surfsidekicks and other stuff on my comp, need help

**illukka** · 2006-03-21, 06:52

hi

huh there is still loads of nasties :(

lets try this utility in safe mode

download doctor webs cureit utility from here:

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

once saved right click it to extract it to its own folder

then reboot to safe mode

open the folder where you extracted cureit and doubleclick on drweb32w.exe
once its initial startup scan is over, click file> scan path. browse to your c:\ drive and click OK

the scan will launch
allow it to clean all infections
the report will be at your documents and settings\your userprofile\localsettings\drweb folder. id like to see its contents if possible
after scan is finished and all viruses are cleaned reboot back to normal mode, post the cureit report and a fresh hjt log

also i need these other logs:

1.) Download Blacklight Beta from here:

http://www.f-secure.com/blacklight/try.shtml

Accept agreement which takes you to download page.
Save the file to your desktop.
Close all browser windows and any open programs/folders.
Double click blbeta.exe
Wait a few seconds.....
Check the "I agree"
Click "scan"
Wait for scan to finish
Once done; hit "next" then "close"
Do not use this app to rename files! Sometimes there are legit hidden items.

Post results of log file on desktop called fsbl***.txt (*** is numbers)

2.) Download WinPFind from here:

http://www.bleepingcomputer.com/file...r/WinPFind.zip

Save file and unzip it to C:\

Restart to SAFE mode
Log into your account.

Open c:\WinPFind folder and double click WinPFind.exe
click "configure scan options"
Under "Run ad-ons" checkmark:

"Qoologic.def"

Hit "Apply"

Click "start scan"

This will take a while so please be patient.
It may appear to hang at times cus it is scanning several folders. As long as the hdd light is still flashing....app is working OK.

Once done (it will tell you) a log is created in WinPFind folder called WinPFind.txt

Boot back up to normal windows and post result of log.

Thanks

3.) Prepare for next step:

Download Pocket Killbox from here:

http://www.bleepingcomputer.com/file...re/KillBox.zip

Unzip it to a convenient location.

Don't do anything with it yet. I'll let you what next when you post logs.

good luck

**sunikun** · 2006-03-23, 00:10

I couldn' get the black light beta to work. Whenever i click on it it says it was unable to acquire the necessary priviliges (debugpriviliges) anyway, i have the HJT log and the log from cureit. I'll get the other log and post it as well

**sunikun** · 2006-03-23, 00:13

Logfile of HijackThis v1.99.1
Scan saved at 6:11:05 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EQAdvice\EQAdvice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\foxdu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pkfhfnm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\en2sl1f71.dll (file missing)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\l48mlel11hq.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dsmap.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe (file missing)

**sunikun** · 2006-03-23, 01:09

i can't fit the drweb log file on here. Its too large.

**sunikun** · 2006-03-23, 06:15

i attached the WinPFind log

**illukka** · 2006-03-23, 10:59

hi

for the drweb log could you upload it to here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0
put logfile for illukka as the threads title, then attach the log to your reply
also include a link to this thread into your message. thx in advance

for the blacklight error we first need ot get rid of look2me which has taken away some of your admin privileges:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

to prepare for the fix check these things:

click start > run > type services.msc and hit enter
locate service called seclogon , or secondary logon service
doubleclick it, and make sure its startup type is set to automatic
exit services.msc

also before attempting the fix be sure to disable all security programs

and finally tell me if your version of windows is not an english language version

**sunikun** · 2006-03-24, 03:54

I believe my windows language is an English language version

**sunikun** · 2006-03-24, 03:59

can i run option 2 yet or am i supposed to wait?

**illukka** · 2006-03-24, 08:50

hi

i assume that your seclogon is now running automatically, the fix will fail if not
also disable your security programs and disconnect the network cables

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

**sunikun** · 2006-03-25, 02:22

Logfile of HijackThis v1.99.1
Scan saved at 8:21:10 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\foxdu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pkfhfnm.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinrrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\en2sl1f71.dll (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\r8p8li7u18.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dsmap.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe (file missing)

==============================================================================================

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 580 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'
Killing PID 656 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
Deleting: C:\WINDOWS\system32\ir6ol5j31.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ol5j31.dll
Deleting: C:\WINDOWS\system32\kmdmon.dll
Successfully Deleted: C:\WINDOWS\system32\kmdmon.dll
Deleting: C:\WINDOWS\system32\lv2209foe.dll
Successfully Deleted: C:\WINDOWS\system32\lv2209foe.dll
Deleting: C:\WINDOWS\system32\lvr4099qe.dll
Successfully Deleted: C:\WINDOWS\system32\lvr4099qe.dll
Deleting: C:\WINDOWS\system32\lvr6099se.dll
Successfully Deleted: C:\WINDOWS\system32\lvr6099se.dll
Deleting: C:\WINDOWS\system32\qdartz.dll
Successfully Deleted: C:\WINDOWS\system32\qdartz.dll
Deleting: C:\WINDOWS\system32\r8p8li7u18.dll
Successfully Deleted: C:\WINDOWS\system32\r8p8li7u18.dll

msg11?.dll
0 file(s) copied.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2sl1f71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r8p8li7u18.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dsmap.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ir6ol5j31.dll
C:\WINDOWS\system32\kmdmon.dll
C:\WINDOWS\system32\lv2209foe.dll
C:\WINDOWS\system32\lvr4099qe.dll
C:\WINDOWS\system32\lvr6099se.dll
C:\WINDOWS\system32\qdartz.dll
C:\WINDOWS\system32\r8p8li7u18.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}\InprocServer32]
@="C:\\WINDOWS\\system32\\dbsrslvr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}\InprocServer32]
@="C:\\WINDOWS\\system32\\qdartz.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}\InprocServer32]
@="C:\\WINDOWS\\system32\\pcofmap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbssvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}\InprocServer32]
@="C:\\WINDOWS\\system32\\dsmap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}\InprocServer32]
@="C:\\WINDOWS\\system32\\kmdmon.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}"=-
"{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}"=-
"{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}"=-
"{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}"=-
"{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}"=-
"{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}"=-
"{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{12693F16-C4C6-4519-BBD3-2A7C7D5BB183}]
[-HKEY_CLASSES_ROOT\CLSID\{B6C5A021-23C3-47C6-96D3-5D46B6B394B2}]
[-HKEY_CLASSES_ROOT\CLSID\{93C56005-9E81-45D6-B2D2-BE6E0AF85EAB}]
[-HKEY_CLASSES_ROOT\CLSID\{7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3}]
[-HKEY_CLASSES_ROOT\CLSID\{AE4F7461-560E-4AAD-89F1-B9003A3A07BB}]
[-HKEY_CLASSES_ROOT\CLSID\{A0123F70-A3E3-4D62-9A04-24E12F04C8DC}]
[-HKEY_CLASSES_ROOT\CLSID\{7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/12693F16-C4C6-4519-BBD3-2A7C7D5BB183.reg (212 bytes security) (deflated 69%)
adding: backregs/7F2D7C19-DF8B-432B-8F1F-7FF4F740DEA3.reg (212 bytes security) (deflated 69%)
adding: backregs/7F8FDDC2-E94F-4E58-A8A9-7F85C5C07F8F.reg (212 bytes security) (deflated 71%)
adding: backregs/93C56005-9E81-45D6-B2D2-BE6E0AF85EAB.reg (212 bytes security) (deflated 70%)
adding: backregs/A0123F70-A3E3-4D62-9A04-24E12F04C8DC.reg (212 bytes security) (deflated 69%)
adding: backregs/AE4F7461-560E-4AAD-89F1-B9003A3A07BB.reg (212 bytes security) (deflated 69%)
adding: backregs/B6C5A021-23C3-47C6-96D3-5D46B6B394B2.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 88%)

Thread: surfsidekicks and other stuff on my comp, need help

Thread Tools

Display

Posting Permissions