tumbledry

Removing Computer Infections: Look2Me adware & Qoologic trojan | A tumbledry guide to protecting yourself from Internet Explorer

Now Mykala said that I was posting this simply to say “look at me, I fixed her computer lalala I am amazing …” However, I am not posting the following log of an actual conversation of an OnStar … shoot wait no it’s not one of those weird commercials … this is a real world example of the badness and goodness of the internet. You see, Mykala’s computer was rather thoroughly infected by some guitar tabbing sites visited through internet explorer. I record the following technical details to help anyone facing a similar situation. First, if you use Internet Explorer, you have to understand that it is so useful for online banking and Outlook Express (what St. Thomas uses) because it is tightly integrated to a core operating system technology called ActiveX (an oversimplification, true). ActiveX, when exploited, gives hackers the ability to install programs on your computer without your consent or knownledge. Answer number (3) on this website will help you safeguard internet explorer from running thing it should not.

3) Go to Internet Options/Security/Internet, press ‘default level’, then OK.

Now press “Custom Level.”

In the ActiveX section, set the first two options (“Download signed and unsigned ActiveX controls) to ‘prompt’, and ‘Initialize and Script ActiveX controls not marked as safe” to ‘disable’.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So why is activex so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It’s no different from doubleclicking an exe file on your hard drive.

Two other blocking solutions iinclude editing your HOSTS file to block content from evil sites (very limited in effectiveness, but blocks many ads), and adding a bunch of sites to your restricted sites list (again a limited bandaid approach, but I would certainly recommend it).

The evil part of the internet is apparent, then. Spyware, adware, and trojans install themselves on our machines without our knowledge. However, unbelievable sites like cybertechhelp.com provide free, nearly instantaneous, personal service. I posted a message asking for help on Mykala’s computer’s infections, and received a reply from a moderator within 5 minutes. The moderator then walked me through the removal process of these really really nasty things (anyone could do it, to reiterate from above, I post this not to brag but to share information about these helpful resources).

ajmicek March 14th, 2005 02:43 AM
VX2 problems, help with L2MFIX

Alright. Usually I have been able to fix this malware/spyware/adware stuff on my own, but these urllogic popups seem to be very persistent, and the removal tools I have tried so far have not quite been successful. I ran hijackthis, and saw these entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

which seem to indicate the presence of VX2, as I have read elsewhere. SO, I ran L2MFIX, option 1, and then 2, but the “cleanup.reg” file that is suppose to appear in the l2mfix folder never appeared. Frankly, I am feeling a little swamped here, and would appreciate any guidance that you all could offer. Here is the hijack this logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:56 PM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\yguuyr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mykala Lind\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_…ount_id=1002245
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_…ount_id=1002245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stthomas.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_…ount_id=1002245
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stthomas.edu/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM..\Run: [DeadAIM] rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Post-it ® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra ‘Tools’ menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.stthomas.edu
O15 - Trusted Zone: *.wellsfargo.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/Bridge-c135.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\jtp6077se.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Help please. I’ve got GMail invites to give out for anyone who helps get this stuff off the computer, but those are pretty worthless now anyhow. Thanks.

AnnMarie March 14th, 2005 02:46 AM
Welcome to CTH ajmicek. I would like to see another log before we start cleaning up your PC please. Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Transferring to the Cyber Safety Forum.

ajmicek March 14th, 2005 02:52 AM
Hello. Thanks for the lightning fast reply and moving this to a more appropriate forum (I missed this one on first look). I did not use the -all parameter, here is the log:

“Silent Runners.vbs”, revision 32, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
AIM” = “C:\Program Files\AIM\aim.exe -cnetwait.odl” [“America Online, Inc.”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
“ccApp” = “”C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”
URLLSTCK.exe” = “C:\Program Files\Norton Internet Security\UrlLstCk.exe” [“Symantec Corporation”
“DeadAIM” = “rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs” [MS]
“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe” [“Symantec Corporation”
“QuickTime Task” = “”C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”
“Narrator” = “C:\WINDOWS\system32\yguuyr.exe” [null data]
“TkBellExe” = “”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”
“iTunesHelper” = “C:\Program Files\iTunes\iTunesHelper.exe” [“Apple Computer, Inc.”

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension”
-] {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”
“{DEE12703-6333-4D4E-8F34-738C4DCC2E04}” = “RecordNow! SendToExt”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data]
“{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Universal Plug and Play Devices”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]
“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”
“{d0e04dfd-9185-49bd-b3a8-cdefa63f810a}” = “Philips RUSH Audio Player (128 MB)Shell Hook”
-] {CLSID}\InProcServer32(Default) = “PHIL16Ah.dll” [“Copyright (c) 2003, Koninklijke Philips”
“{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}” = (no title provided)
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\guard.tmp” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”
INFECTION WARNING! Setup\DLLName = “C:\WINDOWS\system32\jtp6077se.dll” [null data]

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
SCRNSAVE.EXE” = “C:\WINDOWS\System32\ssmarque.scr” [MS]

Startup items in “Mykala Lind” & “All Users” startup folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
“Post-it ® Software Notes Lite” -] shortcut to: “C:\Program Files\3M\PSNLite\PsnLite.exe -RegRun” [“3M”

Enabled Scheduled Tasks:

“Norton AntiVirus - Scan my computer - Administrator” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”
“Norton AntiVirus - Scan my computer - Mykala Lind” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”
“Norton AntiVirus - Scan my computer” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”

Running Services (Display Name, Service Name, Path {Service DLL}):

iPod Service, iPodService, “”C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Computer, Inc.”
IPv6 Helper Service, 6to4, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\6to4svc.dll” [MS]}
LexBce Server, LexBceS, “C:\WINDOWS\system32\LEXBCES.EXE” [“Lexmark International, Inc.”
Norton AntiVirus Auto Protect Service, navapsvc, “”C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”
RIP Listener, Iprip, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\iprip.dll” [MS]}
Simple TCP/IP Services, SimpTcp, “C:\WINDOWS\System32\tcpsvcs.exe” [MS]
Symantec Event Manager, ccEvtMgr, “”C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”
Symantec Network Drivers Service, SNDSrvc, “”C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”
Symantec Network Proxy, ccProxy, “”C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”
Symantec Settings Manager, ccSetMgr, “”C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”
SymWMI Service, SymWSC, “”C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe”” [“Symantec Corporation”
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000004\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]
000000000005\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

This report excludes default entries except where indicated.
To see everywhere the script checks and everything it finds,
launch it from a command prompt or a shortcut with the -all parameter.

AnnMarie March 14th, 2005 03:20 AM
Ok, we are looking at two different infections. Look2Me and the Qoologic trojan. We will get rid of Look2Me first. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

ajmicek March 14th, 2005 03:24 AM
L2MFIX find log 1.02b
These are the registry keys present

Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00, 2e,00,64,00,6c,00,\
6c,00,00,00
“Logoff”=”ChainWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00, 74,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Logoff”=”CryptnetWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
“DLLName”=”cscdll.dll”
“Logon”=”WinlogonLogonEvent”
“Logoff”=”WinlogonLogoffEvent”
“ScreenSaver”=”WinlogonScreenSaverEvent”
“Startup”=”WinlogonStartupEvent”
“Shutdown”=”WinlogonShutdownEvent”
“StartShell”=”WinlogonStartShellEvent”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=”“
“DLLName”=”igfxsrvc.dll”
“Asynchronous”=dword:00000001
“Impersonate”=dword:00000001
“Unlock”=”WinlogonUnlockEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
“DLLName”=”wlnotify.dll”
“Logon”=”SCardStartCertProp”
“Logoff”=”SCardStopCertProp”
“Lock”=”SCardSuspendCertProp”
“Unlock”=”SCardResumeCertProp”
“Enabled”=dword:00000001
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
“Asynchronous”=dword:00000000
“DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Impersonate”=dword:00000000
“StartShell”=”SchedStartShell”
“Logoff”=”SchedEventLogOff”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
“Logoff”=”WLEventLogoff”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001
“DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
“DLLName”=”WlNotify.dll”
“Lock”=”SensLockEvent”
“Logon”=”SensLogonEvent”
“Logoff”=”SensLogoffEvent”
“Safe”=dword:00000001
“MaxWait”=dword:00000258
“StartScreenSaver”=”SensStartScreenSaverEvent”
“StopScreenSaver”=”SensStopScreenSaverEvent”
“Startup”=”SensStartupEvent”
“Shutdown”=”SensShutdownEvent”
“StartShell”=”SensStartShellEvent”
“PostShell”=”SensPostShellEvent”
“Disconnect”=”SensDisconnectEvent”
“Reconnect”=”SensReconnectEvent”
“Unlock”=”SensUnlockEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
“Asynchronous”=dword:00000000
“DllName”=”C:\WINDOWS\system32\jtp6077se.dll”
“Impersonate”=dword:00000000
“Logon”=”WinLogon”
“Logoff”=”WinLogoff”
“Shutdown”=”WinShutdown”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
“Asynchronous”=dword:00000000
“DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Impersonate”=dword:00000000
“Logoff”=”TSEventLogoff”
“Logon”=”TSEventLogon”
“PostShell”=”TSEventPostShell”
“Shutdown”=”TSEventShutdown”
“StartShell”=”TSEventStartShell”
“Startup”=”TSEventStartup”
“MaxWait”=dword:00000258
“Reconnect”=”TSEventReconnect”
“Disconnect”=”TSEventDisconnect”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
“DLLName”=”wlnotify.dll”
“Logon”=”RegisterTicketExpiredNotificationEvent”
“Logoff”=”UnregisterTicketExpiredNotificationEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
“{F0260AC3-46A4-4D19-95CA-3F88D413DB2D}”=”“

Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
“{00022613-0000-0000-C000-000000000046}”=”Multimedia File Property Sheet”
“{176d6597-26d3-11d1-b350-080036a75b03}”=”ICM Scanner Management”
“{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=”NTFS Security Page”
“{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=”OLE Docfile Property Page”
“{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=”Shell extensions for sharing”
“{41E300E0-78B6-11ce-849B-444553540000}”=”PlusPack CPL Extension”
“{42071712-76d4-11d1-8b24-00a0c9068ff3}”=”Display Adapter CPL Extension”
“{42071713-76d4-11d1-8b24-00a0c9068ff3}”=”Display Monitor CPL Extension”
“{42071714-76d4-11d1-8b24-00a0c9068ff3}”=”Display Panning CPL Extension”
“{4E40F770-369C-11d0-8922-00A024AB2DBB}”=”DS Security Page”
“{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}”=”Compatibility Page”
“{56117100-C0CD-101B-81E2-00AA004AE837}”=”Shell Scrap DataHandler”
“{59099400-57FF-11CE-BD94-0020AF85B590}”=”Disk Copy Extension”
“{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=”Shell extensions for Microsoft Windows Network objects”
“{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=”ICM Monitor Management”
“{675F097E-4C4D-11D0-B6C1-0800091AA605}”=”ICM Printer Management”
“{764BF0E1-F219-11ce-972D-00AA00A14F56}”=”Shell extensions for file compression”
“{77597368-7b15-11d0-a0c2-080036af3f03}”=”Web Printer Shell Extension”
“{7988B573-EC89-11cf-9C00-00AA00A14F56}”=”Disk Quota UI
“{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=”Encryption Context Menu”
“{85BBD920-42A0-1069-A2E4-08002B30309D}”=”Briefcase”
“{88895560-9AA2-1069-930E-00AA0030EBC8}”=”HyperTerminal Icon Ext”
“{BD84B380-8CA2-1069-AB1D-08000948F534}”=”Fonts”
“{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=”ICC Profile”
“{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=”Printers Security Page”
“{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=”Shell extensions for sharing”
“{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=”Display TroubleShoot CPL Extension”
“{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=”Crypto PKO Extension”
“{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=”Crypto Sign Extension”
“{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=”Network Connections”
“{992CFFA0-F557-101A-88EC-00DD010CCC48}”=”Network Connections”
“{E211B736-43FD-11D1-9EFB-0000F8757FCD}”=”Scanners & Cameras”
“{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}”=”Scanners & Cameras”
“{905667aa-acd6-11d2-8080-00805f6596d2}”=”Scanners & Cameras”
“{3F953603-1008-4f6e-A73A-04AAC7A992F1}”=”Scanners & Cameras”
“{83bbcbf3-b28a-4919-a5aa-73027445d672}”=”Scanners & Cameras”
“{F0152790-D56E-4445-850E-4F3117DB740C}”=”Remote Sessions CPL Extension”
“{5F327514-6C5E-4d60-8F16-D07FA08A78ED}”=”Auto Update Property Sheet Extension”
“{60254CA5-953B-11CF-8C96-00AA00B8708C}”=”Shell extensions for Windows Script Host”
“{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=”Microsoft Data Link”
“{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=”Tasks Folder Icon Handler”
“{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=”Tasks Folder Shell Extension”
“{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=”Scheduled Tasks”
“{0DF44EAA-FF21-4412-828E-260A8728E7F1}”=”Taskbar and Start Menu”
“{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}”=”Search”
“{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}”=”Help and Support”
“{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}”=”Help and Support”
“{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}”=”Run…”
“{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}”=”Internet”
“{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}”=”E-mail”
“{D20EA4E1-3957-11d2-A40B-0C5020524152}”=”Fonts”
“{D20EA4E1-3957-11d2-A40B-0C5020524153}”=”Administrative Tools”
“{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}”=”Audio Media Properties Handler”
“{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}”=”Video Media Properties Handler”
“{E4B29F9D-D390-480b-92FD-7DDB47101D71}”=”Wav Properties Handler”
“{87D62D94-71B3-4b9a-9489-5FE6850DC73E}”=”Avi Properties Handler”
“{A6FD9E45-6E44-43f9-8644-08598F5A74D9}”=”Midi Properties Handler”
“{c5a40261-cd64-4ccf-84cb-c394da41d590}”=”Video Thumbnail Extractor”
“{5E6AB780-7743-11CF-A12B-00AA004AE837}”=”Microsoft Internet Toolbar”
“{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=”Download Status”
“{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=”Augmented Shell Folder”
“{6413BA2C-B461-11d1-A18A-080036B11A03}”=”Augmented Shell Folder 2”
“{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=”BandProxy”
“{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=”Microsoft BrowserBand”
“{30D02401-6A81-11d0-8274-00C04FD5AE38}”=”Search Band”
“{32683183-48a0-441b-a342-7c2a440a9478}”=”Media Band”
“{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=”In-pane search”
“{07798131-AF23-11d1-9111-00A0C98BA67D}”=”Web Search”
“{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=”Registry Tree Options Utility”
“{01E04581-4EEE-11d0-BFE9-00AA005B4383}”=”&Address”
“{A08C11D2-A228-11d0-825B-00AA005B4383}”=”Address EditBox”
“{00BB2763-6A77-11D0-A535-00C04FD7D062}”=”Microsoft AutoComplete”
“{7376D660-C583-11d0-A3A5-00C04FD706EC}”=”TridentImageExtractor”
“{6756A641-DE71-11d0-831B-00AA005B4383}”=”MRU AutoComplete List”
“{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=”Custom MRU AutoCompleted List”
“{7e653215-fa25-46bd-a339-34a2790f3cb7}”=”Accessible”
“{acf35015-526e-4230-9596-becbe19f0ac9}”=”Track Popup Bar”
“{E0E11A09-5CB8-4B6C-8332-E00720A168F2}”=”Address Bar Parser”
“{00BB2764-6A77-11D0-A535-00C04FD7D062}”=”Microsoft History AutoComplete List”
“{03C036F1-A186-11D0-824A-00AA005B4383}”=”Microsoft Shell Folder AutoComplete List”
“{00BB2765-6A77-11D0-A535-00C04FD7D062}”=”Microsoft Multiple AutoComplete List Container”
“{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=”Shell Band Site Menu”
“{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=”Shell DeskBarApp”
“{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=”Shell DeskBar”
“{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=”Shell Rebar BandSite”
“{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=”User Assist”
“{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=”Global Folder Settings”
“{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=”Favorites Band”
“{0A89A860-D7B1-11CE-8350-444553540000}”=”Shell Automation Inproc Service”
“{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=”Shell DocObject Viewer”
“{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=”Microsoft Browser Architecture”
“{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=”InternetShortcut”
“{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=”Microsoft Url History Service”
“{FF393560-C2A7-11CF-BFF4-444553540000}”=”History”
“{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=”Temporary Internet Files”
“{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=”Temporary Internet Files”
“{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=”Microsoft Url Search Hook”
“{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=”IE4 Suite Splash Screen”
“{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=”CDF Extension Copy Hook”
“{131A6951-7F78-11D0-A979-00C04FD705A2}”=”ISFBand OC
“{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=”Search Assistant OC
“{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=”The Internet”
“{871C5380-42A0-1069-A2EA-08002B30309D}”=”Internet Name Space”
“{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=”Explorer Band”
“{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=”Sendmail service”
“{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=”Sendmail service”
“{88C6C381-2E85-11D0-94DE-444553540000}”=”ActiveX Cache Folder”
“{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=”WebCheck”
“{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=”Subscription Mgr”
“{F5175861-2688-11d0-9C5E-00AA00A45957}”=”Subscription Folder”
“{08165EA0-E946-11CF-9C87-00AA005127ED}”=”WebCheckWebCrawler”
“{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=”WebCheckChannelAgent”
“{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=”TrayAgent”
“{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=”Code Download Agent”
“{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=”ConnectionAgent”
“{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=”PostAgent”
“{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=”WebCheck SyncMgr Handler”
“{352EC2B7-8B9A-11D1-B8AE-006008059382}”=”Shell Application Manager”
“{0B124F8F-91F0-11D1-B8B5-006008059382}”=”Installed Apps Enumerator”
“{CFCCC7A0-A282-11D1-9082-006008059382}”=”Darwin App Publisher”
“{e84fda7c-1d6a-45f6-b725-cb260c236066}”=”Shell Image Verbs”
“{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}”=”Shell Image Data Factory”
“{3F30C968-480A-4C6C-862D-EFC0897BB84B}”=”GDI+ file thumbnail extractor”
“{9DBD2C50-62AD-11d0-B806-00C04FD706EC}”=”Summary Info Thumbnail handler (DOCFILES)”
“{EAB841A0-9550-11cf-8C16-00805F1408F3}”=”HTML Thumbnail Extractor”
“{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}”=”Shell Image Property Handler”
“{CC6EEFFB-43F6-46c5-9619-51D571967F7D}”=”Web Publishing Wizard”
“{add36aa8-751a-4579-a266-d66f5202ccbb}”=”Print Ordering via the Web”
“{6b33163c-76a5-4b6c-bf21-45de9cd503a1}”=”Shell Publishing Wizard Object”
“{58f1f272-9240-4f51-b6d4-fd63d1618591}”=”Get a Passport Wizard”
“{7A9D77BD-5403-11d2-8785-2E0420524153}”=”User Accounts”
“{BD472F60-27FA-11cf-B8B4-444553540000}”=”Compressed (zipped) Folder Right Drag Handler”
“{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}”=”Compressed (zipped) Folder SendTo Target”
“{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=”Channel File”
“{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=”Channel Shortcut”
“{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=”Channel Handler Object”
“{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=”Channel Menu”
“{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=”Channel Properties”
“{63da6ec0-2e98-11cf-8d82-444553540000}”=”FTP Folders Webview”
“{883373C3-BF89-11D1-BE35-080036B11A03}”=”Microsoft DocProp Shell Ext”
“{A9CF0EAE-901A-4739-A481-E35B73E47F6D}”=”Microsoft DocProp Inplace Edit Box Control”
“{8EE97210-FD1F-4B19-91DA-67914005F020}”=”Microsoft DocProp Inplace ML Edit Box Control”
“{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}”=”Microsoft DocProp Inplace Droplist Combo Control”
“{6A205B57-2567-4A2C-B881-F787FAB579A3}”=”Microsoft DocProp Inplace Calendar Control”
“{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}”=”Microsoft DocProp Inplace Time Control”
“{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=”Directory Query UI
“{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=”Shell properties for a DS object”
“{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=”Directory Object Find”
“{F020E586-5264-11d1-A532-0000F8757D7E}”=”Directory Start/Search Find”
“{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=”Directory Property UI
“{62AE1F9A-126A-11D0-A14B-0800361B1103}”=”Directory Context Menu Verbs”
“{ECF03A33-103D-11d2-854D-006008059367}”=”MyDocs Copy Hook”
“{ECF03A32-103D-11d2-854D-006008059367}”=”MyDocs Drop Target”
“{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=”MyDocs Properties”
“{750fdf0e-2a26-11d1-a3ea-080036587f03}”=”Offline Files Menu”
“{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=”Offline Files Folder Options”
“{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=”Offline Files Folder”
“{143A62C8-C33B-11D1-84FE-00C04FA34A14}”=”Microsoft Agent Character Property Sheet Handler”
“{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}”=”DfsShell”
“{60fd46de-f830-4894-a628-6fa81bc0190d}”=”%DESC_PublishDropTarget%”
“{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=”MMC Icon Handler”
“{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=”.CAB file viewer”
“{32714800-2E5F-11d0-8B85-00AA0044F941}”=”For &People…”
“{8DD448E6-C188-4aed-AF92-44956194EB1F}”=”Windows Media Player Play as Playlist Context Menu Handler”
“{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}”=”Windows Media Player Burn Audio CD Context Menu Handler”
“{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}”=”Windows Media Player Add to Playlist Context Menu Handler”
“{1D2680C9-0E2A-469d-B787-065558BC7D43}”=”Fusion Cache”
“{DEE12703-6333-4D4E-8F34-738C4DCC2E04}”=”RecordNow! SendToExt”
“{5CA3D70E-1895-11CF-8E15-001234567890}”=”DriveLetterAccess”
“{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}”=”Set Program Access and Defaults”
“{596AB062-B4D2-4215-9F74-E9109B0A8153}”=”Previous Versions Property Page”
“{9DB7A13C-F208-4981-8353-73CC61AE2783}”=”Previous Versions”
“{692F0339-CBAA-47e6-B5B5-3B84DB604E87}”=”Extensions Manager Folder”
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}”=”Shell Extensions for RealOne Player”
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}”=”Universal Plug and Play Devices”
“{640167b4-59b0-47a6-b335-a6b3c0695aea}”=”Portable Media Devices”
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}”=”Portable Media Devices Menu”
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}”=”iTunes”
“{d0e04dfd-9185-49bd-b3a8-cdefa63f810a}”=”Philips RUSH Audio Player (128 MB)Shell Hook”
“{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}”=”“

HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}]
@=”“

[HKEY_CLASSES_ROOT\CLSID{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}\Implemented Categories]
@=”“

[HKEY_CLASSES_ROOT\CLSID{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}\Implemented Categories{00021492-0000-0000-C000-000000000046}]
@=”“

[HKEY_CLASSES_ROOT\CLSID{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}\InprocServer32]
@=”C:\WINDOWS\system32\guard.tmp”
“ThreadingModel”=”Apartment”

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu Jan 27 2005 11:13:16a A…. 1,016,832 993.00 K
capicom.dll Tue Dec 14 2004 12:24:42p A…. 466,944 456.00 K
cdfview.dll Thu Jan 27 2005 11:13:16a A…. 151,040 147.50 K
gquugo.dll Sat Mar 5 2005 4:59:54p A…. 5,632 5.50 K
iepeers.dll Thu Jan 27 2005 11:13:16a A…. 249,856 244.00 K
inseng.dll Thu Jan 27 2005 11:13:16a A…. 96,256 94.00 K
jtp607~1.dll Fri Mar 11 2005 4:39:04p ..S.R 229,069 223.70 K
kedne.dll Sun Mar 13 2005 6:24:06p ..S.R 232,736 227.28 K
mshtml.dll Thu Jan 27 2005 11:13:18a A…. 3,006,976 2.87 M
ole32.dll Fri Jan 14 2005 2:55:50a A…. 1,285,120 1.22 M
olecli32.dll Fri Jan 14 2005 2:55:50a A…. 74,752 73.00 K
olecnv32.dll Fri Jan 14 2005 2:55:50a A…. 37,888 37.00 K
qh4mkbv9.dll Thu Jan 27 2005 11:33:28a A…. 73,728 72.00 K
r68s0g~1.dll Sun Mar 13 2005 7:16:20p ..S.R 229,855 224.46 K
rpcss.dll Fri Jan 14 2005 2:55:50a A…. 395,776 386.50 K
s32evnt1.dll Mon Dec 20 2004 6:58:18p A…. 83,664 81.70 K
shdocvw.dll Thu Jan 27 2005 11:13:18a A…. 1,483,264 1.41 M
shell32.dll Tue Dec 21 2004 2:49:36p A…. 8,450,048 8.06 M
shlwapi.dll Thu Jan 27 2005 11:13:18a A…. 473,600 462.50 K
symneti.dll Fri Jan 21 2005 10:31:54p A…. 513,752 501.71 K
symredir.dll Fri Jan 21 2005 10:31:52p A…. 141,016 137.71 K
urlmon.dll Thu Jan 27 2005 11:13:18a A…. 607,744 593.50 K
wininet.dll Thu Jan 27 2005 11:13:18a A…. 656,896 641.50 K
znppzb.dll Sat Mar 5 2005 4:59:50p A…. 24,576 24.00 K

24 items found: 24 files (3 H/S), 0 directories.
Total of file sizes: 19,987,020 bytes 19.06 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun Mar 13 2005 7:17:20p A…. 229,069 223.70 K

1 item found: 1 file, 0 directories.
Total of file sizes: 229,069 bytes 223.70 K

Directory Listing of system files:
Volume in drive C is Mykala Drive
Volume Serial Number is A0F2-8DA5

Directory of C:\WINDOWS\System32

03/13/2005 07:16 PM 229,855 r68s0gl7e6q.dll
03/13/2005 06:24 PM 232,736 KEDNE.DLL
03/11/2005 04:39 PM 229,069 jtp6077se.dll
12/08/2004 02:40 AM 848 KGyGaAvL.sys
11/22/2004 12:53 PM [DIR] DLLCACHE
08/23/2004 11:26 AM [DIR] Microsoft
4 File(s) 692,508 bytes
2 Dir(s) 62,584,819,712 bytes free

AnnMarie March 14th, 2005 03:39 AM
Ok, close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it’s finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Next go here and download the standalone verson of CWShredder but do not run it yet.

Boot into Safe Mode, run CWShredder and click the fix button. Allow it to fix all that it finds.

Still in Safe Mode, run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_…ount_id=1002245

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_…ount_id=1002245

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_…ount_id=1002245

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM..\RunServices: [LSASS Authority] lshosts32.exe

O15 - Trusted Zone: http://mail.stthomas.edu (do not fix this if you placed it in your trusted zone)
O15 - Trusted Zone: *.wellsfargo.com (do not fix this if you placed it in your trusted zone)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C…Bridge-c135.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares…ysb_1002245.cab

O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw…006_regular.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\jtp6077se.dll

Make sure that you can view hidden files and folders (and System Files)and run a search for and delete lshosts32.exe.

Reboot and post a new Hijack This log along with the log created by L2mfix. Also post a new Silent Runners log.

ajmicek March 14th, 2005 04:24 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:22:07 PM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\yguuyr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stthomas.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stthomas.edu/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM..\Run: [DeadAIM] rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Post-it ® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra ‘Tools’ menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.stthomas.edu
O15 - Trusted Zone: *.wellsfargo.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Mykala Lind\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really “Everyone”
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY C Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Mykala Lind\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mykala Lind\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1500 ‘explorer.exe’
Killing PID 1500 ‘explorer.exe’
Killing PID 1500 ‘explorer.exe’

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 612 ‘rundll32.exe’
Killing PID 1840 ‘rundll32.exe’

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\r68s0gl7e6q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UPRV42A.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\r68s0gl7e6q.dll
Successfully Deleted: C:\WINDOWS\system32\r68s0gl7e6q.dll
deleting: C:\WINDOWS\system32\UPRV42A.DLL
Successfully Deleted: C:\WINDOWS\system32\UPRV42A.DLL
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: r68s0gl7e6q.dll (164 bytes security) (deflated 5%)
adding: UPRV42A.DLL (164 bytes security) (deflated 4%)
updating: guard.tmp (164 bytes security) (deflated 4%)
updating: clear.reg (164 bytes security) (deflated 37%)
updating: echo.reg (164 bytes security) (deflated 9%)
updating: desktop.ini (164 bytes security) (deflated 14%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 75%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: report.txt (164 bytes security) (deflated 64%)
updating: test.txt (164 bytes security) (deflated 53%)
updating: test2.txt (164 bytes security) (deflated 16%)
updating: test3.txt (164 bytes security) (deflated 16%)
updating: test5.txt (164 bytes security) (deflated 16%)
updating: xfind.txt (164 bytes security) (deflated 36%)
adding: log.txt (164 bytes security) (deflated 79%)
updating: backregs/CE54EEE6-8DE4-434D-8BBE-50910D4D6CC6.reg (164 bytes security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 73%)
adding: backregs/7EAFE8C8-7CC9-43FC-96D4-3262DEA2CEDF.reg (164 bytes security) (deflated 70%)
adding: backregs/CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3.reg (164 bytes security) (deflated 70%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really “Everyone”

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators … successful

deleting local copy: r68s0gl7e6q.dll
deleting local copy: UPRV42A.DLL
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00, 2e,00,64,00,6c,00,\
6c,00,00,00
“Logoff”=”ChainWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00, 74,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Logoff”=”CryptnetWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
“DLLName”=”cscdll.dll”
“Logon”=”WinlogonLogonEvent”
“Logoff”=”WinlogonLogoffEvent”
“ScreenSaver”=”WinlogonScreenSaverEvent”
“Startup”=”WinlogonStartupEvent”
“Shutdown”=”WinlogonShutdownEvent”
“StartShell”=”WinlogonStartShellEvent”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=”“
“DLLName”=”igfxsrvc.dll”
“Asynchronous”=dword:00000001
“Impersonate”=dword:00000001
“Unlock”=”WinlogonUnlockEvent”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
“DLLName”=”wlnotify.dll”
“Logon”=”SCardStartCertProp”
“Logoff”=”SCardStopCertProp”
“Lock”=”SCardSuspendCertProp”
“Unlock”=”SCardResumeCertProp”
“Enabled”=dword:00000001
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
“Asynchronous”=dword:00000000
“DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Impersonate”=dword:00000000
“StartShell”=”SchedStartShell”
“Logoff”=”SchedEventLogOff”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
“Logoff”=”WLEventLogoff”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001
“DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
“DLLName”=”WlNotify.dll”
“Lock”=”SensLockEvent”
“Logon”=”SensLogonEvent”
“Logoff”=”SensLogoffEvent”
“Safe”=dword:00000001
“MaxWait”=dword:00000258
“StartScreenSaver”=”SensStartScreenSaverEvent”
“StopScreenSaver”=”SensStopScreenSaverEvent”
“Startup”=”SensStartupEvent”
“Shutdown”=”SensShutdownEvent”
“StartShell”=”SensStartShellEvent”
“PostShell”=”SensPostShellEvent”
“Disconnect”=”SensDisconnectEvent”
“Reconnect”=”SensReconnectEvent”
“Unlock”=”SensUnlockEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
“Asynchronous”=dword:00000000
“DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00, 79,00,2e,00,64,00,\
6c,00,6c,00,00,00
“Impersonate”=dword:00000000
“Logoff”=”TSEventLogoff”
“Logon”=”TSEventLogon”
“PostShell”=”TSEventPostShell”
“Shutdown”=”TSEventShutdown”
“StartShell”=”TSEventStartShell”
“Startup”=”TSEventStartup”
“MaxWait”=dword:00000258
“Reconnect”=”TSEventReconnect”
“Disconnect”=”TSEventDisconnect”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
“DLLName”=”wlnotify.dll”
“Logon”=”RegisterTicketExpiredNotificationEvent”
“Logoff”=”UnregisterTicketExpiredNotificationEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

The following are the files found:

C:\WINDOWS\system32\r68s0gl7e6q.dll
C:\WINDOWS\system32\UPRV42A.DLL
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
“{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}”=-
“{7EAFE8C8-7CC9-43FC-96D4-3262DEA2CEDF}”=-
[-HKEY_CLASSES_ROOT\CLSID{CE78ADB9-BF14-45F4-88F4-6E910ACF9DE3}]
[-HKEY_CLASSES_ROOT\CLSID{7EAFE8C8-7CC9-43FC-96D4-3262DEA2CEDF}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
“{7CEE4BE2-09F8-4CFF-A8AC-E680DE6122ED}”=-
SV1”=””

Desktop.ini Contents:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
[IDone]{7CEE4BE2-09F8-4CFF-A8AC-E680DE6122ED}[/IDone]
[IDtwo]AD[/IDtwo]
[VERSION]200[/VERSION]

ajmicek March 14th, 2005 04:25 AM
final log. deleted all instances of lshosts32.exe in safe mode, ran programs as instructed.

“Silent Runners.vbs”, revision 32, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
AIM” = “C:\Program Files\AIM\aim.exe -cnetwait.odl” [“America Online, Inc.”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
“ccApp” = “”C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”
URLLSTCK.exe” = “C:\Program Files\Norton Internet Security\UrlLstCk.exe” [“Symantec Corporation”
“DeadAIM” = “rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs” [MS]
“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe” [“Symantec Corporation”
“QuickTime Task” = “”C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”
“Narrator” = “C:\WINDOWS\system32\yguuyr.exe” [null data]
“TkBellExe” = “”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”
“iTunesHelper” = “C:\Program Files\iTunes\iTunesHelper.exe” [“Apple Computer, Inc.”

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension”
-] {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”
“{DEE12703-6333-4D4E-8F34-738C4DCC2E04}” = “RecordNow! SendToExt”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data]
“{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Universal Plug and Play Devices”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]
“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-] {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
-] {CLSID}\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”
“{d0e04dfd-9185-49bd-b3a8-cdefa63f810a}” = “Philips RUSH Audio Player (128 MB)Shell Hook”
-] {CLSID}\InProcServer32(Default) = “PHIL16Ah.dll” [“Copyright (c) 2003, Koninklijke Philips”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
SCRNSAVE.EXE” = “C:\WINDOWS\System32\ssmarque.scr” [MS]

Startup items in “Mykala Lind” & “All Users” startup folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
“Post-it ® Software Notes Lite” -] shortcut to: “C:\Program Files\3M\PSNLite\PsnLite.exe -RegRun” [“3M”

Enabled Scheduled Tasks:

“Norton AntiVirus - Scan my computer - Administrator” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”
“Norton AntiVirus - Scan my computer - Mykala Lind” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”
“Norton AntiVirus - Scan my computer” -] launches: “C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:”C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”

Running Services (Display Name, Service Name, Path {Service DLL}):

iPod Service, iPodService, “”C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Computer, Inc.”
IPv6 Helper Service, 6to4, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\6to4svc.dll” [MS]}
LexBce Server, LexBceS, “C:\WINDOWS\system32\LEXBCES.EXE” [“Lexmark International, Inc.”
Norton AntiVirus Auto Protect Service, navapsvc, “”C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”
RIP Listener, Iprip, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\iprip.dll” [MS]}
Simple TCP/IP Services, SimpTcp, “C:\WINDOWS\System32\tcpsvcs.exe” [MS]
Symantec Event Manager, ccEvtMgr, “”C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”
Symantec Network Drivers Service, SNDSrvc, “”C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”
Symantec Network Proxy, ccProxy, “”C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”
Symantec Settings Manager, ccSetMgr, “”C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”
SymWMI Service, SymWSC, “”C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe”” [“Symantec Corporation”
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000004\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]
000000000005\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

This report excludes default entries except where indicated.
To see everywhere the script checks and everything it finds,
launch it from a command prompt or a shortcut with the -all parameter.

AnnMarie March 14th, 2005 04:35 AM
Good, that got rid of Look2Me, just Qoologic left.

Next, please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt,
C:\win.txt
C:\start.txt

ajmicek March 14th, 2005 05:18 AM
log.txt ::

C:\Documents and Settings\Mykala Lind\Desktop\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder…………
C:\WINDOWS\SYSTEM32\gquugo.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\pauupw.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\znppzb.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\qkuuqb.dat: .aspack
C:\WINDOWS\SYSTEM32\yguuyr.exe: .aspack

Files Found in all users startup Folder…………
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yiggyt.exe: .aspack
Files Found in all users windows Folder…………
Finished

win.txt ::

C:\WINDOWS\SYSTEM32\gquugo.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\pauupw.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\znppzb.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\qkuuqb.dat: .aspack
C:\WINDOWS\SYSTEM32\yguuyr.exe: .aspack

start.txt ::

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yiggyt.exe: .aspack

AnnMarie March 14th, 2005 05:30 AM
Download Pocket Killbox from here. Copy and paste the full file path (see below) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying “File with be deleted on next reboot, Process and Reboot now?” Click “Yes” only after entering the last file and post a new Hijack This log when you have rebooted.

C:\WINDOWS\SYSTEM32\gquugo.dll
C:\WINDOWS\SYSTEM32\pauupw.exe
C:\WINDOWS\SYSTEM32\znppzb.dll
C:\WINDOWS\SYSTEM32\qkuuqb.dat
C:\WINDOWS\SYSTEM32\yguuyr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yiggyt.exe

ajmicek March 14th, 2005 05:48 AM
Used pocketkillbox successfully. here’s the newest hijack this file ::

Logfile of HijackThis v1.99.1
Scan saved at 10:47:26 PM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stthomas.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stthomas.edu/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM..\Run: [DeadAIM] rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Narrator] C:\WINDOWS\system32\yguuyr.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Post-it ® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra ‘Tools’ menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.stthomas.edu
O15 - Trusted Zone: *.wellsfargo.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

AnnMarie March 14th, 2005 09:34 PM
Yep, your log is fine now. Fix the below entry with Hijack This:

O4 - HKLM..\Run: [Narrator] C:\WINDOWS\system32\yguuyr.exe

Reboot and if you have no further problems, you are good to go. :)

ajmicek March 14th, 2005 09:47 PM
Alright it is all fixed now. Thank you very very much for your help! Cleaning this would have been impossible otherwise.

AnnMarie March 14th, 2005 09:56 PM
You are very welcome ajmicek. :)

A rather epic missive, true, but there you have it - they helped me step-by-step remove something that would have taken days for me to do on my own. Modern technology seems to be quite the two-edged sword - capable of infecting and fixing with equally stunning efficiency.

1 comment left

Comments

mykala

It makes me sad that your potentially longest post ever is robot talk. Beep Beep Bop Bo Dee Dat Deedle… blah blah blah. Robot Schmobot, get a soul.

(Thank you for fixing my computer… again. You can brag about it, it’s cool. I promise to use stupid Firefox that crashes more often than IE and that doesn’t let me view some harmless things on my own PC, but I will not be happy about it.)

Also, I think you should post about my English major/futur career bragging rights. :)

Essays Nearby