Problem removing this spyware in XP (borg)

Post by Borg7of9 » August 2nd, 2005, 12:20 pm

I am having trouble removing some spyware that brings popups, even when Internet Explorer is not open. I tried to clean the system and here is what I did. The system is Windows XP Pro. The system did not have any antispyware running, but was up to date with Norton Antivirus. Did a full virus scan as well.

Turned off System Restore

deleted all temp files, via properties, and then manually clearing out remaining, and deleted recycle bin

ran hijack just to see if I recognized the spyware from past cleans, did not.

User installed MSN toolbar, I removed it just so I could see what entries remained afterwards.

Installed and updated both Spybot search and destroy 1.4 and latest Adaware

Re-booted in safe mode

ran both programs, Spybot only showed 2 what I think harmless ad softwares, and adaware removed a few others, and I also ran the ad stream option, and cleaned that. ( automatically )

Then I ran CWShredder, reported clean, and then ABOUTBLASTER, also reported clean

In HiJack I tried to remove the g.msn lines, but they keep returning. I looked into C:\windows and C:\windows\system32 to see if I could identify any spyware files ( exe or dll ) and I could not. ( I may just not have been able to recognize them, as often just by date and weird name it's obvious )

So far I have been unable to remove the popups

they are often these sites
www219.paypopup.com
loadingwebsites.com
64.192.130.141
and some always ending *yyy65.html

I tried even adding these sites to restricted sites in explorer and that did not work.

So here is my final HIJACK log after all of this, as well as I printed a Tasks listing in case that helps!!

Cause I sure need HELP :)

I hope I have provided a detailed and good explanation of the situation, thanks to all who can help me!!!!!

HIJack Log

Logfile of HijackThis v1.99.1
Scan saved at 15:12:02, on 2005-08-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\A_tech\Hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0746904949
O17 - HKLM\System\CCS\Services\Tcpip\..\{80970B51-BA6A-41B0-8F85-E340EB0E8B01}: NameServer = 198.235.216.134,198.235.216.135
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\cItsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

Tasks List from Task manager
PsList 1.26 - Process Information Lister
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals - http://www.sysinternals.com

Process information for GARAGE1:

Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
Idle 0 0 1 0 0 0:06:20.984 0:00:00.000
System 4 8 50 236 0 0:00:04.671 0:00:00.000
smss 664 11 3 21 164 0:00:00.031 0:07:06.875
csrss 720 13 11 420 1596 0:00:04.328 0:07:05.328
winlogon 744 13 29 544 8848 0:00:01.906 0:07:05.062
services 788 9 19 293 1396 0:00:01.171 0:07:04.875
lsass 800 9 18 303 4980 0:00:00.437 0:07:04.859
svchost 972 8 8 252 1144 0:00:00.296 0:07:04.375
svchost 1020 8 63 1147 12996 0:00:02.312 0:07:04.312
svchost 1104 8 7 66 680 0:00:00.031 0:07:03.609
svchost 1120 8 15 170 3332 0:00:00.265 0:07:03.531
rundll32 1328 8 2 109 4412 0:00:00.078 0:07:02.359
CCSETMGR 1404 8 7 184 2432 0:00:00.187 0:07:02.156
CCEVTMGR 1432 8 23 262 2668 0:00:00.281 0:07:02.000
spoolsv 1592 8 14 145 3000 0:00:00.093 0:07:01.500
mdm 1836 8 5 98 2740 0:00:00.078 0:06:55.375
NAVAPSVC 1868 8 13 224 2636 0:00:02.234 0:06:55.312
CCAPP 576 8 22 340 7124 0:00:02.843 0:06:49.234
ctfmon 688 8 1 55 368 0:00:00.093 0:06:48.921
TeaTimer 716 4 3 78 7012 0:00:08.453 0:06:48.859
SAVSCAN 1260 8 7 63 14388 0:00:00.640 0:06:47.000
explorer 2256 8 14 443 18556 0:00:07.734 0:06:13.046
IEXPLORE 3500 8 13 425 11776 0:00:06.734 0:04:30.562
cmd 2616 8 1 21 1428 0:00:00.078 0:01:52.968
msmsgs 2768 8 12 279 13000 0:00:00.906 0:01:39.656
pslist 3796 13 2 72 684 0:00:00.093 0:00:00.109
Borg7of9
Active Member
 
Posts: 6
Joined: August 2nd, 2005, 11:36 am
Location: Quebec

Post by ChrisRLG » August 2nd, 2005, 3:43 pm

Being helped in chat room by atri (#NISupport)
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

l2mfix Log file

Post by Borg7of9 » August 3rd, 2005, 4:04 pm

Atri

Here is the log file, as you said, I only ran option 1 for now!

Thanks!!!! This was a long one!

:)
Borg

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\cItsrvut.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E65D091C-7CAC-6F5B-3CE3-36E249E7B91E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Â
Borg7of9
Active Member
 
Posts: 6
Joined: August 2nd, 2005, 11:36 am
Location: Quebec
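The Winlogon\Notify export in the log above stores several DllName values as hex(2) (UTF-16LE) data, which hides the DLL each subkey loads. The Python below is an added example, not part of the original thread or of l2mfix: it decodes such an export and cross-checks it against the HijackThis O20 line. The sample input is abridged from the logs posted above, and the "absolute path" check is a triage heuristic assumed for illustration, not a rule stated in the thread.

```python
import re

# Abridged sample built from the l2mfix and HijackThis logs posted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\cItsrvut.dll"
"Logon"="WinLogon"
'''
SAMPLE_HJT = r'O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\cItsrvut.dll'

NOTIFY_SUFFIX = r'\microsoft\windows nt\currentversion\winlogon\notify'


def _decode(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg strings escape backslashes and quotes with a backslash.
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):
        # REG_EXPAND_SZ: comma-separated bytes, UTF-16LE, NUL-terminated.
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}}."""
    # A trailing backslash continues a hex value on the next line.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = _decode(m.group(2))
    return keys


def notify_dlls(text):
    """Map each Winlogon\\Notify subkey to the DLL it loads."""
    out = {}
    for key, values in parse_reg(text).items():
        head, _, sub = key.rpartition('\\')
        if head.lower().endswith(NOTIFY_SUFFIX):
            for name, val in values.items():
                # The export uses both "DllName" and "DLLName".
                if name.lower() == 'dllname':
                    out[sub] = val
    return out


def parse_o20(hjt_text):
    """Map subkey -> DLL for HijackThis 'O20 - Winlogon Notify' lines."""
    pat = re.compile(r'^O20 - Winlogon Notify: (.+?) - (.+)$', re.M)
    return {m.group(1): m.group(2).strip() for m in pat.finditer(hjt_text)}


def triage(reg_text, hjt_text=''):
    """Return (subkey, dll, reasons) for entries worth a closer look."""
    o20 = parse_o20(hjt_text)
    findings = []
    for sub, dll in notify_dlls(reg_text).items():
        reasons = []
        # Heuristic (assumption): the other entries in the dump use bare names.
        if re.match(r'^[A-Za-z]:\\|^\\\\', dll):
            reasons.append('absolute path')
        if o20.get(sub, '').lower() == dll.lower():
            reasons.append('listed as O20 by HijackThis')
        if reasons:
            findings.append((sub, dll, reasons))
    return findings


if __name__ == '__main__':
    for sub, dll in notify_dlls(SAMPLE_REG).items():
        print(f'{sub:14} {dll}')
    for sub, dll, reasons in triage(SAMPLE_REG, SAMPLE_HJT):
        print(f'REVIEW {sub}: {dll} ({", ".join(reasons)})')
```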

Post by ChrisRLG » August 4th, 2005, 7:52 am

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

After the fix portion is done, please run the option to restore the winlogon defaults (menu option 4) as most of the notify key is missing. After you do that, post an option 1 log again.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

All Logs after running Option 2 fix

Post by Borg7of9 » August 5th, 2005, 11:11 am

Hello Atri, I ran all steps as per your instructions, everything executed fine so I didn't have to run the second.bat. Here are my logs

Need I say 1000 thanks!!! I really appreciate your help

1) Atri log after running Option 2 to fix
2) Atri log after running option 4
3) Atri log , new log file option 1
4) New log file from Hijack after running all above

1)
L2Mfix 1.03a

Running From:
C:\A_tech\Atri\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting up for Reboot


Starting Reboot!

C:\A_tech\Atri\l2mfix
System Rebooted!

Running From:
C:\A_tech\Atri\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 2040 'explorer.exe'
Killing PID 128 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1896 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Successfully Deleted: C:\WINDOWS\system32\wpssvc.dll
deleting: C:\WINDOWS\system32\wpssvc.dll
Successfully Deleted: C:\WINDOWS\system32\wpssvc.dll
deleting: C:\WINDOWS\system32\wU2topl.dll
Successfully Deleted: C:\WINDOWS\system32\wU2topl.dll
deleting: C:\WINDOWS\system32\wU2topl.dll
Successfully Deleted: C:\WINDOWS\system32\wU2topl.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: awtodisc.dll (188 bytes security) (deflated 48%)
adding: cItsrvut.dll (188 bytes security) (deflated 48%)
adding: dcnlobby.dll (188 bytes security) (deflated 48%)
adding: dssapi.dll (188 bytes security) (deflated 48%)
adding: dVdramp.dll (188 bytes security) (deflated 48%)
adding: dynaddr.dll (188 bytes security) (deflated 48%)
adding: ef.dll (188 bytes security) (deflated 48%)
adding: gii32.dll (188 bytes security) (deflated 48%)
adding: gyi32.dll (188 bytes security) (deflated 48%)
adding: hcetcfg.dll (188 bytes security) (deflated 48%)
adding: iBssam.dll (188 bytes security) (deflated 48%)
adding: iggutil.dll (188 bytes security) (deflated 48%)
adding: iiagehlp.dll (188 bytes security) (deflated 48%)
adding: ipmp.dll (188 bytes security) (deflated 48%)
adding: iyetpp.dll (188 bytes security) (deflated 48%)
adding: izwphbk.dll (188 bytes security) (deflated 48%)
adding: khdir.dll (188 bytes security) (deflated 48%)
adding: khdla.dll (188 bytes security) (deflated 48%)
adding: krdfi.dll (188 bytes security) (deflated 48%)
adding: krdhela3.dll (188 bytes security) (deflated 48%)
adding: ktdpo.dll (188 bytes security) (deflated 48%)
adding: kwdur.dll (188 bytes security) (deflated 48%)
adding: kzdda.dll (188 bytes security) (deflated 48%)
adding: kzdhe220.dll (188 bytes security) (deflated 48%)
adding: llghours.dll (188 bytes security) (deflated 48%)
adding: maidntld.dll (188 bytes security) (deflated 48%)
adding: mefutil.dll (188 bytes security) (deflated 48%)
adding: mjwebdvd.dll (188 bytes security) (deflated 48%)
adding: MLC42FRA.DLL (188 bytes security) (deflated 48%)
adding: mlmtapi.dll (188 bytes security) (deflated 48%)
adding: mordim.dll (188 bytes security) (deflated 48%)
adding: mqihnd.dll (188 bytes security) (deflated 48%)
adding: mvdemui.dll (188 bytes security) (deflated 48%)
adding: mxjava.dll (188 bytes security) (deflated 48%)
adding: mxls31.dll (188 bytes security) (deflated 48%)
adding: nodll.dll (188 bytes security) (deflated 48%)
adding: nylanman.dll (188 bytes security) (deflated 48%)
adding: olcache.dll (188 bytes security) (deflated 48%)
adding: oxbc16gt.dll (188 bytes security) (deflated 48%)
adding: rycrt4.dll (188 bytes security) (deflated 48%)
adding: sindcmsg.dll (188 bytes security) (deflated 48%)
adding: snrrnfr.dll (188 bytes security) (deflated 48%)
adding: sqe.dll (188 bytes security) (deflated 48%)
adding: ssesrv.dll (188 bytes security) (deflated 48%)
adding: urildll.dll (188 bytes security) (deflated 48%)
adding: VMAME.DLL (188 bytes security) (deflated 48%)
adding: VZAME.DLL (188 bytes security) (deflated 48%)
adding: wpssvc.dll (188 bytes security) (deflated 48%)
adding: wU2topl.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 58%)
adding: echo.reg (188 bytes security) (deflated 6%)
adding: direct.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 92%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: report.txt (188 bytes security) (deflated 70%)
adding: test.txt (188 bytes security) (deflated 91%)
adding: test2.txt (188 bytes security) (deflated 39%)
adding: test3.txt (188 bytes security) (deflated 39%)
adding: test5.txt (188 bytes security) (deflated 39%)
adding: xfind.txt (188 bytes security) (deflated 89%)
adding: backregs/26280960-30F2-418F-BDC4-BAF381F739D9.reg (188 bytes security) (deflated 70%)
adding: backregs/29B39225-3D60-42F0-B5A6-5FC747629DEC.reg (188 bytes security) (deflated 70%)
adding: backregs/8E8F7DBA-7F12-44F0-85B2-CCE5907967C6.reg (188 bytes security) (deflated 69%)
adding: backregs/B337F996-CC6C-4BF3-9604-88D1E6F10881.reg (188 bytes security) (deflated 70%)
adding: backregs/B463C6DC-2734-4698-B254-4C44E629F788.reg (188 bytes security) (deflated 70%)
adding: backregs/D9012718-0F3C-4AEA-BFB1-C0E144523E36.reg (188 bytes security) (deflated 70%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: awtodisc.dll
deleting local copy: awtodisc.dll
deleting local copy: cItsrvut.dll
deleting local copy: cItsrvut.dll
deleting local copy: dcnlobby.dll
deleting local copy: dcnlobby.dll
deleting local copy: dssapi.dll
deleting local copy: dssapi.dll
deleting local copy: dVdramp.dll
deleting local copy: dVdramp.dll
deleting local copy: dynaddr.dll
deleting local copy: dynaddr.dll
deleting local copy: ef.dll
deleting local copy: ef.dll
deleting local copy: gii32.dll
deleting local copy: gii32.dll
deleting local copy: gyi32.dll
deleting local copy: gyi32.dll
deleting local copy: hcetcfg.dll
deleting local copy: hcetcfg.dll
deleting local copy: iBssam.dll
deleting local copy: iBssam.dll
deleting local copy: iggutil.dll
deleting local copy: iggutil.dll
deleting local copy: iiagehlp.dll
deleting local copy: iiagehlp.dll
deleting local copy: ipmp.dll
deleting local copy: ipmp.dll
deleting local copy: iyetpp.dll
deleting local copy: iyetpp.dll
deleting local copy: izwphbk.dll
deleting local copy: izwphbk.dll
deleting local copy: khdir.dll
deleting local copy: khdir.dll
deleting local copy: khdla.dll
deleting local copy: khdla.dll
deleting local copy: krdfi.dll
deleting local copy: krdfi.dll
deleting local copy: krdhela3.dll
deleting local copy: krdhela3.dll
deleting local copy: ktdpo.dll
deleting local copy: ktdpo.dll
deleting local copy: kwdur.dll
deleting local copy: kwdur.dll
deleting local copy: kzdda.dll
deleting local copy: kzdda.dll
deleting local copy: kzdhe220.dll
deleting local copy: kzdhe220.dll
deleting local copy: llghours.dll
deleting local copy: llghours.dll
deleting local copy: maidntld.dll
deleting local copy: maidntld.dll
deleting local copy: mefutil.dll
deleting local copy: mefutil.dll
deleting local copy: mjwebdvd.dll
deleting local copy: mjwebdvd.dll
deleting local copy: MLC42FRA.DLL
deleting local copy: MLC42FRA.DLL
deleting local copy: mlmtapi.dll
deleting local copy: mlmtapi.dll
deleting local copy: mordim.dll
deleting local copy: mordim.dll
deleting local copy: mqihnd.dll
deleting local copy: mqihnd.dll
deleting local copy: mvdemui.dll
deleting local copy: mvdemui.dll
deleting local copy: mxjava.dll
deleting local copy: mxjava.dll
deleting local copy: mxls31.dll
deleting local copy: mxls31.dll
deleting local copy: nodll.dll
deleting local copy: nodll.dll
deleting local copy: nylanman.dll
deleting local copy: nylanman.dll
deleting local copy: olcache.dll
deleting local copy: olcache.dll
deleting local copy: oxbc16gt.dll
deleting local copy: oxbc16gt.dll
deleting local copy: rycrt4.dll
deleting local copy: rycrt4.dll
deleting local copy: sindcmsg.dll
deleting local copy: sindcmsg.dll
deleting local copy: snrrnfr.dll
deleting local copy: snrrnfr.dll
deleting local copy: sqe.dll
deleting local copy: sqe.dll
deleting local copy: ssesrv.dll
deleting local copy: ssesrv.dll
deleting local copy: urildll.dll
deleting local copy: urildll.dll
deleting local copy: VMAME.DLL
deleting local copy: VMAME.DLL
deleting local copy: VZAME.DLL
deleting local copy: VZAME.DLL
deleting local copy: wpssvc.dll
deleting local copy: wpssvc.dll
deleting local copy: wU2topl.dll
deleting local copy: wU2topl.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\awtodisc.dll
C:\WINDOWS\system32\awtodisc.dll
C:\WINDOWS\system32\cItsrvut.dll
C:\WINDOWS\system32\cItsrvut.dll
C:\WINDOWS\system32\dcnlobby.dll
C:\WINDOWS\system32\dcnlobby.dll
C:\WINDOWS\system32\dssapi.dll
C:\WINDOWS\system32\dssapi.dll
C:\WINDOWS\system32\dVdramp.dll
C:\WINDOWS\system32\dVdramp.dll
C:\WINDOWS\system32\dynaddr.dll
C:\WINDOWS\system32\dynaddr.dll
C:\WINDOWS\system32\ef.dll
C:\WINDOWS\system32\ef.dll
C:\WINDOWS\system32\gii32.dll
C:\WINDOWS\system32\gii32.dll
C:\WINDOWS\system32\gyi32.dll
C:\WINDOWS\system32\gyi32.dll
C:\WINDOWS\system32\hcetcfg.dll
C:\WINDOWS\system32\hcetcfg.dll
C:\WINDOWS\system32\iBssam.dll
C:\WINDOWS\system32\iBssam.dll
C:\WINDOWS\system32\iggutil.dll
C:\WINDOWS\system32\iggutil.dll
C:\WINDOWS\system32\iiagehlp.dll
C:\WINDOWS\system32\iiagehlp.dll
C:\WINDOWS\system32\ipmp.dll
C:\WINDOWS\system32\ipmp.dll
C:\WINDOWS\system32\iyetpp.dll
C:\WINDOWS\system32\iyetpp.dll
C:\WINDOWS\system32\izwphbk.dll
C:\WINDOWS\system32\izwphbk.dll
C:\WINDOWS\system32\khdir.dll
C:\WINDOWS\system32\khdir.dll
C:\WINDOWS\system32\khdla.dll
C:\WINDOWS\system32\khdla.dll
C:\WINDOWS\system32\krdfi.dll
C:\WINDOWS\system32\krdfi.dll
C:\WINDOWS\system32\krdhela3.dll
C:\WINDOWS\system32\krdhela3.dll
C:\WINDOWS\system32\ktdpo.dll
C:\WINDOWS\system32\ktdpo.dll
C:\WINDOWS\system32\kwdur.dll
C:\WINDOWS\system32\kwdur.dll
C:\WINDOWS\system32\kzdda.dll
C:\WINDOWS\system32\kzdda.dll
C:\WINDOWS\system32\kzdhe220.dll
C:\WINDOWS\system32\kzdhe220.dll
C:\WINDOWS\system32\llghours.dll
C:\WINDOWS\system32\llghours.dll
C:\WINDOWS\system32\maidntld.dll
C:\WINDOWS\system32\maidntld.dll
C:\WINDOWS\system32\mefutil.dll
C:\WINDOWS\system32\mefutil.dll
C:\WINDOWS\system32\mjwebdvd.dll
C:\WINDOWS\system32\mjwebdvd.dll
C:\WINDOWS\system32\MLC42FRA.DLL
C:\WINDOWS\system32\MLC42FRA.DLL
C:\WINDOWS\system32\mlmtapi.dll
C:\WINDOWS\system32\mlmtapi.dll
C:\WINDOWS\system32\mordim.dll
C:\WINDOWS\system32\mordim.dll
C:\WINDOWS\system32\mqihnd.dll
C:\WINDOWS\system32\mqihnd.dll
C:\WINDOWS\system32\mvdemui.dll
C:\WINDOWS\system32\mvdemui.dll
C:\WINDOWS\system32\mxjava.dll
C:\WINDOWS\system32\mxjava.dll
C:\WINDOWS\system32\mxls31.dll
C:\WINDOWS\system32\mxls31.dll
C:\WINDOWS\system32\nodll.dll
C:\WINDOWS\system32\nodll.dll
C:\WINDOWS\system32\nylanman.dll
C:\WINDOWS\system32\nylanman.dll
C:\WINDOWS\system32\olcache.dll
C:\WINDOWS\system32\olcache.dll
C:\WINDOWS\system32\oxbc16gt.dll
C:\WINDOWS\system32\oxbc16gt.dll
C:\WINDOWS\system32\rycrt4.dll
C:\WINDOWS\system32\rycrt4.dll
C:\WINDOWS\system32\sindcmsg.dll
C:\WINDOWS\system32\sindcmsg.dll
C:\WINDOWS\system32\snrrnfr.dll
C:\WINDOWS\system32\snrrnfr.dll
C:\WINDOWS\system32\sqe.dll
C:\WINDOWS\system32\sqe.dll
C:\WINDOWS\system32\ssesrv.dll
C:\WINDOWS\system32\ssesrv.dll
C:\WINDOWS\system32\urildll.dll
C:\WINDOWS\system32\urildll.dll
C:\WINDOWS\system32\VMAME.DLL
C:\WINDOWS\system32\VMAME.DLL
C:\WINDOWS\system32\VZAME.DLL
C:\WINDOWS\system32\VZAME.DLL
C:\WINDOWS\system32\wpssvc.dll
C:\WINDOWS\system32\wpssvc.dll
C:\WINDOWS\system32\wU2topl.dll
C:\WINDOWS\system32\wU2topl.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D9012718-0F3C-4AEA-BFB1-C0E144523E36}"=-
"{29B39225-3D60-42F0-B5A6-5FC747629DEC}"=-
"{B337F996-CC6C-4BF3-9604-88D1E6F10881}"=-
"{8E8F7DBA-7F12-44F0-85B2-CCE5907967C6}"=-
"{B463C6DC-2734-4698-B254-4C44E629F788}"=-
"{26280960-30F2-418F-BDC4-BAF381F739D9}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D9012718-0F3C-4AEA-BFB1-C0E144523E36}]
[-HKEY_CLASSES_ROOT\CLSID\{29B39225-3D60-42F0-B5A6-5FC747629DEC}]
[-HKEY_CLASSES_ROOT\CLSID\{B337F996-CC6C-4BF3-9604-88D1E6F10881}]
[-HKEY_CLASSES_ROOT\CLSID\{8E8F7DBA-7F12-44F0-85B2-CCE5907967C6}]
[-HKEY_CLASSES_ROOT\CLSID\{B463C6DC-2734-4698-B254-4C44E629F788}]
[-HKEY_CLASSES_ROOT\CLSID\{26280960-30F2-418F-BDC4-BAF381F739D9}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


2

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

3

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Â
Borg7of9

Unread postby ChrisRLG » August 5th, 2005, 11:40 am

Looks Good - BTW I am ChrisRLG, Atri was unable to assist at the time you posted back so I took over.

=============

All the malware looks like it is gone :)

The R0/R1 lines may not be what you require (your home page and search page), so IF THEY ARE not, fix them below with the other lines, which look as though they are just orphaned entries.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O23 - Service: SAVScan -


Click on Fix Checked when finished and exit HijackThis.

To get your home page of choice use IE to get to your page and select from the menu, tool, internet option, set to current.

One thing you should check is if the recycle bin is working correctly - if not post back for some more instructions.

===================

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

May your God go with you..
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
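
The six Internet-zone changes in step 2 of the checklist above can be checked against a registry export instead of clicking through the dialog. The following is an added example, not part of the original post: it assumes the standard URL-action IDs and data values that Internet Explorer stores under `Internet Settings\Zones\3` (0 = Enable, 1 = Prompt, 3 = Disable), and the export fragment is constructed sample input.

```python
import re

# Recommended Internet-zone values from the checklist above.
# Assumption (not from the post): these are the standard URL-action IDs,
# with data values 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialise and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}
LABELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample: fragment of a .reg export of the Internet zone (zone 3).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
'''

DWORD = re.compile(r'^"(?P<id>[0-9A-Fa-f]{4})"=dword:(?P<val>[0-9A-Fa-f]{8})$')

def parse_zone_export(text):
    """Map action ID -> integer value for every dword line in the export."""
    values = {}
    for line in text.splitlines():
        m = DWORD.match(line.strip())
        if m:
            values[m.group("id").upper()] = int(m.group("val"), 16)
    return values

def audit_zone(text):
    """Return (id, setting name, found, wanted) for each deviation."""
    found = parse_zone_export(text)
    findings = []
    for action, (wanted, name) in RECOMMENDED.items():
        have = found.get(action)  # None: value absent from the export
        if have != wanted:
            findings.append((action, name, LABELS.get(have, "missing/other"), LABELS[wanted]))
    return findings

if __name__ == "__main__":
    for action, name, have, wanted in audit_zone(SAMPLE_EXPORT):
        print(f"{action} {name}: found {have}, checklist says {wanted}")
```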

Not out of the woods just yet!

Unread postby Borg7of9 » August 9th, 2005, 12:11 am

Hi there

Ok, it appears the pop-ups are gone, however a few problems remain. As you mentioned, there is a problem with the recycle bin: there was one item there (a string of letters and numbers) and I cannot empty the bin.

Second, I removed the items in Hijack as you said, however every time I re-boot, teatimer on boot up keeps advising me that it is deleting these entries again. When I check they are not there, but I am wondering if this means something is trying to add them back again.

I will post the latest HIJACK log so you can see, but when I try and delete this line, it keeps re-appearing on a re-boot.

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

I also adjusted Internet Explorer settings as per your default post, and I have one small question: when going to safe sites, like Microsoft or Hotmail, I keep getting dialog boxes asking, yes or no, to ActiveX scripts. As it's happening often, is there any way to add sites to a safe list, as the dialog box comes up almost as often as popups? Just curious.

Thanks!! :)

Here is Last Hijack Log from today

Logfile of HijackThis v1.99.1
Scan saved at 10:37:26, on 2005-08-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\A_tech\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0746904949
O17 - HKLM\System\CCS\Services\Tcpip\..\{80970B51-BA6A-41B0-8F85-E340EB0E8B01}: NameServer = 198.235.216.134,198.235.216.135
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
Borg7of9
Active Member
 
Posts: 6
Joined: August 2nd, 2005, 11:36 am
Location: Quebec

Unread postby ChrisRLG » August 9th, 2005, 4:06 am

Unless you do have something hidden that is reinstalling those lines, very unlikely as the lines in question are not related to known BAD malware, just slightly bad, I think this is teatimer doing its thing, and has happened before.

My suggestion is to reset teatimer so that it can restart with a known good status. One method would be to uninstall and reinstall the program and is the method I usually advise.

While uninstalled use HJT to remove the R0/R1 lines and that orphaned O2.

Post back with a new HJT log when done.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
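
The "orphaned O2" referred to in the reply above is the BHO line whose target reads `(no file)`: the registry entry is still there but the DLL it pointed to is gone. The following is an added example, not part of the original thread, showing how such entries can be picked out of a HijackThis log; the sample lines are copied from the log posted earlier in this thread, and the function names are illustrative.

```python
import re

# Lines copied from the HijackThis log posted above (O2 = Browser Helper Objects).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path or (no file)>"; O3 toolbars share the shape.
ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

def parse_com_entries(log_text):
    """Return one dict per O2/O3 line; all other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            # HijackThis prints "(no file)" when the registered DLL is missing.
            e["orphaned"] = e["target"].strip().lower() == "(no file)"
            entries.append(e)
    return entries

def orphaned_clsids(log_text):
    """CLSIDs whose registry entry survives but whose file is gone."""
    return [e["clsid"] for e in parse_com_entries(log_text) if e["orphaned"]]

if __name__ == "__main__":
    for e in parse_com_entries(SAMPLE_LOG):
        status = "ORPHANED" if e["orphaned"] else "ok"
        print(f'{e["section"]} {e["clsid"]} {status:9} {e["target"]}')
```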

Recycle Bin

Unread postby Borg7of9 » August 9th, 2005, 9:41 pm

Hi Chris,

Yes I thought the same as you about those entries, just thought I could have been missing something.

What about the recycle bin, you mentioned it may not work, and sure enough I can not empty it.

:)

Thanks
Borg7of9
Active Member
 
Posts: 6
Joined: August 2nd, 2005, 11:36 am
Location: Quebec

Unread postby ChrisRLG » August 10th, 2005, 9:22 am

I know I have a link somewhere to a restore script for the recycle bin, can't find it anywhere.

Did find this which will probably do the same job.
http://www.dougknox.com/xp/scripts_desc/rec_bin.htm

Download to your desktop, then double-click - it will ask if you are sure about merging with the registry - confirm.

Then reboot and try your recycle bin again.

Post back with a new HJT log when you have done that.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Recycle Bin

Unread postby Borg7of9 » August 12th, 2005, 5:51 pm

Thanks Chris, I looked at the link, not sure it's exactly my problem as it says it restores the desktop icon, so it didn't exactly detail my problem. I think I will leave it for now, so we can close this out. I kept the link, and I will keep reading here, and see if there are other links for the exact problem. (Unless you think it's safe to run this one and try anyway.) The main thing is I have the system running again!! :)

Thanks for all your help!!!

:)
Borg
Borg7of9
Active Member
 
Posts: 6
Joined: August 2nd, 2005, 11:36 am
Location: Quebec

Unread postby ChrisRLG » August 16th, 2005, 6:09 pm

Nellie2 - another teacher reminded me of this link

http://www.kellys-korner-xp.com/xp_tweaks.htm

And this post on it.

http://www.kellys-korner-xp.com/regs_ed ... clebin.reg
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Nellie2 » August 29th, 2005, 3:47 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK