Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

Search fix problems, Nightowl sent me <<VX2>>>
Goto page 1, 2  Next
 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sat Mar 12, 2005 12:27 am    Post subject: Search fix problems, Nightowl sent me <<VX2>>> Reply with quote
Logfile of HijackThis v1.99.1
Scan saved at 3:25:58 AM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Soulseek2\slsk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\l4n40e5qeh.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Nightowl said these are hard to kill, I know little to nothing about these kind of things, but I've been also having problems with a trogan, under exes as "AppWrap[X]" (replacing the X with numbers from 1 to 12.), if anybody could help, many thanks.
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Sat Mar 12, 2005 11:20 pm    Post subject: Reply with quote
Hello and welcome to Spyware Warrior forums.


You have the latest version of VX2. Download L2mfix from one of these two locations:

L2MFixAtrib
L2MFixSub
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sun Mar 13, 2005 8:01 pm    Post subject: Reply with quote
Thanks for your help so far, heres the log.

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp8ql3l51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{ACEDD8E1-A61C-946F-45F8-55B93F706D9D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F82662B1-7A1E-4A9F-9806-B3F92AA994A0}"=""
"{68418E51-CEB1-4F5E-B8D8-4D9A37E0F3F5}"=""
"{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}"=""
"{DB068B9B-7AE7-4157-9104-F9FF092284A4}"=""
"{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}\InprocServer32]
@="C:\\WINDOWS\\system32\\pUp6lc7s1f.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB068B9B-7AE7-4157-9104-F9FF092284A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB068B9B-7AE7-4157-9104-F9FF092284A4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB068B9B-7AE7-4157-9104-F9FF092284A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB068B9B-7AE7-4157-9104-F9FF092284A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\DWRGRES.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}\InprocServer32]
@="C:\\WINDOWS\\system32\\osepro32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E405-31D5

Directory of C:\WINDOWS\System32

03/13/2005 03:10 PM 232,997 osepro32.dll
03/13/2005 03:10 PM 233,560 fp6q03j5e.dll
03/13/2005 02:53 PM 233,138 dn4m01h1e.dll
03/13/2005 02:45 PM 233,998 k2lq0c35ef.dll
03/13/2005 01:41 PM 232,997 gp8ql3l51.dll
03/12/2005 04:20 PM 232,997 iqagr5.dll
03/11/2005 12:42 PM 234,889 l02s0af7ed2.dll
03/10/2005 04:35 PM 232,997 dykquota.dll
03/10/2005 02:15 PM 236,261 DWRGRES.DLL
03/08/2005 10:28 PM 236,261 midtctm.dll
03/08/2005 07:59 PM 236,261 dddmo.dll
03/08/2005 07:55 PM 235,340 pUp6lc7s1f.dll
03/08/2005 07:52 PM 233,059 dhus10.dll
03/08/2005 07:06 PM 234,716 MEC71CHS.DLL
03/08/2005 06:38 PM 232,736 s6rs0g97e6.dll
03/08/2005 06:05 PM 232,736 nbtcfgx.dll
03/08/2005 04:05 PM 232,736 MUAATEXT.DLL
03/08/2005 04:05 PM 232,736 MXC71CHT.DLL
03/08/2005 12:49 PM 10,906 KGyGaAvL.sys
03/06/2005 06:01 PM 230,033 q0nu0a59ed.dll
03/06/2005 05:47 PM 230,033 p2p6lc7s1f.dll
03/06/2005 04:14 PM 230,033 jt0207doe.dll
02/20/2005 01:25 AM 230,033 g8040idqe80e0.dll
02/20/2005 01:02 AM 230,033 hrn4055qe.dll
02/19/2005 10:26 PM 230,033 mvlul9391.dll
02/16/2005 08:43 PM 230,033 fp4o03h3e.dll
02/14/2005 09:03 PM 230,033 fpr0039me.dll
02/14/2005 08:42 PM 230,033 fp8s03l7e.dll
02/14/2005 08:40 PM 231,144 gp8sl3l71.dll
02/04/2005 11:58 AM 231,833 k008ladu1d08.dll
02/04/2005 11:38 AM 230,832 lvrs0997e.dll
02/04/2005 11:31 AM <DIR> DLLCACHE
02/04/2005 11:26 AM 230,033 i424lefq1h2e.dll
02/04/2005 02:44 AM 230,033 r6p8lg7u16.dll
01/27/2005 06:32 AM 230,033 lv2o09f3e.dll
01/25/2005 11:13 AM 229,736 l88mlil118q.dll
03/16/2004 06:58 PM <DIR> Microsoft
35 File(s) 7,905,262 bytes
2 Dir(s) 16,785,448,960 bytes free


AntiVir told me it had some signature. o_O

Also, could you please explain whats VX2?

One last thing, what the hell are these AppWrap viruses? They don't stop...
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Sun Mar 13, 2005 10:04 pm    Post subject: Reply with quote
VX2 is one of the nastiest infections currently on the net. It was created a by a group known as The Transponder Gang.

This variant has just been tweaked, but I won't know which variant you ahve, until the next step. If it removes things, fine, if not, we may be in a bit of trouble, keep your fingers crossed.

The experts are working on this fix as we speak.

Exclamation Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Note: once the pc has restarted if a text does not open run the "second.bat" located inside the L2mfix folder.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sun Mar 13, 2005 10:24 pm    Post subject: Reply with quote
Alright. Here are the logs.

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1440 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\fp4o03h3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8s03l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpr0039me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8040idqe80e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp8sl3l71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrn4055qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i424lefq1h2e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt0207doe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k008ladu1d08.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l88mlil118q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv2o09f3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrs0997e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvlul9391.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p2p6lc7s1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q0nu0a59ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r6p8lg7u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TGAFFIC.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\fp4o03h3e.dll
Successfully Deleted: C:\WINDOWS\system32\fp4o03h3e.dll
deleting: C:\WINDOWS\system32\fp8s03l7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8s03l7e.dll
deleting: C:\WINDOWS\system32\fpr0039me.dll
Successfully Deleted: C:\WINDOWS\system32\fpr0039me.dll
deleting: C:\WINDOWS\system32\g8040idqe80e0.dll
Successfully Deleted: C:\WINDOWS\system32\g8040idqe80e0.dll
deleting: C:\WINDOWS\system32\gp8sl3l71.dll
Successfully Deleted: C:\WINDOWS\system32\gp8sl3l71.dll
deleting: C:\WINDOWS\system32\hrn4055qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrn4055qe.dll
deleting: C:\WINDOWS\system32\i424lefq1h2e.dll
Successfully Deleted: C:\WINDOWS\system32\i424lefq1h2e.dll
deleting: C:\WINDOWS\system32\jt0207doe.dll
Successfully Deleted: C:\WINDOWS\system32\jt0207doe.dll
deleting: C:\WINDOWS\system32\k008ladu1d08.dll
Successfully Deleted: C:\WINDOWS\system32\k008ladu1d08.dll
deleting: C:\WINDOWS\system32\l88mlil118q.dll
Successfully Deleted: C:\WINDOWS\system32\l88mlil118q.dll
deleting: C:\WINDOWS\system32\lv2o09f3e.dll
Successfully Deleted: C:\WINDOWS\system32\lv2o09f3e.dll
deleting: C:\WINDOWS\system32\lvrs0997e.dll
Successfully Deleted: C:\WINDOWS\system32\lvrs0997e.dll
deleting: C:\WINDOWS\system32\mvlul9391.dll
Successfully Deleted: C:\WINDOWS\system32\mvlul9391.dll
deleting: C:\WINDOWS\system32\p2p6lc7s1f.dll
Successfully Deleted: C:\WINDOWS\system32\p2p6lc7s1f.dll
deleting: C:\WINDOWS\system32\q0nu0a59ed.dll
Successfully Deleted: C:\WINDOWS\system32\q0nu0a59ed.dll
deleting: C:\WINDOWS\system32\r6p8lg7u16.dll
Successfully Deleted: C:\WINDOWS\system32\r6p8lg7u16.dll
deleting: C:\WINDOWS\system32\TGAFFIC.DLL
Successfully Deleted: C:\WINDOWS\system32\TGAFFIC.DLL

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: fp4o03h3e.dll (140 bytes security) (deflated 5%)
adding: fp8s03l7e.dll (140 bytes security) (deflated 5%)
adding: fpr0039me.dll (140 bytes security) (deflated 5%)
adding: g8040idqe80e0.dll (140 bytes security) (deflated 5%)
adding: gp8sl3l71.dll (140 bytes security) (deflated 5%)
adding: hrn4055qe.dll (140 bytes security) (deflated 5%)
adding: i424lefq1h2e.dll (140 bytes security) (deflated 5%)
adding: jt0207doe.dll (140 bytes security) (deflated 5%)
adding: k008ladu1d08.dll (140 bytes security) (deflated 5%)
adding: l88mlil118q.dll (140 bytes security) (deflated 5%)
adding: lv2o09f3e.dll (140 bytes security) (deflated 5%)
adding: lvrs0997e.dll (140 bytes security) (deflated 5%)
adding: mvlul9391.dll (140 bytes security) (deflated 5%)
adding: p2p6lc7s1f.dll (140 bytes security) (deflated 5%)
adding: q0nu0a59ed.dll (140 bytes security) (deflated 5%)
adding: r6p8lg7u16.dll (140 bytes security) (deflated 5%)
adding: TGAFFIC.DLL (140 bytes security) (deflated 5%)
adding: clear.reg (140 bytes security) (deflated 55%)
adding: echo.reg (140 bytes security) (deflated 10%)
adding: desktop.ini (140 bytes security) (deflated 13%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 82%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 76%)
adding: test.txt (140 bytes security) (deflated 80%)
adding: test2.txt (140 bytes security) (deflated 37%)
adding: test3.txt (140 bytes security) (deflated 37%)
adding: test5.txt (140 bytes security) (deflated 37%)
adding: xfind.txt (140 bytes security) (deflated 69%)
adding: backregs/ADCCD04B-DD1F-4FED-BE7E-22B41A721640.reg (140 bytes security) (deflated 70%)
adding: backregs/DB068B9B-7AE7-4157-9104-F9FF092284A4.reg (140 bytes security) (deflated 70%)
adding: backregs/E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F.reg (140 bytes security) (deflated 69%)
adding: backregs/shell.reg (140 bytes security) (deflated 51%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: fp4o03h3e.dll
deleting local copy: fp8s03l7e.dll
deleting local copy: fpr0039me.dll
deleting local copy: g8040idqe80e0.dll
deleting local copy: gp8sl3l71.dll
deleting local copy: hrn4055qe.dll
deleting local copy: i424lefq1h2e.dll
deleting local copy: jt0207doe.dll
deleting local copy: k008ladu1d08.dll
deleting local copy: l88mlil118q.dll
deleting local copy: lv2o09f3e.dll
deleting local copy: lvrs0997e.dll
deleting local copy: mvlul9391.dll
deleting local copy: p2p6lc7s1f.dll
deleting local copy: q0nu0a59ed.dll
deleting local copy: r6p8lg7u16.dll
deleting local copy: TGAFFIC.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fp6q03j5e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\fp8s03l7e.dll
C:\WINDOWS\system32\fpr0039me.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\gp8sl3l71.dll
C:\WINDOWS\system32\hrn4055qe.dll
C:\WINDOWS\system32\i424lefq1h2e.dll
C:\WINDOWS\system32\jt0207doe.dll
C:\WINDOWS\system32\k008ladu1d08.dll
C:\WINDOWS\system32\l88mlil118q.dll
C:\WINDOWS\system32\lv2o09f3e.dll
C:\WINDOWS\system32\lvrs0997e.dll
C:\WINDOWS\system32\mvlul9391.dll
C:\WINDOWS\system32\p2p6lc7s1f.dll
C:\WINDOWS\system32\q0nu0a59ed.dll
C:\WINDOWS\system32\r6p8lg7u16.dll
C:\WINDOWS\system32\TGAFFIC.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F82662B1-7A1E-4A9F-9806-B3F92AA994A0}"=-
"{68418E51-CEB1-4F5E-B8D8-4D9A37E0F3F5}"=-
"{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}"=-
"{DB068B9B-7AE7-4157-9104-F9FF092284A4}"=-
"{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F82662B1-7A1E-4A9F-9806-B3F92AA994A0}]
[-HKEY_CLASSES_ROOT\CLSID\{68418E51-CEB1-4F5E-B8D8-4D9A37E0F3F5}]
[-HKEY_CLASSES_ROOT\CLSID\{E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F}]
[-HKEY_CLASSES_ROOT\CLSID\{DB068B9B-7AE7-4157-9104-F9FF092284A4}]
[-HKEY_CLASSES_ROOT\CLSID\{ADCCD04B-DD1F-4FED-BE7E-22B41A721640}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D6AAEA8B-AAFB-4977-8C13-E9BCFD8F09F8}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{D6AAEA8B-AAFB-4977-8C13-E9BCFD8F09F8}</IDone>
<IDtwo>BM2</IDtwo>
<VERSION>200</VERSION>
****************************************************************************









Logfile of HijackThis v1.99.1
Scan saved at 1:23:26 AM, on 3/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Soulseek2\slsk.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fp6q03j5e.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Sun Mar 13, 2005 10:59 pm    Post subject: Reply with quote
I am going to do some investigating into this. I am not that great with these infections. And with a new variant running around, I want to be sure on things, plese be patient.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Tue Mar 15, 2005 7:39 am    Post subject: Reply with quote
We are still waiting for the creator of this tool to update it. It seems he has been having connection problem and has been offline some.

I check the forums he works at several times a day, be patient, sorry for delay.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Tue Mar 15, 2005 9:45 pm    Post subject: Reply with quote
No problem. Do you know what these AppWrap viruses are though?
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Tue Mar 15, 2005 10:00 pm    Post subject: Reply with quote
OK, I am pretty sure your still infected, based on a c ouple of things in your log.

The new tool is up, but I want to confirm its the same link DL, before I have you run it.

As far as AppWrap, which of the vendors is calling it that? It could be just another name for VX2\Look2Me. Seems the vendors have to create their own stamp of things, LOL
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Wed Mar 16, 2005 2:21 am    Post subject: Reply with quote
TeMerc wrote:
OK, I am pretty sure your still infected, based on a c ouple of things in your log.

The new tool is up, but I want to confirm its the same link DL, before I have you run it.

As far as AppWrap, which of the vendors is calling it that? It could be just another name for VX2\Look2Me. Seems the vendors have to create their own stamp of things, LOL


The name of the files are "AppWrap[X].exe", the X represents numbers from 1 to around 12 now.
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Wed Mar 16, 2005 1:17 pm    Post subject: Reply with quote
OK, can you please run the app again, as the tool has finally been updated, and the links are proper as well.

Run it the same as instructed originally please.

Thanks for being patient on this one.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Thu Mar 17, 2005 12:03 am    Post subject: Reply with quote
Ok, hold on.

Heres the log? (I used Option 1)

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\axifil32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{368324C7-85B3-3479-222A-6FFE6995871A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FD427683-3C90-446A-A9E4-4211C3B57AE9}"=""
"{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FD427683-3C90-446A-A9E4-4211C3B57AE9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD427683-3C90-446A-A9E4-4211C3B57AE9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD427683-3C90-446A-A9E4-4211C3B57AE9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD427683-3C90-446A-A9E4-4211C3B57AE9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}\InprocServer32]
@="C:\\WINDOWS\\system32\\DZMAP.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E405-31D5

Directory of C:\WINDOWS\System32

03/15/2005 11:26 PM 233,248 DZMAP.DLL
03/15/2005 11:26 PM 234,904 n6n6lg5s16.dll
03/15/2005 11:25 PM 233,248 beowser.dll
03/15/2005 10:25 PM 233,248 mgieftp.dll
03/15/2005 10:25 PM 233,248 MVRMSG.DLL
03/15/2005 09:25 PM 233,248 TQPIUI.DLL
03/15/2005 09:25 PM 233,248 SimNeti.dll
03/15/2005 08:25 PM 233,248 dfdmo.dll
03/15/2005 08:25 PM 233,248 DDLAY.DLL
03/15/2005 07:25 PM 233,248 pedx5032.dll
03/15/2005 07:25 PM 233,248 plwrprof.dll
03/15/2005 06:25 PM 233,248 blhci.dll
03/15/2005 06:25 PM 233,248 AYTODISC.DLL
03/15/2005 05:25 PM 233,248 iyengine.dll
03/15/2005 05:25 PM 233,248 irsecsnp.dll
03/15/2005 04:25 PM 233,248 WG2TOPL.DLL
03/15/2005 04:24 PM 233,248 USILDLL.DLL
03/15/2005 03:24 PM 233,248 dflayx.dll
03/15/2005 03:24 PM 233,248 dxloader.dll
03/15/2005 02:25 PM 233,248 lwhsvc.dll
03/15/2005 02:24 PM 233,248 KQDMAC.DLL
03/14/2005 03:24 PM 233,560 pkcParse.dll
03/14/2005 03:07 PM 235,417 dnn2015oe.dll
03/14/2005 01:36 AM 233,560 r28s0cl7efq.dll
03/14/2005 01:19 AM 233,560 f62m0gf1e62.dll
03/14/2005 01:18 AM 233,560 csyptui.dll
03/14/2005 01:17 AM 232,997 k6260gfse6260.dll
03/13/2005 03:10 PM 232,997 osepro32.dll
03/13/2005 02:53 PM 233,138 dn4m01h1e.dll
03/13/2005 02:45 PM 233,998 k2lq0c35ef.dll
03/12/2005 04:20 PM 232,997 iqagr5.dll
03/11/2005 12:42 PM 234,889 l02s0af7ed2.dll
03/10/2005 04:35 PM 232,997 dykquota.dll
03/10/2005 02:15 PM 236,261 DWRGRES.DLL
03/08/2005 10:28 PM 236,261 midtctm.dll
03/08/2005 07:59 PM 236,261 dddmo.dll
03/08/2005 07:55 PM 235,340 pUp6lc7s1f.dll
03/08/2005 07:52 PM 233,059 dhus10.dll
03/08/2005 07:06 PM 234,716 MEC71CHS.DLL
03/08/2005 06:38 PM 232,736 s6rs0g97e6.dll
03/08/2005 06:05 PM 232,736 nbtcfgx.dll
03/08/2005 04:05 PM 232,736 MUAATEXT.DLL
03/08/2005 04:05 PM 232,736 MXC71CHT.DLL
03/08/2005 12:49 PM 10,906 KGyGaAvL.sys
02/04/2005 11:31 AM <DIR> DLLCACHE
03/16/2004 06:58 PM <DIR> Microsoft
44 File(s) 10,057,282 bytes
2 Dir(s) 18,972,418,048 bytes free
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Thu Mar 17, 2005 7:28 am    Post subject: Reply with quote
Ah, I was correct, you were still infected.

OK, now please use the second part of the fix, as insturcted previously.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Thu Mar 17, 2005 12:19 pm    Post subject: Reply with quote
L2Mfix 1.03

Running From:
C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Johnathan Cruz\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1520 'explorer.exe'
Killing PID 1520 'explorer.exe'
Killing PID 1520 'explorer.exe'
Killing PID 1520 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1736 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\AYTODISC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\beowser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\blhci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\csyptui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dddmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DDLAY.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dfdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dflayx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhus10.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn4m01h1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnn2015oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DWRGRES.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxloader.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dykquota.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DZMAP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f62m0gf1e62.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqagr5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irsecsnp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iyengine.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k2lq0c35ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6260gfse6260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KQDMAC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l02s0af7ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lwhsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MEC71CHS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgieftp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\midtctm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUAATEXT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MVRMSG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MXC71CHT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n6n6lg5s16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbtcfgx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\osepro32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pedx5032.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pkcParse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\plwrprof.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pUp6lc7s1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r28s0cl7efq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s6rs0g97e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SimNeti.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TQPIUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\USILDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WG2TOPL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wnweb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\AYTODISC.DLL
Successfully Deleted: C:\WINDOWS\system32\AYTODISC.DLL
deleting: C:\WINDOWS\system32\beowser.dll
Successfully Deleted: C:\WINDOWS\system32\beowser.dll
deleting: C:\WINDOWS\system32\blhci.dll
Successfully Deleted: C:\WINDOWS\system32\blhci.dll
deleting: C:\WINDOWS\system32\csyptui.dll
Successfully Deleted: C:\WINDOWS\system32\csyptui.dll
deleting: C:\WINDOWS\system32\dddmo.dll
Successfully Deleted: C:\WINDOWS\system32\dddmo.dll
deleting: C:\WINDOWS\system32\DDLAY.DLL
Successfully Deleted: C:\WINDOWS\system32\DDLAY.DLL
deleting: C:\WINDOWS\system32\dfdmo.dll
Successfully Deleted: C:\WINDOWS\system32\dfdmo.dll
deleting: C:\WINDOWS\system32\dflayx.dll
Successfully Deleted: C:\WINDOWS\system32\dflayx.dll
deleting: C:\WINDOWS\system32\dhus10.dll
Successfully Deleted: C:\WINDOWS\system32\dhus10.dll
deleting: C:\WINDOWS\system32\dn4m01h1e.dll
Successfully Deleted: C:\WINDOWS\system32\dn4m01h1e.dll
deleting: C:\WINDOWS\system32\dnn2015oe.dll
Successfully Deleted: C:\WINDOWS\system32\dnn2015oe.dll
deleting: C:\WINDOWS\system32\DWRGRES.DLL
Successfully Deleted: C:\WINDOWS\system32\DWRGRES.DLL
deleting: C:\WINDOWS\system32\dxloader.dll
Successfully Deleted: C:\WINDOWS\system32\dxloader.dll
deleting: C:\WINDOWS\system32\dykquota.dll
Successfully Deleted: C:\WINDOWS\system32\dykquota.dll
deleting: C:\WINDOWS\system32\DZMAP.DLL
Successfully Deleted: C:\WINDOWS\system32\DZMAP.DLL
deleting: C:\WINDOWS\system32\f62m0gf1e62.dll
Successfully Deleted: C:\WINDOWS\system32\f62m0gf1e62.dll
deleting: C:\WINDOWS\system32\iqagr5.dll
Successfully Deleted: C:\WINDOWS\system32\iqagr5.dll
deleting: C:\WINDOWS\system32\irsecsnp.dll
Successfully Deleted: C:\WINDOWS\system32\irsecsnp.dll
deleting: C:\WINDOWS\system32\iyengine.dll
Successfully Deleted: C:\WINDOWS\system32\iyengine.dll
deleting: C:\WINDOWS\system32\k2lq0c35ef.dll
Successfully Deleted: C:\WINDOWS\system32\k2lq0c35ef.dll
deleting: C:\WINDOWS\system32\k6260gfse6260.dll
Successfully Deleted: C:\WINDOWS\system32\k6260gfse6260.dll
deleting: C:\WINDOWS\system32\KQDMAC.DLL
Successfully Deleted: C:\WINDOWS\system32\KQDMAC.DLL
deleting: C:\WINDOWS\system32\l02s0af7ed2.dll
Successfully Deleted: C:\WINDOWS\system32\l02s0af7ed2.dll
deleting: C:\WINDOWS\system32\lwhsvc.dll
Successfully Deleted: C:\WINDOWS\system32\lwhsvc.dll
deleting: C:\WINDOWS\system32\MEC71CHS.DLL
Successfully Deleted: C:\WINDOWS\system32\MEC71CHS.DLL
deleting: C:\WINDOWS\system32\mgieftp.dll
Successfully Deleted: C:\WINDOWS\system32\mgieftp.dll
deleting: C:\WINDOWS\system32\midtctm.dll
Successfully Deleted: C:\WINDOWS\system32\midtctm.dll
deleting: C:\WINDOWS\system32\MUAATEXT.DLL
Successfully Deleted: C:\WINDOWS\system32\MUAATEXT.DLL
deleting: C:\WINDOWS\system32\MVRMSG.DLL
Successfully Deleted: C:\WINDOWS\system32\MVRMSG.DLL
deleting: C:\WINDOWS\system32\MXC71CHT.DLL
Successfully Deleted: C:\WINDOWS\system32\MXC71CHT.DLL
deleting: C:\WINDOWS\system32\n6n6lg5s16.dll
Successfully Deleted: C:\WINDOWS\system32\n6n6lg5s16.dll
deleting: C:\WINDOWS\system32\nbtcfgx.dll
Successfully Deleted: C:\WINDOWS\system32\nbtcfgx.dll
deleting: C:\WINDOWS\system32\osepro32.dll
Successfully Deleted: C:\WINDOWS\system32\osepro32.dll
deleting: C:\WINDOWS\system32\pedx5032.dll
Successfully Deleted: C:\WINDOWS\system32\pedx5032.dll
deleting: C:\WINDOWS\system32\pkcParse.dll
Successfully Deleted: C:\WINDOWS\system32\pkcParse.dll
deleting: C:\WINDOWS\system32\plwrprof.dll
Successfully Deleted: C:\WINDOWS\system32\plwrprof.dll
deleting: C:\WINDOWS\system32\pUp6lc7s1f.dll
Successfully Deleted: C:\WINDOWS\system32\pUp6lc7s1f.dll
deleting: C:\WINDOWS\system32\r28s0cl7efq.dll
Successfully Deleted: C:\WINDOWS\system32\r28s0cl7efq.dll
deleting: C:\WINDOWS\system32\s6rs0g97e6.dll
Successfully Deleted: C:\WINDOWS\system32\s6rs0g97e6.dll
deleting: C:\WINDOWS\system32\SimNeti.dll
Successfully Deleted: C:\WINDOWS\system32\SimNeti.dll
deleting: C:\WINDOWS\system32\TQPIUI.DLL
Successfully Deleted: C:\WINDOWS\system32\TQPIUI.DLL
deleting: C:\WINDOWS\system32\USILDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\USILDLL.DLL
deleting: C:\WINDOWS\system32\WG2TOPL.DLL
Successfully Deleted: C:\WINDOWS\system32\WG2TOPL.DLL
deleting: C:\WINDOWS\system32\wnweb.dll
Successfully Deleted: C:\WINDOWS\system32\wnweb.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: AYTODISC.DLL (140 bytes security) (deflated 4%)
adding: beowser.dll (140 bytes security) (deflated 4%)
adding: blhci.dll (140 bytes security) (deflated 4%)
adding: csyptui.dll (140 bytes security) (deflated 5%)
adding: dddmo.dll (140 bytes security) (deflated 6%)
adding: DDLAY.DLL (140 bytes security) (deflated 4%)
adding: dfdmo.dll (140 bytes security) (deflated 4%)
adding: dflayx.dll (140 bytes security) (deflated 4%)
adding: dhus10.dll (140 bytes security) (deflated 4%)
adding: dn4m01h1e.dll (140 bytes security) (deflated 4%)
adding: dnn2015oe.dll (140 bytes security) (deflated 5%)
adding: DWRGRES.DLL (140 bytes security) (deflated 6%)
adding: dxloader.dll (140 bytes security) (deflated 4%)
adding: dykquota.dll (140 bytes security) (deflated 4%)
adding: DZMAP.DLL (140 bytes security) (deflated 4%)
adding: f62m0gf1e62.dll (140 bytes security) (deflated 5%)
adding: iqagr5.dll (140 bytes security) (deflated 4%)
adding: irsecsnp.dll (140 bytes security) (deflated 4%)
adding: iyengine.dll (140 bytes security) (deflated 4%)
adding: k2lq0c35ef.dll (140 bytes security) (deflated 5%)
adding: k6260gfse6260.dll (140 bytes security) (deflated 4%)
adding: KQDMAC.DLL (140 bytes security) (deflated 4%)
adding: l02s0af7ed2.dll (140 bytes security) (deflated 5%)
adding: lwhsvc.dll (140 bytes security) (deflated 4%)
adding: MEC71CHS.DLL (140 bytes security) (deflated 5%)
adding: mgieftp.dll (140 bytes security) (deflated 4%)
adding: midtctm.dll (140 bytes security) (deflated 6%)
adding: MUAATEXT.DLL (140 bytes security) (deflated 4%)
adding: MVRMSG.DLL (140 bytes security) (deflated 4%)
adding: MXC71CHT.DLL (140 bytes security) (deflated 4%)
adding: n6n6lg5s16.dll (140 bytes security) (deflated 5%)
adding: nbtcfgx.dll (140 bytes security) (deflated 4%)
adding: osepro32.dll (140 bytes security) (deflated 4%)
adding: pedx5032.dll (140 bytes security) (deflated 4%)
adding: pkcParse.dll (140 bytes security) (deflated 5%)
adding: plwrprof.dll (140 bytes security) (deflated 4%)
adding: pUp6lc7s1f.dll (140 bytes security) (deflated 5%)
adding: r28s0cl7efq.dll (140 bytes security) (deflated 5%)
adding: s6rs0g97e6.dll (140 bytes security) (deflated 4%)
adding: SimNeti.dll (140 bytes security) (deflated 4%)
adding: TQPIUI.DLL (140 bytes security) (deflated 4%)
adding: USILDLL.DLL (140 bytes security) (deflated 4%)
adding: WG2TOPL.DLL (140 bytes security) (deflated 4%)
adding: wnweb.dll (140 bytes security) (deflated 4%)
adding: guard.tmp (140 bytes security) (deflated 4%)
updating: clear.reg (140 bytes security) (deflated 37%)
updating: echo.reg (140 bytes security) (deflated 10%)
updating: direct.txt (140 bytes security) (stored 0%)
updating: lo2.txt (140 bytes security) (deflated 86%)
updating: readme.txt (140 bytes security) (deflated 49%)
updating: report.txt (140 bytes security) (deflated 77%)
updating: test.txt (140 bytes security) (deflated 81%)
updating: test2.txt (140 bytes security) (deflated 16%)
updating: test3.txt (140 bytes security) (deflated 16%)
updating: test5.txt (140 bytes security) (deflated 16%)
updating: xfind.txt (140 bytes security) (deflated 76%)
adding: log.txt (140 bytes security) (deflated 81%)
updating: backregs/ADCCD04B-DD1F-4FED-BE7E-22B41A721640.reg (140 bytes security) (deflated 70%)
updating: backregs/DB068B9B-7AE7-4157-9104-F9FF092284A4.reg (140 bytes security) (deflated 70%)
updating: backregs/E165FC37-D4F2-4825-B9E9-A9B1D8D47A0F.reg (140 bytes security) (deflated 69%)
updating: backregs/shell.reg (140 bytes security) (deflated 43%)
adding: backregs/FA6288BC-6CF2-459F-A73B-DD264CE3DE8B.reg (140 bytes security) (deflated 70%)
adding: backregs/FD427683-3C90-446A-A9E4-4211C3B57AE9.reg (140 bytes security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: AYTODISC.DLL
deleting local copy: beowser.dll
deleting local copy: blhci.dll
deleting local copy: csyptui.dll
deleting local copy: dddmo.dll
deleting local copy: DDLAY.DLL
deleting local copy: dfdmo.dll
deleting local copy: dflayx.dll
deleting local copy: dhus10.dll
deleting local copy: dn4m01h1e.dll
deleting local copy: dnn2015oe.dll
deleting local copy: DWRGRES.DLL
deleting local copy: dxloader.dll
deleting local copy: dykquota.dll
deleting local copy: DZMAP.DLL
deleting local copy: f62m0gf1e62.dll
deleting local copy: iqagr5.dll
deleting local copy: irsecsnp.dll
deleting local copy: iyengine.dll
deleting local copy: k2lq0c35ef.dll
deleting local copy: k6260gfse6260.dll
deleting local copy: KQDMAC.DLL
deleting local copy: l02s0af7ed2.dll
deleting local copy: lwhsvc.dll
deleting local copy: MEC71CHS.DLL
deleting local copy: mgieftp.dll
deleting local copy: midtctm.dll
deleting local copy: MUAATEXT.DLL
deleting local copy: MVRMSG.DLL
deleting local copy: MXC71CHT.DLL
deleting local copy: n6n6lg5s16.dll
deleting local copy: nbtcfgx.dll
deleting local copy: osepro32.dll
deleting local copy: pedx5032.dll
deleting local copy: pkcParse.dll
deleting local copy: plwrprof.dll
deleting local copy: pUp6lc7s1f.dll
deleting local copy: r28s0cl7efq.dll
deleting local copy: s6rs0g97e6.dll
deleting local copy: SimNeti.dll
deleting local copy: TQPIUI.DLL
deleting local copy: USILDLL.DLL
deleting local copy: WG2TOPL.DLL
deleting local copy: wnweb.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\AYTODISC.DLL
C:\WINDOWS\system32\beowser.dll
C:\WINDOWS\system32\blhci.dll
C:\WINDOWS\system32\csyptui.dll
C:\WINDOWS\system32\dddmo.dll
C:\WINDOWS\system32\DDLAY.DLL
C:\WINDOWS\system32\dfdmo.dll
C:\WINDOWS\system32\dflayx.dll
C:\WINDOWS\system32\dhus10.dll
C:\WINDOWS\system32\dn4m01h1e.dll
C:\WINDOWS\system32\dnn2015oe.dll
C:\WINDOWS\system32\DWRGRES.DLL
C:\WINDOWS\system32\dxloader.dll
C:\WINDOWS\system32\dykquota.dll
C:\WINDOWS\system32\DZMAP.DLL
C:\WINDOWS\system32\f62m0gf1e62.dll
C:\WINDOWS\system32\iqagr5.dll
C:\WINDOWS\system32\irsecsnp.dll
C:\WINDOWS\system32\iyengine.dll
C:\WINDOWS\system32\k2lq0c35ef.dll
C:\WINDOWS\system32\k6260gfse6260.dll
C:\WINDOWS\system32\KQDMAC.DLL
C:\WINDOWS\system32\l02s0af7ed2.dll
C:\WINDOWS\system32\lwhsvc.dll
C:\WINDOWS\system32\MEC71CHS.DLL
C:\WINDOWS\system32\mgieftp.dll
C:\WINDOWS\system32\midtctm.dll
C:\WINDOWS\system32\MUAATEXT.DLL
C:\WINDOWS\system32\MVRMSG.DLL
C:\WINDOWS\system32\MXC71CHT.DLL
C:\WINDOWS\system32\n6n6lg5s16.dll
C:\WINDOWS\system32\nbtcfgx.dll
C:\WINDOWS\system32\osepro32.dll
C:\WINDOWS\system32\pedx5032.dll
C:\WINDOWS\system32\pkcParse.dll
C:\WINDOWS\system32\plwrprof.dll
C:\WINDOWS\system32\pUp6lc7s1f.dll
C:\WINDOWS\system32\r28s0cl7efq.dll
C:\WINDOWS\system32\s6rs0g97e6.dll
C:\WINDOWS\system32\SimNeti.dll
C:\WINDOWS\system32\TQPIUI.DLL
C:\WINDOWS\system32\USILDLL.DLL
C:\WINDOWS\system32\WG2TOPL.DLL
C:\WINDOWS\system32\wnweb.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FD427683-3C90-446A-A9E4-4211C3B57AE9}"=-
"{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FD427683-3C90-446A-A9E4-4211C3B57AE9}]
[-HKEY_CLASSES_ROOT\CLSID\{FA6288BC-6CF2-459F-A73B-DD264CE3DE8B}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Thu Mar 17, 2005 9:42 pm    Post subject: Reply with quote
OK, everything looks good regarding VX2, lets get a fresh HJT log please.

Thanks for your patience.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Thu Mar 17, 2005 10:34 pm    Post subject: Reply with quote
Woohoo! Thanks so much for your help so far. Heres the log.

Logfile of HijackThis v1.99.1
Scan saved at 1:33:48 AM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ZDaemon\zlauncher.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

^ Nightowl told me to come here to get rid of those. And I haven't gotten any warnings for those Appwrap viruses, but I still would like to know more about them, on how to keep them out, or get rid of em...
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Thu Mar 17, 2005 10:48 pm    Post subject: Reply with quote
OK, almost done now.

Question Did you install these items:
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe

O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe

Let me know please.

Arrow Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe

Arrow Reboot Post a new HJT log please.

We will work on prevention once your all cleaned up.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Fri Mar 18, 2005 12:03 am    Post subject: Reply with quote
No, I did not install those.

Heres log!

Logfile of HijackThis v1.99.1
Scan saved at 5:47:55 AM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Fri Mar 18, 2005 6:50 am    Post subject: Reply with quote
OK, we need to dig deeper here.

I need you to do is download the file from here:

Getservice

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Fri Mar 18, 2005 12:19 pm    Post subject: Reply with quote
TeMerc wrote:
OK, we need to dig deeper here.

I need you to do is download the file from here:

Getservice

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.



PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AntiVirService
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\AVPersonal\AVGUARD.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AntiVir Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7Alrt
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG7 Alert Manager Server
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7UpdSvc
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG7 Update Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AVWUpSrv
Helpservice of AntiVir Personal Edition.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\AVPersonal\AVWUPSRV.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AntiVir Update
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : Rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: IRoffer
IRoffer Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FireDaemon Service: IRoffer
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: ion
: Files=C:b
: 
: {
: 
: ˆ7
: ˆ7
: ges Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
:
: u
: n
: a
: v
: a
: i
: l
: a
: b
: l
: e
: .
:
: I
: f
:
: t
: h
: i
: s
:
: s
: e
: r
: v
: i
: c
: e
:
: i
: s
:
: d
: i
: s
: a
: b
: l
: e
: d
: ,
:
: a
: n
: y
:
: s
: e
: r
: v
: i
: c
: e
: s
:
: t
: h
: a
: t
:
: e
: x
: p
: l
: i
: c
: i
: t
: l
: y
:
: d
: e
: p
: e
: n
: d
:
: o
: n
:
: i
: t
:
: w
: i
: l
: l
:
: f
: a
: i
: l
:
: t
: o
:
: s
: t
: a
: r
: t
: .
:
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NPFMntor
Detects installation of Symantec Firewall clients
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Norton AntiVirus Firewall Monitor Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PersFw
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Kerio\Personal Firewall\persfw.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Kerio Personal Firewall
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ServU
ServU Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FireDaemon Service: ServU
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SNDSrvc
Symantec Network Drivers Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
LOAD_ORDER_GROUP : Symantec Services
TAG : 0
DISPLAY_NAME : Symantec Network Drivers Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TUWinStylerThemeSvc
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : TuneUp WinStyler Theme Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
: HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: w32time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 5 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
Back to top
View user's profile Send private message
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.
PostPosted: Fri Mar 18, 2005 10:04 pm    Post subject: Reply with quote
OK, this fix is going to invovle some registry hacks, and I do not know how to do them.

So, I am going to hand you over to Blender, she will carry the rest of the fix out for you.

Thanks for hanging in there, she will get you fixed up proper.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Fri Mar 18, 2005 10:55 pm    Post subject: Reply with quote
Okay, then I have some questions. (For either you or blender.)

ECA told me I have a cracked version of windows.

Quote:
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\t2r8lc9u1f.dll
SEE this... shows you have a CRACKED version of windows...
Dont know what happens if you erase it...So I wouldnt touch it...


What can I do about this?

And I deleted an alg.exe, I thought it was a type of worm from another topic from those forums, but I find out its an important piece for a firewall, how can I reinstall that piece? I use Kerio for a firewall.

And, last, any information on exes Aun_0010 and AppWrap?
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Sat Mar 19, 2005 6:51 am    Post subject: Reply with quote
Hi

To answer your questions...

Quote:
ECA told me I have a cracked version of windows.

Quote:

O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\t2r8lc9u1f.dll
SEE this... shows you have a CRACKED version of windows...
Dont know what happens if you erase it...So I wouldnt touch it...


What can I do about this?


That is part of vx2 (look2me trojan) TeMerc had you fix...Has nothing to do with wether or not your version of windows is cracked.
Are you still seeing those in your logs? (the O20 items)

If you want to know if your version of windows is legit I can post link to check or give you phone # to call. (free)

Who is this ECA guy anyway?...off some forum?

Aun_0010.exe....

Part of the active x control TeMerc had you remove.
From what i understand....more adware, likely cause popups.
You still getting warnings about that one?

AppWrap.exe....

Its a downloader....downloads more spyware/adware. Yes a security concern since it can and will download/install malware without your knowledge.
They still not showing up anymore?

alg.exe....yes it is a fairly important file.

Please dont delete files unless known for sure they are infected and not cleanable.
You could render your system unbootable if wrong file is deleted!
Some files are absolutely critical for system startup.

Info:

http://www.liutilities.com/products/wintaskspro/processlibrary/alg/

Used if you networked computers together and/or use Windows firewall.

Check the following folder for a copy of same file:

C:\Windows\ServicePackFiles\i386

In the i386 folder is a copy of alg.exe.
Copy it to your system32 folder, then reboot.
It should start up fine if windows thinks it needs to.

If you dont have that folder....let me know..I can email you a clean copy as I have same OS.

Now....on to removing your ftp server. (The services TeMerc asked you about).
Since you didn't install it....possible someone has or is planning on using your computer as an ftp server for warez....
Most Anti-trojan/Antivirus detect it as riskware. Whoever installed it can connect to it and download/upload files to/from your computer.
Some hackers like to do that to distribute pirated software.

I will need to see if there is anything else we will need to do after stopping/removing visible problem.

Can I get you to zip up this folder please?:
Preferably password protect it so my antivirus does not remove any files on me before I get chance to analyze whatever is there.

C:\windows\system32\Macromed <--this folder.

Send it here: (dont click the ads....they are junkware)

http://s20.yousendit.com/

Use the email address that is displayed when you mouse over the email button at bottom of my post.

There will likely be several bat, ini, reg files in there I need to look at.

It is most likely hidden folder.
How to "show all files":

http://www.bleepingcomputer.com/forums/tutorial62.html

thanks!

Once done that....Lets kill this thing.

Click start> run> type services.msc and hit enter.

Scroll down to:

FireDaemon Service: IRoffer

double click it to bring up properties, click stop.
Use pulldown arrow under "startup type" and set service to disabled

Do exactly the same with this service:

FireDaemon Service: ServU

Check your firewall settings that those services are denied internet access and server access.
If you have pro version of firewall or option for advanced rule creation is available....check the rules listing that there are none there to allow those services we just disabled.
That will keep the ports closed that use those service....nobody can connect to them now.
Check the rest of firewall settings that no other changes were made other than by yourself.
Likely best to re-install your firewall if a bunch of settings messed up.

Check settings of antivirus that nothing has changed other than set by yourself. (excluded files/folders for example)

Download the trial version of tds-3 anti trojan from here:

http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

Install it, but do not launch it yet

Update it: right click the link below, select "save as"

http://www.diamondcs.com.au/tds/radius.td3

Save it to the directory where you installed tds-3, overwriting the previous radius.td3.

Then launch tds-3. In the top bar of tds window click system testing> full system scan.
Detections will appear in the lower pane of tds window. After the scan is finished ( it'll take a while ) right click the list> select save as txt. Save it and post the contents of the scandump.txt here.

After posting the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Then reboot and post a fresh hijackthis log.

We still have some registry hacking to do but that *should get rid of the worst.

LMK if you have any problems with any of above.

Thank you.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sat Mar 19, 2005 1:41 pm    Post subject: Reply with quote
Alright. The O20 items are gone. Post the link, please. ECA is from this forum:

http://forums.designtechnica.com/forumdisplay.php?f=94

AVG hasn't said anything about the Aun viruses or the AppWrap ones, awesome.

I copied the alg exe into system32.

I zipped up Macromed, but I dunno how to make it password protected. But I still sent it, just in case.

I need to know how to add a rule to stop those services, heres a screenshot of Kerio's filter rule.

http://s20.yousendit.com/d.aspx?id=1G5ZBLJ2J9ZFO27KJJIQK1IY7M ( I never knew much about how exactly to use this.)

I don't think I should go further until I add that filter...
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Sat Mar 19, 2005 3:36 pm    Post subject: Reply with quote
Hi

Got the folder ok. Thanks.

Thanks for the link from other forum too....gives me more 'history' so to speak what else you were fighting before comming here.

If you were able to stop those services as instructed above ok Don't worry too much about trying to create rule to block it.
Once you get those service shut off...firewall won't have to fight it.
I wanted to make sure there was no rule there allowing it.
By default the firewall will block incoming attempted connections except for those specifically allowed by you or known to be SAFE by Kerio.
I never ran Kerio firewall so I dont know all the ins and outs of it. I use zone alarm.
Is there a programs control tab/section anywhere within the Kerio program? It would be in that section where program list would be.

Look thru the list and if Iroffer, ServU, FireDaemon, win32.exe programs are there....set them to always deny/block.

Go ahead and stop/disable those services and get that TDS scan done. That we need to do. (dont forget to save the log)

I wont be back till morning...I have to work tonight.

thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sun Mar 20, 2005 1:09 am    Post subject: Reply with quote
Okay. They aren't on the list, and Kerio will ask me if it comes back to allow not allow it, so no worries. Now to the scan.

...

Dammit. I just got the warnings for the Appwrap viruses again.

Heres the log.

Scan Control Dumped @ 06:37:43 20-03-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\johnathan cruz\desktop\firefox setup 1.0.1.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\johnathan cruz\desktop\installers\firefoxsetup-0.9.1.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\johnathan cruz\desktop\installers\firefoxsetup-1.9.1.exe

Positive identification: Adware.Zestyfind.a
File: c:\documents and settings\johnathan cruz\local settings\temp\temporary internet files\content.ie5\0jyjzerv\appwrap[2].exe

Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\documents and settings\johnathan cruz\local settings\temporary internet files\content.ie5\8iyd95re\upd200[1].exe

Positive identification: Adware.Look2Me.r
File: c:\documents and settings\johnathan cruz\local settings\temporary internet files\content.ie5\8iyd95re\upd200[1].exe

Positive identification: Adware.Zestyfind.a
File: c:\documents and settings\johnathan cruz\local settings\temporary internet files\content.ie5\t1mr4afu\appwrap[2].exe

Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\documents and settings\johnathan cruz\local settings\temporary internet files\content.ie5\t1mr4afu\installer[1].exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\johnathan cruz\my documents\download\thecdrive\cgoban-win32-2.6.8.exe

Suspicious Filename: Dual extensions
File: c:\program files\accessdiver\ad4.170.exe

Positive identification: Adware.LOP.s
File: c:\program files\c2media\setup.exe

Suspicious Filename: HTA file in suspicious location
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp257\a0040802.hta

Suspicious Filename: HTA file in suspicious location
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp272\a0042857.hta

Suspicious Filename: HTA file in suspicious location
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp276\a0043573.hta

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp289\a0047190.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp290\a0048145.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp314\a0050008.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp320\a0050468.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp321\a0050535.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp339\a0053488.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp344\a0054132.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp344\a0054133.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp344\a0054152.exe

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055158.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055194.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055203.dll

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055205.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055207.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055208.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp345\a0055214.dll

Positive identification: Adware.EZula.g1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055267.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055273.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055278.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055282.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055289.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055297.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055303.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055306.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055316.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055333.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055339.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp346\a0055348.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055524.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055530.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055538.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055547.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055573.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp347\a0055592.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055691.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055710.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055745.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055746.dll

Positive identification: Adware.WildTangent.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055758.exe

Positive identification: Adware.WildTangent.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055761.exe

Positive identification: Adware.WildTangent
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055762.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0055784.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056745.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056797.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056828.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056829.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056848.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056849.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056855.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056861.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp348\a0056862.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056942.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056951.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056962.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056968.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056975.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0056984.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0057065.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp349\a0057164.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp350\a0057215.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp350\a0057250.dll

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp350\a0057256.exe

Positive identification: Adware.Zestyfind.a
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp351\a0057342.exe

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058388.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058395.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058396.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058397.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058398.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058399.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058400.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058401.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058402.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058403.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058404.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058405.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058406.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058407.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058408.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058409.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058410.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058411.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058412.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058413.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058414.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058415.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058416.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058417.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058418.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058419.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058420.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058421.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058422.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058423.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058424.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058425.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058426.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058427.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058428.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058429.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058430.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058431.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058432.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058433.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058434.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058435.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058436.dll

Positive identification (DLL): Adware.Look2Me.ab (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp352\a0058437.dll

Positive identification: Adware.Zestyfind.a
File: c:\windows\iconu.exe

Positive identification: Adware.BargainBuddy.n4
File: c:\windows\system32\exdl1.exe

Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\windows\temp\installer.exe

Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\windows\temp\upd200.exe

Positive identification: Adware.Look2Me.r
File: c:\windows\temp\upd200.exe

Positive identification: TrojanDownloader.Win32.Adload.a
File: c:\windows\temp\icd10.tmp\installer_marketing11.exe

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:51:02 AM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Sun Mar 20, 2005 6:07 pm    Post subject: Reply with quote
Ok...Sorry for late reply....I didnt run off on ya...I had to work then sleeeeeep. Smile

Most of the detections are in temp folders and system restore.
Will be dealing with system restore last. None of the infected files in there can hurt you unless you actually use system restore to "go back". I dont like to disable that till all is well. If something goes really wrong better to restore to infected state than no computer.

TDS removed the Positive detections ok?

Most of those "suspicious filename" items look ok.

One I dont find much info on...
You know what this is?

c:\documents and settings\johnathan cruz\my documents\download\thecdrive\cgoban-win32-2.6.8.exe
Check properties of it and let me know.
If unknown Upload the file here:

http://virusscan.jotti.org/

Let them scan it. If positive results let me know what detection is.
Scan takes a few minuites cus 12 scanners are goin at it.

Cleanin up the rest....

Copy the following text inside the code box to a new notepad file, save as file name cleantemps.bat, as file types all files and save to convienant spot.

Code:
del c:\ *.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
del C:\documents and settings\*\local settings\temp\*.* /f
del c:\documents and settings\*\local settings\temporary internet files\*.* /f


Reboot to safe mode
Double click cleantemps.bat
Answer yes to each prompt by typing y and hitting enter at each one.
It will close itself when done.
That will clean out all your temporary files, temp internet files, and anything in prefetch folder. Any sites you 'log into' you will need to do so again cus we also just deleted your cookies.


Reboot to normal windows.

Lets get another cleanup app installed.

Download Ad-aware SE from here if you dont already have it.:

http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Install the app accepting the defaults BUT at last install screen UNcheck all 3 options.
Will need to update manually.

Once install is done...
Open ad-aware
Click the globe> connect> yes to install updates. (will need to allow access thru firewall)

Once updates are installed...
Disconnect from internet
Shut down antivirus to prevent conflicts.
In main ad-aware window click "start"
Uncheck "Search for neglagable risk entries"
Check "run full system scan"
Click "next" to start scan.

Go have sandwich or something...will take some time.

When scan is done, click "next"
Right click in results window> "select all"
Click "next" and OK to remove objects found.

Reboot

Run full scan a second time while offline AV disabled to ensure you are clean.
Reboot to finish.

Post new hijack log and let me know how things are running.
Let me know what Jotti say on that file.

TY Smile
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sun Mar 20, 2005 8:41 pm    Post subject: Reply with quote
Yeah, that cgoban exe is a type of boardgame, played online. My friend sent it to me, who got it from his friend, so I don't think theres nothing wrong with it, or one of us would've already detected it. I scanned it either way.

Quote:
File: cgoban-win32-2.6.8.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected:
-

AntiVir
No viruses found
Avast
No viruses found
AVG Antivirus
No viruses found
BitDefender
No viruses found
ClamAV
No viruses found
Dr.Web
No viruses found
F-Prot Antivirus
No viruses found
Fortinet
No viruses found
Kaspersky Anti-Virus
No viruses found
mks_vir
No viruses found
NOD32
No viruses found
Norman Virus Control
No viruses found


I deleted it, I don't need it anyway.

Is that bat going to delete My Documents?
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Mon Mar 21, 2005 11:46 pm    Post subject: Reply with quote
Hi

No that bat file will not touch "my documents" UNLESS....you have anything you purposely stored in any of the temp folders shown in that bat file.....look at the paths.
%windir% = windows
%temp% is: c:\Documents and settings\your name\local settings\temp
If you store stuff in those temp folders.....move the files or they will get deleted.

If you are looking in those folders there will be lots of setup files and stuff.....its fine to delete them. Many malwares like to hide there and many program installs leave lots of leftovers in there.
many installers are horrible at cleaning up after themselves when install is done.

The items in prefetch folder....any needed ones will be re-created by windows when you reboot.

I would never recommend storing anything in temp folders permanently since many cleaning utils target the temp folders and wipe out the contents. Should be done from time to time to help keep performance up.

Thanks for scannin that file....I had NO results when searching it....usually a red flag but not always.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Tue Mar 22, 2005 12:39 am    Post subject: Reply with quote
Okay, no I don't store stuff in those temp folders, but I read what directories it was cleaning out wrong. Hold on, I'll continue in a few minutes, or in the morning.

Alright, HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:22 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


But my computer has been kicking ass now, alg is running through task again, I've gotten no popups as of late, and the viruses have stopped, I can finally use my computer without dreading the irritating from those problems. Many thanks to you so far, but we're not completely out of this yet, I'm guessing.

The Appwrap viruses are still coming... ._.
Back to top
View user's profile Send private message
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sat Apr 02, 2005 9:56 am    Post subject: Reply with quote
Errr?
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Sun Apr 03, 2005 5:13 am    Post subject: Reply with quote
Hi

Sorry I missed ya... Embarassed

Lets go after these temp folders manually.

First reboot just in case your antivirus had update files stored there to affect update after reboot.

Once restarted....

Ensure you can "see all files":

http://www.bleepingcomputer.com/forums/tutorial62.html

Empty out entire conts of the following folders:

C:\windows\temp

C:\windows\prefetch

C:\documents and settings\Johnathan Cruz\local settings\temp

C:\Documents and settings\any other user name\local settings\temp

C:\Documents and settings\Any other user name\local settings\temporary internet files

Open internet options in control panel
Hit "delete files" and check to delete offline content, then OK.

Open java plug-in in control panel (if exist)
Click the "cache" tab
Click "clear" and OK to clean out cache folder.

Open Mozilla firefox
Click "tools"> options
Click "privacy" at left
Beside "cache" click the "clear" button, then OK at prompt if any.

Empty trash again.

One more place to clean out but I want to see fresh hijack log first.

Thanks!

ps. I'll try not to loose ya this time. Razz
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Sun Apr 03, 2005 12:50 pm    Post subject: Reply with quote
Thanks.

HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 4:51:00 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Sun Apr 03, 2005 4:06 pm    Post subject: Reply with quote
Hi

Current log looks good. Smile

If you did not use spybot to set this entry have hijack fix it:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

You can find and delete this folder:

C:\Windows\system32\macromed <--whole folder was built by the ftp server hack.

I need some registry info from you to remove the registry keys created by ServU and IRoffer.

Download Registry search tool from here:

http://www.billsway.com/vbspage/

Unzip it
Double click regsearch.vbs
Paste this into the search box:

ServU

Hit OK. It will dissapear for few minuites while it searches registry for that string.
Once done it will tell you and offer you to look at wordpad file.
Say yes, save the file somewhere you can find it (save as .txt) I will need info from it.

Do the same search fot this:

IRoffer

Post results of both logs please.

**Note** If AV warns you of possible dangerous script; please allow it to run. It is not dangerous. All it is doing is searching registry for info I ask and putting results to text file we can read.

thanks!

In preparation for the final cleanup, copy the contents of the code box to Notepad. Name the file
Import reg file with priv.vbs

Save as Type: All files

Create a new folder on the desktop and save it there. We are going to add another file in that same folder later.

Code:
'Written by Mosaic1

Dim T,H ,M ,colon,TimeDec
Dim fso ,CF ,Future , Location
Dim WshShell
Set WshShell = Wscript.CreateObject("Wscript.Shell")
set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Location = fso.GetFile("r.reg")



T = FormatDateTime(Time,4) 'Get the current time in hours and minutes




 colon = Instr(T,":") 'Break it up.
 H = Mid(T,1,colon -1 ) 'Get the hour
 M = Mid(T,colon + 1 ,(Len(T) - colon)) 'get the minute

 M = (M + 1) 'Reset the minute + 1
   IF M = "60" Then  'If the  minute is 60 then reset it to 00
     M = "00"
     H = H + 1   'And reset the hour value to add 1
   End IF

Future= H & ":" & M 
  If Future = "24:00" then Future = "00:00" 'Reset Midnight to 00:00


Set CF =fso.CreateTextFile("my.bat",true)
   CF.WriteLine "At" & Chr(32)  & Future & " " & " /Interactive regedit" & Chr(32) & Chr(34) &  Location  & Chr(34)    'set the task with system priviledges

CF.CLose

Wshshell.Run "my.bat",vbhidden ,true   

MsgBox "Wait for Registry Confirmation and then press Yes." & vbcrlf & "This may take a minute."  'Alert the User
fso.DeleteFile("my.bat")

_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Mon Apr 04, 2005 10:57 am    Post subject: Reply with quote
Where does that install to? And what am I supposed to do with that code in the end of your post?
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Mon Apr 04, 2005 7:10 pm    Post subject: Reply with quote
Rex

That regsearch.vbs does not 'install' anywhere. It is a standalone file. It will just search for the info I asked it to. (when you paste it in)
Do you still have the zipped up version of RegSearch?
If using XP's unzipper....
Right click RegSearch.zip
Hit "extract all"
Follow prompts by the wizzard...it should show path to file.

That code I posted....

You will need to copy it to a new notepad file and save it as Import reg file with priv.vbs. Make sure you save it as file types All Files or it wont work.
Save that vbs file to a new folder on the desktop.
Once you post the registry info I can build the regedit we need to remove those entries related to the services we need to remove.

Because of permission settings of some of the registry items we need to remove. That script is going to help us with that. Easier than hacking the registry items out manually.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Tue Apr 05, 2005 7:41 am    Post subject: Reply with quote
Ok, sorry about that.

ServU Results

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "ServU" 4/5/2005 11:38:05 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVU\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVU\0000]
"Service"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVU\0000]
"DeviceDesc"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU]
"DisplayName"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Parameters]
"ServiceExe"="C:\\WINDOWS\\System32\\Macromed\\servu\\ServUDaemon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\servu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Parameters]
"DisplayName"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Parameters]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU\Enum]
"0"="Root\\LEGACY_SERVU\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVU\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVU\0000]
"Service"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVU\0000]
"DeviceDesc"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU]
"DisplayName"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Parameters]
"ServiceExe"="C:\\WINDOWS\\System32\\Macromed\\servu\\ServUDaemon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\servu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Parameters]
"DisplayName"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Parameters]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVU\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVU\0000]
"Service"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVU\0000]
"DeviceDesc"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU]
"DisplayName"="FireDaemon Service: ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Parameters]
"ServiceExe"="C:\\WINDOWS\\System32\\Macromed\\servu\\ServUDaemon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\servu"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Parameters]
"DisplayName"="ServU"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Parameters]
"Description"="ServU Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU\Enum]
"0"="Root\\LEGACY_SERVU\\0000"


IRoffer Results

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "IRoffer" 4/5/2005 11:39:26 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IROFFER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IROFFER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IROFFER\0000]
"Service"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IROFFER\0000]
"DeviceDesc"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer]
"DisplayName"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\iroffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Parameters]
"DisplayName"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Parameters]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer\Enum]
"0"="Root\\LEGACY_IROFFER\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IROFFER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IROFFER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IROFFER\0000]
"Service"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IROFFER\0000]
"DeviceDesc"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer]
"DisplayName"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\iroffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer\Parameters]
"DisplayName"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer\Parameters]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IROFFER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IROFFER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IROFFER\0000]
"Service"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IROFFER\0000]
"DeviceDesc"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer]
"DisplayName"="FireDaemon Service: IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Parameters]
"ServiceWorkingDir"="C:\\WINDOWS\\System32\\Macromed\\iroffer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Parameters]
"DisplayName"="IRoffer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Parameters]
"Description"="IRoffer Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer\Enum]
"0"="Root\\LEGACY_IROFFER\\0000"
Back to top
View user's profile Send private message
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Tue Apr 05, 2005 12:59 pm    Post subject: Reply with quote
Hi

Ok...thanks for posting that.

You got the vbs file saved ok?

Give me a bit of time. I need to check with Mosaic1 on a couple entries.

thanks. Smile
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario
PostPosted: Wed Apr 06, 2005 5:08 am    Post subject: Reply with quote
Hi

Just got in from work. Smile

Got confirmation from Mosaic1 for this too.

Copy the contents of the code box to notepad.

Save in the same folder you created earlier for the script named
Import reg file with priv.vbs

Name it r.reg <--Important!
Save as Type:All files

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVU]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ServU]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IROFFER]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IRoffer]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\IRoffer]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IROFFER]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IRoffer]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\IRoffer]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IROFFER]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRoffer]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IRoffer]


If you have regedit open, close it.



Look at your clock in systray. When the minute turns over, double click on
Import reg file with priv.vbs

If you get a warning about a malicious script, please allow this to run. Mosaic1 wrote it. It is going to import a registry file (r.reg) under the auspices of the System Account to remove those registry entries.

When the message box appears, read it.

Let me know how that goes. Any errors. Sometimes scripts can point out problems you didn't know you had.

Run regsearch.vbs again and run a search on both ServU and IRoffer

Post results of both scans if any results please.

Also post new hijackthis log please.

thank you. Smile
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
Back to top
View user's profile Send private message Send e-mail
RexatorBirdo
Junior Member


Joined: 12 Mar 2005
Last Visit: 17 May 2006
Posts: 39
PostPosted: Wed Apr 06, 2005 6:21 am    Post subject: Reply with quote
Badass. Nothing found on IRoffer and ServU.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:22:14 AM, on 4/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\Installers\MSPAINT.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\Installers\MSPAINT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics All times are GMT - 8 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group