bluzdude

February 23, 2005

new log:

L2Mfix 1.02b

Running From:

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Read BUILTIN\Power Users

(ID-IO) ALLOW Read BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"

- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Read BUILTIN\Power Users

(ID-IO) ALLOW Read BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Desktop\l2mfix

System Rebooted!

Running From:

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 1788 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 724 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\g240lchm1f4a.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\gpp0l37m1.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\ifv6mon.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\k026lafs1d26.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\mxxclu.dll

1 file(s) copied.

Backing Up: C:\WINDOWS\system32\rznd.dll

1 file(s) copied.

deleting: C:\WINDOWS\system32\g240lchm1f4a.dll

Successfully Deleted: C:\WINDOWS\system32\g240lchm1f4a.dll

deleting: C:\WINDOWS\system32\gpp0l37m1.dll

Successfully Deleted: C:\WINDOWS\system32\gpp0l37m1.dll

deleting: C:\WINDOWS\system32\ifv6mon.dll

Successfully Deleted: C:\WINDOWS\system32\ifv6mon.dll

deleting: C:\WINDOWS\system32\k026lafs1d26.dll

Successfully Deleted: C:\WINDOWS\system32\k026lafs1d26.dll

deleting: C:\WINDOWS\system32\mxxclu.dll

Successfully Deleted: C:\WINDOWS\system32\mxxclu.dll

deleting: C:\WINDOWS\system32\rznd.dll

Successfully Deleted: C:\WINDOWS\system32\rznd.dll

Desktop.ini sucessfully removed

Zipping up files for submission:

adding: g240lchm1f4a.dll (140 bytes security) (deflated 4%)

adding: gpp0l37m1.dll (140 bytes security) (deflated 4%)

adding: ifv6mon.dll (140 bytes security) (deflated 5%)

adding: k026lafs1d26.dll (140 bytes security) (deflated 4%)

adding: mxxclu.dll (140 bytes security) (deflated 5%)

adding: rznd.dll (140 bytes security) (deflated 5%)

adding: clear.reg (140 bytes security) (deflated 23%)

adding: echo.reg (140 bytes security) (deflated 9%)

adding: desktop.ini (140 bytes security) (deflated 15%)

adding: direct.txt (140 bytes security) (stored 0%)

adding: lo2.txt (140 bytes security) (deflated 77%)

adding: readme.txt (140 bytes security) (deflated 49%)

adding: report.txt (140 bytes security) (deflated 64%)

adding: test.txt (140 bytes security) (deflated 63%)

adding: test2.txt (140 bytes security) (stored 0%)

adding: test3.txt (140 bytes security) (stored 0%)

adding: test5.txt (140 bytes security) (stored 0%)

adding: xfind.txt (140 bytes security) (deflated 57%)

adding: backregs/5A48A885-4B6F-44C4-B50A-565B0979E8E6.reg (140 bytes security) (deflated 70%)

adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Read BUILTIN\Power Users

(ID-IO) ALLOW Read BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: g240lchm1f4a.dll

deleting local copy: gpp0l37m1.dll

deleting local copy: ifv6mon.dll

deleting local copy: k026lafs1d26.dll

deleting local copy: mxxclu.dll

deleting local copy: rznd.dll

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\g240lchm1f4a.dll

C:\WINDOWS\system32\gpp0l37m1.dll

C:\WINDOWS\system32\ifv6mon.dll

C:\WINDOWS\system32\k026lafs1d26.dll

C:\WINDOWS\system32\mxxclu.dll

C:\WINDOWS\system32\rznd.dll

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{5A48A885-4B6F-44C4-B50A-565B0979E8E6}"=-

[-HKEY_CLASSES_ROOT\CLSID\{5A48A885-4B6F-44C4-B50A-565B0979E8E6}]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{845F8E8D-5273-4D20-856A-8C016C7CE8A8}"=-

****************************************************************************

Desktop.ini Contents:

****************************************************************************

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

****************************************************************************

February 23, 2005

Ok, here it is:

L2MFIX find log 1.02b

These are the registry keys present

********************************************************************************

**

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\ktr6l79s1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

********************************************************************************

**

useragent:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{845F8E8D-5273-4D20-856A-8C016C7CE8A8}"=""

********************************************************************************

**

Shell Extension key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"

"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"

"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

"{5A48A885-4B6F-44C4-B50A-565B0979E8E6}"=""

"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"

********************************************************************************

**

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5A48A885-4B6F-44C4-B50A-565B0979E8E6}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{5A48A885-4B6F-44C4-B50A-565B0979E8E6}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{5A48A885-4B6F-44C4-B50A-565B0979E8E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{5A48A885-4B6F-44C4-B50A-565B0979E8E6}\InprocServer32]

@="C:\\WINDOWS\\system32\\MIPI.DLL"

"ThreadingModel"="Apartment"

********************************************************************************

**

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\

akcore.dll Wed Feb 23 2005 2:39:02a A.... 188,416 184.00 K

aklsp.dll Wed Feb 23 2005 2:39:06a A.... 196,608 192.00 K

akrules.dll Wed Feb 23 2005 2:39:04a A.... 110,592 108.00 K

akupd.dll Wed Feb 23 2005 2:38:56a A.... 155,648 152.00 K

cpicuc.dll Wed Feb 23 2005 3:43:36a A.... 5,632 5.50 K

docore.dll Wed Feb 23 2005 4:00:56a A.... 151,552 148.00 K

dolsp.dll Wed Feb 23 2005 4:00:58a A.... 139,264 136.00 K

dosync.dll Wed Feb 23 2005 4:00:52a A.... 114,688 112.00 K

easepe.dll Wed Feb 23 2005 3:43:36a A.... 24,576 24.00 K

g240lc~1.dll Wed Feb 23 2005 3:30:30a ..S.R 228,721 223.36 K

gpp0l3~1.dll Wed Feb 23 2005 3:47:42a ..S.R 228,736 223.38 K

ktr6l7~1.dll Wed Feb 23 2005 2:57:44a ..S.R 231,433 226.01 K

mipi.dll Wed Feb 23 2005 3:47:42a ..S.R 231,433 226.01 K

rznd.dll Wed Feb 23 2005 2:32:50a A.... 229,736 224.35 K

sporder.dll Wed Feb 23 2005 2:39:04a A.... 8,464 8.27 K

15 items found: 15 files (4 H/S), 0 directories.

Total of file sizes: 2,245,499 bytes 2.14 M

Locate .tmp files:

No matches found.

********************************************************************************

**

Directory Listing of system files:

Volume in drive C is Local Disk

Volume Serial Number is 08E3-1D19

Directory of C:\WINDOWS\System32

02/23/2005 03:47 AM 231,433 MIPI.DLL

02/23/2005 03:47 AM 228,736 gpp0l37m1.dll

02/23/2005 03:30 AM 228,721 g240lchm1f4a.dll

02/23/2005 03:17 AM <DIR> dllcache

02/23/2005 02:57 AM 231,433 ktr6l79s1.dll

02/08/2005 08:34 AM 417,792 m?hta.exe

07/17/2004 08:29 PM 0 mcc.exe

07/17/2004 08:29 PM 0 d2kpax.exe

07/17/2004 08:29 PM 0 winproc32.exe

07/17/2004 08:29 PM 0 d2kpax.dll

07/17/2004 08:29 PM 0 jac.dll

07/17/2004 08:29 PM 0 bridge.dll

07/17/2004 08:29 PM 0 a.exe

07/17/2004 08:29 PM 0 msxslab.dll

08/21/2003 01:02 PM <DIR> Microsoft

13 File(s) 1,338,115 bytes

2 Dir(s) 66,235,170,816 bytes free

February 23, 2005

Well, it's been several minutes now and nothing is happening. No NotePad.

February 23, 2005

Logfile of HijackThis v1.98.2

Scan saved at 4:30:57 AM, on 2/23/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\SYSTEM32\3cshtdwn.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\WINDOWS\System32\vmss\vmss.exe

C:\WINDOWS\System32\wkqwuw.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\WINDOWS\FSScrCtl.exe

C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe

C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HiJackThis\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

November 24, 2004

Sorry I took so long to reply. My comp is working fine again. Thanks for your assistance Rock!

Bluz

November 23, 2004

Ok, I had to do a Ctrl/Alt/Del and End Process because the MSNSGSVC.exe application was running in the background. Repeated the scan/reboot/deletions and here is the latest HJT scan (it appears I'm clean now):

Logfile of HijackThis v1.98.2

Scan saved at 10:12:02 PM, on 11/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\DIGStream\digstream.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\SYSTEM32\3cshtdwn.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\WINDOWS\FSScrCtl.exe

C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe

C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\HiJackThis\hijackthis\HijackThis.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

November 23, 2004

accomplished all except the deletion of:

O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

get a message that says: "Can't delete MSNSGSVC: Access denied"

Here's the new log (it all came back after reboot, as you can see):

Logfile of HijackThis v1.98.2

Scan saved at 8:08:14 PM, on 11/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\DIGStream\digstream.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\SYSTEM32\3cshtdwn.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\WINDOWS\FSScrCtl.exe

C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)

O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

November 23, 2004

HJT version 1.98.2 log:

Logfile of HijackThis v1.98.2

Scan saved at 7:17:16 PM, on 11/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\DIGStream\digstream.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\SYSTEM32\3cshtdwn.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\WINDOWS\FSScrCtl.exe

C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe

C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MSN Messenger\msnmsgr.exe