PDA

View Full Version : Another Hijackthis to bore you



Darren
2005-11-23, 07:18
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ocby\Xyfvu.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sllights.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\Documents and Settings\Darren Clarke\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Qmbgfys] C:\Program Files\Ocby\Xyfvu.exe
O4 - HKLM\..\Run: [# *L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fqaqbw.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBxdm212YYAU
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A66DD76-283E-4CE9-A795-F473D8C6AC50}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\n02ulaf91d2.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jtp2077oe.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

LonnyRJones
2005-11-23, 10:21
Hi Darren

Post the entire log including the header next time

Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar. (even Folders)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Qmbgfys] C:\Program Files\Ocby\Xyfvu.exe
O4 - HKLM\..\Run: [# *L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fqaqbw.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Optionals >
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZBxdm212YYAU
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please,

Next: in another post
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If you receive while running option #1, an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

Darren
2005-11-23, 14:10
Thanks for the reply
New logfile with headline this time :)

Logfile of HijackThis v1.99.1
Scan saved at 11:04:41 PM, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Darren Clarke\My Documents\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jt8s07l7e.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jtp2077oe.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

done the first part of you instructions, now onto the second section

Darren
2005-11-23, 14:21
Now for the "Run Find Log"

PART 1 (TOO LONG FOR ONE POST I'M AFRAID)

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt8s07l7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtp2077oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************

Darren
2005-11-23, 14:24
part 2

useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FBFEC7D0-C884-61A8-8A44-1D969D841839}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace

Darren
2005-11-23, 14:27
L2MFIX find log 1.99
PART 3
Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A0752120-6D75-D111-B5B1-0800095A2318}"="HandyBits EasyCrypto Shell Extensions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler"
"{7106CF04-42F8-4314-81C4-2EE07F61962D}"=""
"{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\InprocServer32]
@="C:\\WINDOWS\\system32\\djskcopy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\InprocServer32]
@="C:\\WINDOWS\\system32\\LSPCX80N.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri 7 Oct 2005 11:24:06 A.... 687,592 671.48 K
browseui.dll Sat 3 Sep 2005 9:52:04 A.... 1,019,904 996.00 K
cdfview.dll Sat 3 Sep 2005 9:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 11:53:42 A.... 2,067,968 1.97 M
danim.dll Sat 3 Sep 2005 9:52:04 A.... 1,053,696 1.00 M
djskcopy.dll Wed 23 Nov 2005 23:02:40 ..... 235,059 229.55 K
dxtrans.dll Sat 3 Sep 2005 9:52:04 A.... 205,312 200.50 K
en6ul1~1.dll Wed 23 Nov 2005 18:56:38 ..S.R 234,607 229.11 K
extmgr.dll Sat 3 Sep 2005 9:52:04 ..... 55,808 54.50 K
fpr403~1.dll Wed 23 Nov 2005 23:02:38 ..S.R 235,552 230.03 K
gdi32.dll Thu 6 Oct 2005 13:09:36 A.... 280,064 273.50 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23,304 22.76 K
iepeers.dll Sat 3 Sep 2005 9:52:04 A.... 251,392 245.50 K
inseng.dll Sat 3 Sep 2005 9:52:04 A.... 96,256 94.00 K
iwnathlp.dll Wed 23 Nov 2005 12:28:28 ..S.R 234,272 228.78 K
iynathlp.dll Wed 23 Nov 2005 12:28:24 A.... 234,272 228.78 K
j62qlg~1.dll Sat 8 Oct 2005 9:48:42 ..S.R 235,798 230.27 K
jt8s07~1.dll Wed 23 Nov 2005 21:54:44 ..S.R 235,059 229.55 K
ktr4l7~1.dll Wed 23 Nov 2005 9:18:06 ..S.R 234,272 228.78 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520,968 508.76 K
linkinfo.dll Thu 1 Sep 2005 11:41:54 A.... 19,968 19.50 K
lmmlmvid.dll Sat 8 Oct 2005 9:48:42 ..S.R 234,272 228.78 K
mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Sat 3 Sep 2005 9:52:06 A.... 448,512 438.00 K
msrating.dll Sat 3 Sep 2005 9:52:06 A.... 146,432 143.00 K
mstime.dll Sat 3 Sep 2005 9:52:06 A.... 530,432 518.00 K
pngfilt.dll Sat 3 Sep 2005 9:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 13:54:26 A.... 1,287,168 1.23 M
shdocvw.dll Sat 3 Sep 2005 9:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 13:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Sat 3 Sep 2005 9:52:06 A.... 473,600 462.50 K
sintf16.dll Thu 27 Oct 2005 12:12:44 A.... 12,067 11.78 K
sintf32.dll Thu 27 Oct 2005 12:12:44 A.... 17,212 16.81 K
sintfnt.dll Thu 27 Oct 2005 12:12:46 A.... 21,840 21.33 K
sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K
spkit432.dll Fri 7 Oct 2005 20:35:24 ..S.R 234,272 228.78 K
sqtupdll.dll Wed 23 Nov 2005 10:45:14 ..S.R 234,272 228.78 K
urlmon.dll Sat 3 Sep 2005 9:52:06 A.... 608,768 594.50 K
wininet.dll Sat 3 Sep 2005 9:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 11:41:54 A.... 291,840 285.00 K

40 items found: 40 files (9 H/S), 0 directories.
Total of file sizes: 26,618,994 bytes 25.38 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed 23 Nov 2005 23:04:40 ..S.R 235,059 229.55 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 235,059 bytes 229.55 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HDD
Volume Serial Number is B8A8-8356

Directory of C:\WINDOWS\System32

23/11/2005 11:14 PM <DIR> ..
23/11/2005 11:14 PM <DIR> .
23/11/2005 11:04 PM 235,059 guard.tmp
23/11/2005 11:02 PM 235,552 fpr4039qe.dll
23/11/2005 09:54 PM 235,059 jt8s07l7e.dll
23/11/2005 06:56 PM 234,607 en6ul1j91.dll
23/11/2005 12:28 PM 234,272 iwnathlp.dll
23/11/2005 10:45 AM 234,272 sqtupdll.dll
23/11/2005 09:18 AM 234,272 ktr4l79q1.dll
16/10/2005 03:02 AM <DIR> dllcache
08/10/2005 09:48 AM 234,272 LMMLMVid.dll
08/10/2005 09:48 AM 235,798 j62qlgf5162.dll
07/10/2005 08:35 PM 234,272 SPKIT432.DLL
21/09/2003 12:59 PM <DIR> Microsoft
10 File(s) 2,347,435 bytes
4 Dir(s) 14,264,414,208 bytes free

Darren
2005-11-23, 14:52
this hassle over spyware has taken over my day, no gym, no time with my wife, not even stepped outside the house and it has been a beautiful day here in Queensland Australia

LonnyRJones
2005-11-23, 19:29
Hi

Close any programs you have open since this step requires a reboot.
Close the internet connection, Unplug your modem if on cable or satalite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter
at the echo Enter at the following password prompt: bye
type "BYE" and hit enter, you wont see bye display
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Darren
2005-11-24, 00:05
Hello again
This is the new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 9:00:14 AM, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darren Clarke\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jtp2077oe.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fpr4039qe.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

Darren
2005-11-24, 00:12
the l2mfx did not open on reboot with a log, i hope this is the right information it says log but has no data

The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:

i have a feeling this is no help to you so just in case i add this as well
Under lo2

Starting Beta Fix 112205
Granting SeDebugPrivilege to L2MFIX ... successful

There is another notepad that was created yesterday titiled 'report' it has more information and i will add this just incase

Darren
2005-11-24, 00:21
Sorry :thud:
that notepad is the one i have already added, i'm starting to lose the plot, is it normal to want to throw you computer off the balconey and into the canal, maybe it is just me, these pop ups send me crazy

I had a major problem with Spyware a few months ago and i found Spybot which promptly cleaned it all up, i love your product and with it your sense of integrity.

Darren
2005-11-24, 01:08
As a after thought, Spybot has not detected anything on it searches for two days now, that in itself is odd as since i have had it, it has always detected

"Rotue"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrantVersion\Uninstall\Rotue

on fresh searches which i delete (a total of 28 times now) only for it to come back.

Also the last thing it detected and the start of my problems was:
"Command Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

LonnyRJones
2005-11-24, 01:24
Hi , we will get back to rout and cmdservive later

I had the same thing happen to me using option 2 in l2m fix
i was mistypeing and expecting to see what i had typed displayed on the screen, i wont show. when it prompts for the password simply type
bye
and hit enter
try again please
Question is your account in the administrators group ?

Darren
2005-11-24, 01:40
Still the same

The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:

i realised my mistake the first time and repeated it a few times as i know it was not the reply you were expecting, anyway i deleted the log and repeated the the procedure.
before where it said to press any key for the reboot it said
"Please fix the missing file 020 with highjackthis after the reboot

LonnyRJones
2005-11-24, 02:19
Hi
Is your pc fat32 or an ntfs system ?

In l2mfix Did you see this screen ?

LonnyRJones
2005-11-24, 02:23
http://forums.subratam.org/uploads/post-15-1132795352.jpg

Darren
2005-11-24, 02:27
Sorry Lonny

fat32 or an ntfs system ? Not sure what that is, how do i find out, sorry to waste time?

In l2mfix Did you see this screen ? Yes just like that screen

LonnyRJones
2005-11-24, 02:30
"Yes just like that screen"

OK, then the pc did restart correct ?
if so open the l2mfix folder and post the log.txt (not report.txt)

Darren
2005-11-24, 02:34
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:

:(

LonnyRJones
2005-11-24, 02:48
This is the screen you saw correct ?

did you see this runas error ?
http://forums.subratam.org/uploads/post-15-1132796748.jpg

Darren
2005-11-24, 02:51
No run errors Lonny i kept an eye out for them, the screen was the same as your first one

LonnyRJones
2005-11-24, 02:57
Ok

Shadowwar just released another version
replace your l2mfim and try option 2 again, if you still have a problem and see a screen differant that either of those i posted take a screenshot and post it please.

unrelated to l2mfix >
To find out if your system is fat32 or ntfs open the my computer icon,
near the top should be these fields, name, type, total size, file system
if file system isnt there right click in that area and check it to be shown

Darren
2005-11-24, 03:09
The system is NTFS

Darren
2005-11-24, 03:27
Under lo2 (the only notepad now after doing option 2 again after a reinstall)

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0

Darren
2005-11-24, 03:38
╔══════════════════════════════════╗
║ L2MFix Tool By Shadowwar v1.99c ║
╠══════════════════════════════════╣
║ 1. Run Find Log ║
║ 2. Run Fix ║
║ 3. View Readme ║
║ 4. Restore reg perm (obsolete) ║
║ 5. Fix Autoexec.nt/cmd.exe error ║
║ E. Exit ║
╚══════════════════════════════════╝
{1,2,3,4,5,E}2
This fix will reboot automatically.
Enter at the password prompt: bye
it will not display as you type.
Enter the password for L2MFIX:
Attempting to start switch.bat as user "GAM\L2MFIX" ...
Processing Cleanup.
..
The system is ready to reboot now. The log.txt will be in
the l2mfix folder after the reboot if it does not open
on its own. Please fix the missing file 020 with hijackthis.
after the reboot.
Press any key to continue . . .

I don't how to do screenshot so i cut and pasted sorry, i did not even it was possible :)

LonnyRJones
2005-11-24, 03:49
Ok thanks

The developer is watching and may respond if he has time.

Since your system is ntfs We can go at it from another dirrection

Save findl2m.zip to your desktop
(edit: removed URL as its beta)
extract the files inside also to the desktop, open the folder and run findl2m.bat
Post the report text please

shadowwar
2005-11-24, 03:55
and you totally deleted the old l2mfix folder correct?

Darren
2005-11-24, 03:58
yes deleted the old one, but the new one seemed just the same to me

UPX + cryptor (PE) DN6801~1.DLL ....236413 24.11.2005
UPX + cryptor (PE) EN6UL1~1.DLL ....234607 23.11.2005
UPX + cryptor (PE) ENPOL1~1.DLL ....236923 24.11.2005
UPX + cryptor (PE) ENPUL1~1.DLL ....235059 23.11.2005
UPX + cryptor (PE) HR2M05~1.DLL ....235677 24.11.2005
UPX + cryptor (PE) IWNATHLP.DLL ....234272 23.11.2005
UPX + cryptor (PE) IYNATHLP.DLL ....234272 23.11.2005
UPX + cryptor (PE) J62QLG~1.DLL ....235798 08.10.2005
UPX + cryptor (PE) KTR4L7~1.DLL ....234272 23.11.2005
UPX + cryptor (PE) L0N4LA~1.DLL ....235552 24.11.2005
UPX + cryptor (PE) LMMLMVID.DLL ....234272 08.10.2005
UPX + cryptor (PE) P24ULC~1.DLL ....234219 24.11.2005
UPX + cryptor (PE) SIBCSP.DLL ....235552 24.11.2005
UPX + cryptor (PE) SPKIT432.DLL ....234272 07.10.2005
UPX + cryptor (PE) SQTUPDLL.DLL ....234272 23.11.2005
Access denied ..................... CMCUI.DLL ....235552 24.11.2005
Access denied ..................... FPR403~1.DLL ....235552 23.11.2005
Access denied ..................... IR8QL5~1.DLL ....237137 24.11.2005

shadowwar
2005-11-24, 04:02
are you running xp home? if so mulitple users logged in right now?

Darren
2005-11-24, 04:04
it is xp home and i am the only one logged in

Darren
2005-11-24, 04:17
after you mentioning multiple log ons i went to User settings where there was a unknown user account that i deleted, probably nothing but i let you know nonetheless

LonnyRJones
2005-11-24, 05:06
Hi

If you have restarted the pc since running findl2m skip this and run it again
L2m makes new files at each windows startup


Copy the bolded below into a new notepad document (not wordpad).
Click file> save as...> call it batch.bat > file types *all files*> and save it to the findL2M folder.

if not exist "%WinDir%\System32\XCACLS.exe" copy XCACLS.exe "%WinDir%\System32" >nul
cd %windir%\system32
XCACLS CMCUI.DLL /P ADMINISTRATOR:F /Y
XCACLS FPR403~1.DLL /P ADMINISTRATOR:F /Y
XCACLS IR8QL5~1.DLL /P ADMINISTRATOR:F /Y
XCACLS EN6UL1~1.DLL /P ADMINISTRATOR:F /Y
XCACLS ENPOL1~1.DLL /P ADMINISTRATOR:F /Y
XCACLS ENPUL1~1.DLL /P ADMINISTRATOR:F /Y
XCACLS DN6801~1.DLL /P ADMINISTRATOR:F /Y
XCACLS HR2M05~1.DLL /P ADMINISTRATOR:F /Y
XCACLS IWNATHLP.DLL /P ADMINISTRATOR:F /Y
XCACLS IYNATHLP.DLL /P ADMINISTRATOR:F /Y
XCACLS KTR4L7~1.DLL /P ADMINISTRATOR:F /Y
XCACLS L0N4LA~1.DLL /P ADMINISTRATOR:F /Y
XCACLS P24ULC~1.DLL /P ADMINISTRATOR:F /Y
XCACLS SIBCSP.DLL /P ADMINISTRATOR:F /Y
XCACLS SQTUPDLL.DLL /P ADMINISTRATOR:F /Y
echo crappie>guard.tmp
XCACLS guard.tmp /P ADMINISTRATOR:F /Y
echo Finished, restart the PC
pause

Run batch bat then restart the PC
post a new hijackthis log

Darren
2005-11-24, 05:24
Logfile of HijackThis v1.99.1
Scan saved at 2:20:36 PM, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Darren Clarke\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jtp2077oe.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ir8ql5l51.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

LonnyRJones
2005-11-24, 06:04
Start Hijackthis and place a check next to these items If there.
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jtp2077oe.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ir8ql5l51.dll
====================================
Hit fix checked and close Hijackthis.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan again with hiajckthis and post a log if there is a new O20 - Winlogon Notify: entry

Darren
2005-11-24, 06:10
Done, and just as you predicted that 020 has appeared

Logfile of HijackThis v1.99.1
Scan saved at 3:09:03 PM, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\Documents and Settings\Darren Clarke\My Documents\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A66DD76-283E-4CE9-A795-F473D8C6AC50}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ir8ql5l51.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

LonnyRJones
2005-11-24, 06:17
Hi Darren

remake batch.bat and run it again please. its possible you made it incorrectly or i edited it slightly and you copied the first one.

Darren
2005-11-24, 06:43
Hope i'm doing this right
First i remade the batch.bat notpad and then saved it to FindL2M folder
Then i ran
batch
MS-DOS Batch File
This ran quickily and i noticed some errors beneath the searches
Anyhow i turned the computer off.
On restart it took a extra moment to load my settings then i did a hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 3:36:14 PM, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Darren Clarke\My Documents\Copy of HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\mv4ol9h31.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\WXDRMNet.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

LonnyRJones
2005-11-24, 06:49
Hi
what errors did you see ?

Lets give it a rest and try again tomarro
at that time post a report from l2mfix, option one and findl2m
once posted dont restart the pc please

Darren
2005-11-24, 06:54
Ok Lonny that sounds good, what time zone you in by the way?

The errors i will try to snapshot :) i think i know how to do them now, not sure how to attach them to the forum posts though

LonnyRJones
2005-11-24, 07:08
In a command prompt you can copy those errors
go file (little black box in upper left corner) edit mark
mark the contents by hilighting them then go file >edit >copy

Im in the usa, in about 8 to ten hours would be a good time to post the logs

Darren
2005-11-24, 07:10
OK nice one
thanks for all you have done so far

Darren
2005-11-24, 07:25
This is inside the FindL2m folder

Darren
2005-11-24, 07:41
After running the batch file
The errors are just below

C:\Documents and Settings\Darren Clarke\Desktop\FindL2M>if not exist "C:\WIN
\System32\XCACLS.exe" copy XCACLS.exe "C:\WINDOWS\System32" 1>nul

C:\Documents and Settings\Darren Clarke\Desktop\FindL2M>cd C:\WINDOWS\system

C:\WINDOWS\system32>XCACLS CMCUI.DLL /P ADMINISTRATOR:F /Y
ERROR: The system cannot find the file specified.

C:\WINDOWS\system32>XCACLS FPR403~1.DLL /P ADMINISTRATOR:F /Y
ERROR: The system cannot find the file specified.

C:\WINDOWS\system32>XCACLS IR8QL5~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\ir8ql5l51.dll

C:\WINDOWS\system32>XCACLS EN6UL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\en6ul1j91.dll

C:\WINDOWS\system32>XCACLS ENPOL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\enpol1731.dll

C:\WINDOWS\system32>XCACLS ENPUL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\enpul1791.dll

C:\WINDOWS\system32>XCACLS DN6801~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\dn6801jue.dll

C:\WINDOWS\system32>XCACLS HR2M05~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\hr2m05f1e.dll

C:\WINDOWS\system32>XCACLS IWNATHLP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\iwnathlp.dll

C:\WINDOWS\system32>XCACLS IYNATHLP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\iynathlp.dll

C:\WINDOWS\system32>XCACLS KTR4L7~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\ktr4l79q1.dll

C:\WINDOWS\system32>XCACLS L0N4LA~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll

C:\WINDOWS\system32>XCACLS P24ULC~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\p24ulch91f4.dll

C:\WINDOWS\system32>XCACLS SIBCSP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\sibcsp.dll

C:\WINDOWS\system32>XCACLS SQTUPDLL.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\sqtupdll.dll

C:\WINDOWS\system32>echo crappie 1>guard.tmp
Access is denied.

C:\WINDOWS\system32>XCACLS guard.tmp /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32>echo Finished, restart the PC
Finished, restart the PC

C:\WINDOWS\system32>pause
Press any key to continue . . .

Darren
2005-11-24, 13:52
FindL2M search at log on

C:\Documents and Settings\Darren Clarke\Desktop\FindL2M\FindL2M>if no
\WINDOWS\System32\XCACLS.exe" copy XCACLS.exe "C:\WINDOWS\System32"

C:\Documents and Settings\Darren Clarke\Desktop\FindL2M\FindL2M>cd C:
stem32

C:\WINDOWS\system32>XCACLS CMCUI.DLL /P ADMINISTRATOR:F /Y
ERROR: The system cannot find the file specified.

C:\WINDOWS\system32>XCACLS FPR403~1.DLL /P ADMINISTRATOR:F /Y
ERROR: The system cannot find the file specified.

C:\WINDOWS\system32>XCACLS IR8QL5~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\ir8ql5l51.dll

C:\WINDOWS\system32>XCACLS EN6UL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\en6ul1j91.dll

C:\WINDOWS\system32>XCACLS ENPOL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\enpol1731.dll

C:\WINDOWS\system32>XCACLS ENPUL1~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\enpul1791.dll

C:\WINDOWS\system32>XCACLS DN6801~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\dn6801jue.dll

C:\WINDOWS\system32>XCACLS HR2M05~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\hr2m05f1e.dll

C:\WINDOWS\system32>XCACLS IWNATHLP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\iwnathlp.dll

C:\WINDOWS\system32>XCACLS IYNATHLP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\iynathlp.dll

C:\WINDOWS\system32>XCACLS KTR4L7~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\ktr4l79q1.dll

C:\WINDOWS\system32>XCACLS L0N4LA~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll

C:\WINDOWS\system32>XCACLS P24ULC~1.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\p24ulch91f4.dll

C:\WINDOWS\system32>XCACLS SIBCSP.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\sibcsp.dll

C:\WINDOWS\system32>XCACLS SQTUPDLL.DLL /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\sqtupdll.dll

C:\WINDOWS\system32>echo crappie 1>guard.tmp

C:\WINDOWS\system32>XCACLS guard.tmp /P ADMINISTRATOR:F /Y
processed file: C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32>echo Finished, restart the PC
Finished, restart the PC

C:\WINDOWS\system32>pause
Press any key to continue . . .

Darren
2005-11-24, 13:55
L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\WXDRMNet.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrr6059se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

Darren
2005-11-24, 13:57
part 2


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FBFEC7D0-C884-61A8-8A44-1D969D841839}"=""

**********************************************************************************

Darren
2005-11-24, 14:01
part 3

Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

Darren
2005-11-24, 14:03
part 4

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A0752120-6D75-D111-B5B1-0800095A2318}"="HandyBits EasyCrypto Shell Extensions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler"
"{7106CF04-42F8-4314-81C4-2EE07F61962D}"=""
"{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7106CF04-42F8-4314-81C4-2EE07F61962D}\InprocServer32]
@="C:\\WINDOWS\\system32\\WXDRMNet.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}\InprocServer32]
@="C:\\WINDOWS\\system32\\LSPCX80N.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri 7 Oct 2005 11:24:06 A.... 687,592 671.48 K
browseui.dll Sat 3 Sep 2005 9:52:04 A.... 1,019,904 996.00 K
cdfview.dll Sat 3 Sep 2005 9:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 11:53:42 A.... 2,067,968 1.97 M
danim.dll Sat 3 Sep 2005 9:52:04 A.... 1,053,696 1.00 M
dn6801~1.dll Thu 24 Nov 2005 8:55:50 A.S.R 236,413 230.87 K
dxtrans.dll Sat 3 Sep 2005 9:52:04 A.... 205,312 200.50 K
en6ul1~1.dll Wed 23 Nov 2005 18:56:38 A.S.R 234,607 229.11 K
enpol1~1.dll Thu 24 Nov 2005 10:31:50 A.S.R 236,923 231.37 K
enpul1~1.dll Wed 23 Nov 2005 23:04:40 A.S.R 235,059 229.55 K
extmgr.dll Sat 3 Sep 2005 9:52:04 ..... 55,808 54.50 K
gdi32.dll Thu 6 Oct 2005 13:09:36 A.... 280,064 273.50 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23,304 22.76 K
hr2m05~1.dll Thu 24 Nov 2005 11:56:58 A.S.R 235,677 230.15 K
iepeers.dll Sat 3 Sep 2005 9:52:04 A.... 251,392 245.50 K
inseng.dll Sat 3 Sep 2005 9:52:04 A.... 96,256 94.00 K
ir8ql5~1.dll Thu 24 Nov 2005 12:21:02 A.S.R 237,137 231.58 K
iwnathlp.dll Wed 23 Nov 2005 12:28:28 A.S.R 234,272 228.78 K
iynathlp.dll Wed 23 Nov 2005 12:28:24 A.... 234,272 228.78 K
j62qlg~1.dll Sat 8 Oct 2005 9:48:42 ..S.R 235,798 230.27 K
ktr4l7~1.dll Wed 23 Nov 2005 9:18:06 A.S.R 234,272 228.78 K
l0n4la~1.dll Thu 24 Nov 2005 8:28:22 A.S.R 235,552 230.03 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520,968 508.76 K
linkinfo.dll Thu 1 Sep 2005 11:41:54 A.... 19,968 19.50 K
lmmlmvid.dll Sat 8 Oct 2005 9:48:42 ..S.R 234,272 228.78 K
mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Sat 3 Sep 2005 9:52:06 A.... 448,512 438.00 K
msrating.dll Sat 3 Sep 2005 9:52:06 A.... 146,432 143.00 K
mstime.dll Sat 3 Sep 2005 9:52:06 A.... 530,432 518.00 K
p24ulc~1.dll Thu 24 Nov 2005 8:49:30 A.S.R 234,219 228.73 K
piqsp.dll Thu 24 Nov 2005 22:12:08 ..S.R 237,137 231.58 K
pngfilt.dll Sat 3 Sep 2005 9:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 13:54:26 A.... 1,287,168 1.23 M
shdocvw.dll Sat 3 Sep 2005 9:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 13:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Sat 3 Sep 2005 9:52:06 A.... 473,600 462.50 K
sibcsp.dll Thu 24 Nov 2005 8:43:30 A.S.R 235,552 230.03 K
sintf16.dll Thu 27 Oct 2005 12:12:44 A.... 12,067 11.78 K
sintf32.dll Thu 27 Oct 2005 12:12:44 A.... 17,212 16.81 K
sintfnt.dll Thu 27 Oct 2005 12:12:46 A.... 21,840 21.33 K
sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K
spkit432.dll Fri 7 Oct 2005 20:35:24 ..S.R 234,272 228.78 K
sqtupdll.dll Wed 23 Nov 2005 10:45:14 A.S.R 234,272 228.78 K
urlmon.dll Sat 3 Sep 2005 9:52:06 A.... 608,768 594.50 K
wininet.dll Sat 3 Sep 2005 9:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 11:41:54 A.... 291,840 285.00 K
wxdrmnet.dll Thu 24 Nov 2005 14:19:30 ..S.R 237,137 231.58 K

47 items found: 47 files (17 H/S), 0 directories.
Total of file sizes: 28,274,130 bytes 26.96 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HDD
Volume Serial Number is B8A8-8356

Directory of C:\WINDOWS\System32

24/11/2005 10:12 PM <DIR> ..
24/11/2005 10:12 PM <DIR> .
24/11/2005 10:12 PM 237,137 pIqsp.dll
24/11/2005 02:19 PM 237,137 WXDRMNet.dll
24/11/2005 12:21 PM 237,137 ir8ql5l51.dll
24/11/2005 11:56 AM 235,677 hr2m05f1e.dll
24/11/2005 10:31 AM 236,923 enpol1731.dll
24/11/2005 08:55 AM 236,413 dn6801jue.dll
24/11/2005 08:49 AM 234,219 p24ulch91f4.dll
24/11/2005 08:43 AM 235,552 sibcsp.dll
24/11/2005 08:28 AM 235,552 l0n4la5q1d.dll
23/11/2005 11:04 PM 235,059 enpul1791.dll
23/11/2005 06:56 PM 234,607 en6ul1j91.dll
23/11/2005 12:28 PM 234,272 iwnathlp.dll
23/11/2005 10:45 AM 234,272 sqtupdll.dll
23/11/2005 09:18 AM 234,272 ktr4l79q1.dll
16/10/2005 03:02 AM <DIR> dllcache
08/10/2005 09:48 AM 234,272 LMMLMVid.dll
08/10/2005 09:48 AM 235,798 j62qlgf5162.dll
07/10/2005 08:35 PM 234,272 SPKIT432.DLL
21/09/2003 12:59 PM <DIR> Microsoft
17 File(s) 4,002,571 bytes
4 Dir(s) 14,216,364,032 bytes free

Darren
2005-11-24, 14:12
There is the stuff Lonny ready for whenever you want to tackle it. Isn't it Thankgiving in America though, did you forget??

shadowwar
2005-11-24, 15:00
Hi.

I updated l2mfix again.. think it might be the space in the username causing the problem. would you mind re downloading it and trying again? be sure to delete the old l2mfix folder please.

run option 2 and let me know if you see any errors and if any other dos windows open after you enter the password and enter.

Thanks

Darren
2005-11-24, 15:16
on it Shadow

i download it from the same link i'm guessing?

Darren
2005-11-24, 15:28
Hi.

I updated l2mfix again.. think it might be the space in the username causing the problem. would you mind re downloading it and trying again? be sure to delete the old l2mfix folder please.

run option 2 and let me know if you see any errors and if any other dos windows open after you enter the password and enter.

Thanks

no errors Shadow, everything the same as before in the window and after reboot

the only notepad was lo2

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0

Darren
2005-11-24, 22:38
No luck :(

Darren
2005-11-25, 01:12
I removed and reinstalled all procedures again, no change in results

LonnyRJones
2005-11-25, 02:25
Hi Darren

Delete findl2m and replace with this one

extract then move the findl2m folder to c:\
run the findl2m.bat and post the text that will open.
dont mess with the other files. please

Edit: removed download url .

Darren
2005-11-25, 04:20
I removed the program and reinstalled it saving it this time to the 'C' drive

The type of the file system is NTFS.
C: is not dirty.
C:\WINDOWS\SYSTEM32\DN6801~1.DLL
C:\WINDOWS\SYSTEM32\EN6UL1~1.DLL
C:\WINDOWS\SYSTEM32\ENPOL1~1.DLL
C:\WINDOWS\SYSTEM32\ENPUL1~1.DLL
C:\WINDOWS\SYSTEM32\HR2M05~1.DLL
C:\WINDOWS\SYSTEM32\IR8QL5~1.DLL
C:\WINDOWS\SYSTEM32\IRETMIB1.DLL
C:\WINDOWS\SYSTEM32\IWNATHLP.DLL
C:\WINDOWS\SYSTEM32\IYNATHLP.DLL
C:\WINDOWS\SYSTEM32\KQDNO1.DLL
C:\WINDOWS\SYSTEM32\KTR4L7~1.DLL
C:\WINDOWS\SYSTEM32\L0N4LA~1.DLL
C:\WINDOWS\SYSTEM32\P24ULC~1.DLL
C:\WINDOWS\SYSTEM32\PIQSP.DLL
C:\WINDOWS\SYSTEM32\SIBCSP.DLL
C:\WINDOWS\SYSTEM32\SQTUPDLL.DLL
C:\WINDOWS\SYSTEM32\WXDRMNET.DLL
C:\WINDOWS\SYSTEM32\GUARD.TMP
UPX + cryptor (PE) IRETMIB1.DLL ....237137 25.11.2005
UPX + cryptor (PE) J62QLG~1.DLL ....235798 08.10.2005
UPX + cryptor (PE) LMMLMVID.DLL ....234272 08.10.2005
UPX + cryptor (PE) PIQSP.DLL ....237137 24.11.2005
UPX + cryptor (PE) SPKIT432.DLL ....234272 07.10.2005
Access denied ..................... DN6801~1.DLL ....236413 24.11.2005
Access denied ..................... EN6UL1~1.DLL ....234607 23.11.2005
Access denied ..................... ENPOL1~1.DLL ....236923 24.11.2005
Access denied ..................... ENPUL1~1.DLL ....235059 23.11.2005
Access denied ..................... HR2M05~1.DLL ....235677 24.11.2005
Access denied ..................... IR8QL5~1.DLL ....237137 24.11.2005
Access denied ..................... IWNATHLP.DLL ....234272 23.11.2005
Access denied ..................... IYNATHLP.DLL ....234272 23.11.2005
Access denied ..................... KQDNO1.DLL ....237137 25.11.2005
Access denied ..................... KTR4L7~1.DLL ....234272 23.11.2005
Access denied ..................... L0N4LA~1.DLL ....235552 24.11.2005
Access denied ..................... O4PQLE~1.DLL ....234035 25.11.2005
Access denied ..................... P24ULC~1.DLL ....234219 24.11.2005
Access denied ..................... SIBCSP.DLL ....235552 24.11.2005
Access denied ..................... SQTUPDLL.DLL ....234272 23.11.2005
Access denied ..................... WXDRMNET.DLL ....237137 24.11.2005

LonnyRJones
2005-11-25, 04:36
Hi
Thanks for sticking in there

Download the attached text (badfiles.txt) file to the c:\findl2m folder
replacing the one already there.
run batch.bat and fallow the prompt to restart the pc.
once windows has completly loaded
Run cleanup then post back with the logit.txt please

LonnyRJones
2005-11-25, 04:41
add this to that text also please

C:\WINDOWS\SYSTEM32\O4PQLE~1.DLL

Darren
2005-11-25, 04:55
The type of the file system is NTFS.
C: is not dirty.
UPX + cryptor (PE) O4PQLE~1.DLL ....234035 25.11.2005
Access denied ..................... DN6801~1.DLL ....236413 24.11.2005
Access denied ..................... EN6UL1~1.DLL ....234607 23.11.2005
Access denied ..................... ENPOL1~1.DLL ....236923 24.11.2005
Access denied ..................... ENPUL1~1.DLL ....235059 23.11.2005
Access denied ..................... HR2M05~1.DLL ....235677 24.11.2005
Access denied ..................... IR8QL5~1.DLL ....237137 24.11.2005
Access denied ..................... IRETMIB1.DLL ....237137 25.11.2005
Access denied ..................... IWNATHLP.DLL ....234272 23.11.2005
Access denied ..................... IYNATHLP.DLL ....234272 23.11.2005
Access denied ..................... J62QLG~1.DLL ....235798 08.10.2005
Access denied ..................... KQDNO1.DLL ....237137 25.11.2005
Access denied ..................... KTR4L7~1.DLL ....234272 23.11.2005
Access denied ..................... L0N4LA~1.DLL ....235552 24.11.2005
Access denied ..................... LMMLMVID.DLL ....234272 08.10.2005
Access denied ..................... P24ULC~1.DLL ....234219 24.11.2005
Access denied ..................... PIQSP.DLL ....237137 24.11.2005
Access denied ..................... SIBCSP.DLL ....235552 24.11.2005
Access denied ..................... SPKIT432.DLL ....234272 07.10.2005
Access denied ..................... SQTUPDLL.DLL ....234272 23.11.2005
Access denied ..................... WXDRMNET.DLL ....237137 24.11.2005

Darren
2005-11-25, 04:57
add this to that text also please

C:\WINDOWS\SYSTEM32\O4PQLE~1.DLL


I missed this out do you want me to do it again?

Add this line to the attachment you gave, right at the bottom?

Darren
2005-11-25, 05:15
Hi
Thanks for sticking in there

Download the attached text (badfiles.txt) file to the c:\findl2m folder
replacing the one already there.
run batch.bat and fallow the prompt to restart the pc.
once windows has completly loaded
Run cleanup then post back with the logit.txt please


i added the text and then repeated and when i did the clean up i got this

File not found - C:\WINDOWS\system32\hrr6059se.dll
File not found - C:\WINDOWS\system32\LSPCX80N.DLL
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
finished
Press any key to continue . . .

this is the logit.text

Locked files
ECHO is off.
ERROR: The system cannot find the file specified.

processed file: C:\WINDOWS\system32\WXDRMNet.dll
ERROR: The system cannot find the file specified.

processed file: C:\WINDOWS\system32\pIqsp.dll
processed file: C:\WINDOWS\system32\ir8ql5l51.dll
processed file: C:\WINDOWS\system32\en6ul1j91.dll
processed file: C:\WINDOWS\system32\enpol1731.dll
processed file: C:\WINDOWS\system32\enpul1791.dll
processed file: C:\WINDOWS\system32\dn6801jue.dll
processed file: C:\WINDOWS\system32\hr2m05f1e.dll
processed file: C:\WINDOWS\system32\iwnathlp.dll
processed file: C:\WINDOWS\system32\iynathlp.dll
processed file: C:\WINDOWS\system32\ktr4l79q1.dll
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll
processed file: C:\WINDOWS\system32\p24ulch91f4.dll
processed file: C:\WINDOWS\system32\sibcsp.dll
processed file: C:\WINDOWS\system32\sqtupdll.dll
processed file: C:\WINDOWS\system32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\iretmib1.dll
processed file: C:\WINDOWS\SYSTEM32\kqdno1.dll
processed file: C:\WINDOWS\SYSTEM32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\j62qlgf5162.dll
processed file: C:\WINDOWS\SYSTEM32\LMMLMVid.dll
processed file: C:\WINDOWS\SYSTEM32\SPKIT432.DLL
processed file: C:\WINDOWS\SYSTEM32\o4pqle751h.dll


Files moved to C:\FindL2M\!backups
ECHO is off.
processed file: C:\WINDOWS\system32\WXDRMNet.dll
processed file: C:\WINDOWS\system32\pIqsp.dll
processed file: C:\WINDOWS\system32\ir8ql5l51.dll
processed file: C:\WINDOWS\system32\en6ul1j91.dll
processed file: C:\WINDOWS\system32\enpol1731.dll
processed file: C:\WINDOWS\system32\enpul1791.dll
processed file: C:\WINDOWS\system32\dn6801jue.dll
processed file: C:\WINDOWS\system32\hr2m05f1e.dll
processed file: C:\WINDOWS\system32\iwnathlp.dll
processed file: C:\WINDOWS\system32\iynathlp.dll
processed file: C:\WINDOWS\system32\ktr4l79q1.dll
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll
processed file: C:\WINDOWS\system32\p24ulch91f4.dll
processed file: C:\WINDOWS\system32\sibcsp.dll
processed file: C:\WINDOWS\system32\sqtupdll.dll
processed file: C:\WINDOWS\system32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\iretmib1.dll
processed file: C:\WINDOWS\SYSTEM32\kqdno1.dll
processed file: C:\WINDOWS\SYSTEM32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\j62qlgf5162.dll
processed file: C:\WINDOWS\SYSTEM32\LMMLMVid.dll
processed file: C:\WINDOWS\SYSTEM32\SPKIT432.DLL
processed file: C:\WINDOWS\SYSTEM32\o4pqle751h.dll

Darren
2005-11-25, 05:21
Lonny i know it has not been on long enough to be sure but the pop ups have so far stopped, i did a quick surf around my stored sites and still nothing:bigthumb:

If so, now what, should i move to firefox instead of internet explorer, do i need to add anything to keep the malware at bay?

Am i safe to run Skybot now?

LonnyRJones
2005-11-25, 05:39
Hi

Scan with hiajckthis and fix the L2m 020
O20 - Winlogon Notify:
rescan and see if it comes back ?

Replace your hosts file with winhelp2002's
Put in place a good hosts file http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
How did that go ?

Darren
2005-11-25, 05:47
There were two 020 - Winogon and both have now gone

LonnyRJones
2005-11-25, 05:53
Great

Some Cleanup:
save http://skads.org/special/shellfilter.vbs to your desktop and run it post the new text that will be created also on the desktop

also run findl2m again please

Darren
2005-11-25, 05:59
Great

Some Cleanup:
save http://skads.org/special/shellfilter.vbs to your desktop and run it post the new text that will be created also on the desktop

also run findl2m again please

Lonny Noton Anti virus comes up saying a malicious script detected
Object FileSystem Object

Shall i still allow it, why did it come up?

LonnyRJones
2005-11-25, 06:06
Yes allow it please, its safe.

Darren
2005-11-25, 06:08
Shell Extensions-Approved SUSPECT list
------------------------------------

HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{7106CF04-42F8-4314-81C4-2EE07F61962D}=""
CLSID Points to -> C:\WINDOWS\system32\kqdno1.dll

----------------------------------------

HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}=""
CLSID Points to -> C:\WINDOWS\system32\LSPCX80N.DLL

----------------------------------------

Darren
2005-11-25, 06:10
The FindL2M report

The type of the file system is NTFS.
C: is not dirty.
C:\WINDOWS\SYSTEM32\GUARD.TMP

LonnyRJones
2005-11-25, 06:40
Hi

Can you delete guard.tmp ?

Launch Notepad (not wordpad), and copy and paste the Bolded below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{7106CF04-42F8-4314-81C4-2EE07F61962D}=-
{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Run SpyBot check for and fix any problems found then update and run your antivirus program

Darren
2005-11-25, 06:53
done the first bit, then onto spybot which found nothing, now onto the antivirus which will take some time.

Lonny you are a star, i can not express my gratitude enough, thanks for sticking with me and i apologise if i made mistakes and was a little slow on the uptake, we got there though.

I don't know what more to say, it seems a hollow response after all the help you have given.

Darren
2005-11-25, 06:56
The type of the file system is NTFS.
C: is not dirty.
C:\WINDOWS\SYSTEM32\GUARD.TMP

You said can i delete this? How? Do you mean go into the c drive find it and remove?

If so the answer is no i can not, it reappears

LonnyRJones
2005-11-25, 09:01
Thats odd
edit badfiles.txt to only include
C:\WINDOWS\SYSTEM32\GUARD.TMP
then run cleanup.bat, it should proccess and move it to the backups folder

Can we see on final hijackthis log please

Darren
2005-11-25, 09:54
Logfile of HijackThis v1.99.1
Scan saved at 6:53:37 PM, on 25/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darren Clarke\My Documents\Copy of HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A66DD76-283E-4CE9-A795-F473D8C6AC50}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

Darren
2005-11-25, 09:55
Thats odd
edit badfiles.txt to only include
C:\WINDOWS\SYSTEM32\GUARD.TMP
then run cleanup.bat, it should proccess and move it to the backups folder

Can we see on final hijackthis log please


did as you said and it will not disappear

LonnyRJones
2005-11-25, 10:35
Hi

Check the files name , open a folder and navigate to the system 32 folder
GUARD.TMP or gaurd.tmp ?
you ran cleanup.bat not batch bat correct ?
delete logit,txt and run cleanup.bat again, post the logit txt please
Im not to concerned about it though

I suggest you turn off nortons script blocking in its options then uninstall nortons antivirus program since you use avg

Are there any current problems ?

Darren
2005-11-26, 00:13
Yes i used the clean up

Files moved to C:\FindL2M\!backups
ECHO is off.
processed file: C:\WINDOWS\SYSTEM32\guard.tmp

Everything seems fine, no spyware on Spybot, one virus in vault, no pop ups

Is there much difference between internet explorer and firefox?

LonnyRJones
2005-11-26, 00:31
Firefox is a great idea. less likely to get hijacked, But do keep Internet explorer up to date, windows to for that matter

If everything is ok after a week or so delete the l2mfix and findl2m folders
and delete/purge the old system restore points.

Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Dont skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Regards

Darren
2005-11-26, 00:41
nice one Lonny, thanks for your help again

tashi
2005-12-01, 00:51
As the malware problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me. Glad we could help. :)