: Adware.LOP.a
    File: c:\documents and settings\ultinet\application data\lfwpkoci.exe

    Positive identification: Adware.LOP.a
    File: c:\documents and settings\ultinet\application data\qwpwhmob.exe

    Positive identification: Adware.LOP.a
    File: c:\documents and settings\ultinet\application data\riggucyh.exe

    Positive identification: Adware.PurityScan.w1
    File: c:\documents and settings\ultinet\application data\scno.exe

    Positive identification: TrojanDropper.Win32.SurfSide.a
    File: c:\winnt2\ssk_b5.exe

    Positive identification (embedded in file): DDoS.RAT.SDBot.qg
    File: c:\winnt2\backup\tb041019.dat

    Positive identification (DLL): Adware.ToolBar.SBSoft.g (dll)
    File: c:\winnt2\downloaded program files\webdlg32.dll

    Positive identification (DLL): HackTool.NTPass 1.0 (dll)
    File: c:\winnt2\system32\090-ntpass.xpn

    Positive identification (DLL): Adware.Coreak (dll)
    File: c:\winnt2\system32\akcore.dll

    Positive identification (DLL): TrojanDownloader.Win32.PurityScan.l (dll)
    File: c:\winnt2\system32\szwwed.dll

    Positive identification: Riskware.Firedaemon
    File: c:\winnt2\tmpd\o\firedaemon.exe

    Trojan Client\EditServer found: Netcat 1.10 (Utility)
    File: c:\winnt_sav\system32\ncp.exe

    Positive identification: Riskware.Firedaemon
    File: c:\winnt_sav\system32\dllcache\firedaemon.exe

    Positive identification: Riskware.Firedaemon
    File: d:\winnt\system32\root\firedaemon.exe
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Ok you can ignore these 2
    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8524 bytes
    File: c:\documents and settings\sean\my documents\my pictures\blackmonkies.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\documents and settings\sean\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    let TDS fix all the rest by right clicking each in turn and select delete or whichever option it gives

    First please copy these folders and zip them ( if they still exist)
    d:\winnt\system32\root\
    c:\winnt2\tmpd
    c:\program files\oemji
    C:\Program Files\Wwphwy\
    C:\Program Files\Ofufx


    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Now run killbox and paste each of these lines into the box, select standard file delete, then press the red X button, say yes to the prompt, then continue to paste the lines in, in turn, and follow the above procedure every time. If it says file is missing, don't worry, but if it says unable to delete file then select delete on reboot BUT DO NOT let it reboot yet.


    C:\Documents and Settings\ultinet\Application Data\euse.exe
    C:\WINNT2\system32\jberia.exe
    C:\WINNT\SYSTEM32\ethetdp.exe
    C:\WINNT\SYSTEM32\nghj.exe
    C:\WINNT\SYSTEM32\dgndp.exe
    C:\WINNT\SYSTEM32\tuhe.exe
    C:\WINNT\SYSTEM32\fgsn.exe
    C:\winnt\system32\fdafbfd.exe
    C:\WINNT\SYSTEM32\vhdfs.exe
    C:\WINNT\SYSTEM32\hfdga.exe
    C:\WINNT\SYSTEM32\gsdgfw.exe
    C:\WINNT\SYSTEM32\fabbwq.exe
    C:\WINNT\SYSTEM32\sbsvsd.exe
    C:\WINNT2\system32\??xplore.exe
    C:\winnt\system32\dllcache\FireDaemon.EXE
    C:\WINNT2\system32fsdqd.exe
    C:\WINNT2\system32vcvsdf.exe
    C:\WINNT2\system32kusrs.exe
    C:\WINNT2\system32grwfsrs.exe
    C:\WINNT2\system32fxpflashfix.exe
    C:\WINNT2\system32sdqdad.exe
    C:\WINNT2\system32fwr.exe
    C:\WINNT2\system32msbuffer.exe
    C:\WINNT2\system32system32,1.exe
    C:\WINNT2\system32sdqdqg.exe



    Then delete these folders

    d:\winnt\system32\root\
    c:\winnt2\tmpd
    c:\program files\oemji
    C:\Program Files\SurfSideKick 2\
    C:\Program Files\Messenger Plus! 3
    C:\Program Files\Wwphwy\
    C:\Program Files\Ofufx
    C:\PROGRAM FILES\SPYSPOTTER

    Then please go to C:\!submit which is where killbox will have made copies of all the files you have deleted, zip up the folder and send it to me along with the zipped copies of the other folders mentioned to [email protected] so I can get all these copies off to the antivirus/antitrojan developers
     
Short URL to this thread: https://techguy.org/324351