Fabri, posted March 1, 2005:

Hi,
I keep getting messages from my firewall such as "[application] wants to send UDP datagram to..." or "someone wants to connect to port... owned by Internet Explorer". I've run AdAware and sought advice from DiamondCS Support. They only found one suspicious file that turned out to be clean (nothing suspicious from my startups).
Any advice? Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 08:29:54, on 01/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fabrice\Mes documents\Ad aware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
Dragon, posted March 1, 2005:

You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Fabri, posted March 2, 2005 (thread author):

Hi,
The contents of the log are as follows:

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
(long list of approved shell-extension CLSIDs and their display names omitted)

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
  pncrt.dll     Tue 7 Dec 2004 9:59:28  A....  278 528  272,00 K
  pndx5016.dll  Tue 7 Dec 2004 9:59:32  A....    6 656    6,50 K
  pndx5032.dll  Tue 7 Dec 2004 9:59:32  A....    5 632    5,50 K
  rmoc3260.dll  Tue 7 Dec 2004 9:59:44  A....  176 167  172,04 K

4 items found: 4 files, 0 directories.
Total of file sizes: 466 983 bytes 456,04 K

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
 Le volume dans le lecteur C s'appelle ACER
 Le numéro de série du volume est 2629-16F0

 Répertoire de C:\WINDOWS\System32

19/02/2004 02:13 <REP> Microsoft
19/02/2004 01:36 <REP> dllcache
 0 fichier(s)  0 octets
 2 Rép(s)  9 267 306 496 octets libres
Dragon, posted March 3, 2005:

Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
Fabri (Author) Posted March 3, 2005

Hi,
Here are the 2 logs. Are we getting closer to a solution?

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Fabrice\Bureau\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone" - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- Tout le monde
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Fabrice\Bureau\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Fabrice\Bureau\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]

Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]

Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Desktop.ini sucessfully removed

Zipping up files for submission:
  adding: echo.reg (deflated 9%)
  adding: clear.reg (deflated 2%)
  adding: desktop.ini (stored 0%)
  adding: readme.txt (deflated 49%)
  adding: direct.txt (stored 0%)
  adding: report.txt (deflated 63%)
  adding: lo2.txt (deflated 77%)
  adding: test2.txt (stored 0%)
  adding: test3.txt (stored 0%)
  adding: test5.txt (stored 0%)
  adding: test.txt (stored 0%)
  adding: backregs/shell.reg (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 05:14:52, on 03/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fabrice\Mes documents\Ad aware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109663878890
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
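The l2mfix log above ends with an export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, the key l2mfix locks down with RegDACL and prints so that the helper can confirm only expected notification packages are registered there (every such DLL is loaded by winlogon.exe at logon). The script below is an added example written for this thread, not code from l2mfix or HijackThis: it parses a regedit 5.00 export offline, decodes the hex(2) REG_EXPAND_SZ DllName values that wrap across continuation lines (as several do in the export), and lists each subkey's DLL against an allow-list built from the entries in the export. The sample export is constructed from two subkeys copied from the post plus one made-up subkey, "example", whose DLL name EXAMPLE_UNKNOWN.dll is a placeholder, so that the output shows what a row needing review looks like.

```python
import re
from typing import Dict, List

# Notification packages present in the export above (the Windows XP set plus
# the ATI driver's). Treated as an allow-list for review, not as a verdict.
KNOWN_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll",
}

# Constructed sample: two subkeys copied from the export in the post, plus a
# made-up subkey "example" whose DLL name is a placeholder, to show a flagged row.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example]
"DLLName"="C:\\WINDOWS\\System32\\EXAMPLE_UNKNOWN.dll"
"Logon"="ExampleLogon"
'''


def decode_reg_value(raw: str) -> str:
    """Decode the right-hand side of a .reg line: "string", dword:, or hex(n):."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslash and double quote inside strings
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):      # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()                 # plain hex: (REG_BINARY) left as hex text
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key path: {value name: decoded value}}."""
    # Long hex values wrap as ",\" + newline + indent; join them back first
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"')] = decode_reg_value(value)
    return keys


def audit_winlogon_notify(text: str) -> List[dict]:
    """One row per Notify subkey: the DLL it loads and whether it is expected."""
    rows = []
    for key, values in parse_reg_export(text).items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue                      # skip the parent key and unrelated keys
        # The registry matches value names case-insensitively ("DLLName" vs "DllName")
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        basename = dll.lower().rsplit("\\", 1)[-1] if dll else None
        rows.append({
            "subkey": key.rsplit("\\", 1)[-1],
            "dll": dll,
            "known": basename in KNOWN_NOTIFY_DLLS,
            # a bare name loads from the system directory; an explicit path is unusual here
            "explicit_path": bool(dll) and ("\\" in dll or ":" in dll),
        })
    return rows


if __name__ == "__main__":
    for row in audit_winlogon_notify(SAMPLE_EXPORT):
        flag = "" if row["known"] and not row["explicit_path"] else "  <-- review"
        print(f"{row['subkey']:<14} {row['dll']}{flag}")
```

Feed it the text between the asterisk rules in an l2mfix log (or a regedit export of the same key) and compare the rows against the DLLs you expect on that machine; the allow-list above is only the set visible in this thread and will need extending for other driver or security software.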
Dragon Posted March 3, 2005

Please look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis. Reboot If I have specified below, and Post a Fresh HijackThis log.

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

After this, Reboot and Delete the following files:

C:\Windows\RUNXMLPL.exe

Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.nz/help/0,,4155-1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

Then post a fresh Hijack this log please
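The three entries the helper picked out above are the kind of thing a reviewer scans a HijackThis log for: a hosts-file override (O1), a missing default URLSearchHook (R3), and a Run entry whose executable sits directly in the Windows directory rather than in a program folder (O4). As an added example, not part of this thread or of HijackThis itself, the script below parses log lines of that form and applies those three checks as rules. The sample log is constructed from lines of the log posted earlier in this thread; the reason strings are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, including the three entries the helper asked to fix.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
# An executable sitting directly in the Windows directory (no subfolder)
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, skipping header lines."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def run_command_exe(body: str) -> str:
    """Pull the executable out of an O4 body, honouring a quoted path with spaces."""
    # Run-key form: '...: [name] command'; startup-folder form: 'name.lnk = target'
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) for entries matching the checks the helper applied."""
    hits = []
    for section, body in parse_entries(log):
        line = f"{section} - {body}"
        if section == "O1":
            # any hosts-file override silently redirects a hostname; verify each one
            hits.append(("hosts override", line))
        elif section == "R3" and "is missing" in body:
            hits.append(("URLSearchHook missing", line))
        elif section == "O4" and WINDIR_ROOT_EXE.match(run_command_exe(body)):
            hits.append(("executable in Windows root", line))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_HJT_LOG):
        print(f"[{reason}] {line}")
```

Run it over a saved log to get a shortlist; the rules only reproduce what was flagged in this thread, so a clean result from them is not a clean log, and each hit still needs the same human judgement the helper applied before anything is fixed or deleted.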
Fabri (Author) Posted March 4, 2005

Hi,
I've followed your instructions.
Please find the latest log below:

Logfile of HijackThis v1.99.1
Scan saved at 01:59:55, on 04/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Fabrice\Mes documents\Ad aware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109663878890
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
Dragon Posted March 4, 2005

Your log is clean. Any more messages from your firewall?

For Future Protection

Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.
http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see So how did I get infected in the first place?
Fabri (Author) Posted March 5, 2005

Thanks very much for your help.
But I still get messages from my firewall.

[application] from your computer wants to send UDP datagram to...

Usually, application is "Generic Host Process for Win32 services" or Messenger, but sometimes also "weird" characters such as "P!Ar" or no application is displayed at all in the Application filename box.

Also there seems to be a problem with my firewall as I can't uninstall it (offline and with firewall disabled). When I get those messages, after several clicks on "deny", my computer crashes and restarts.

Would it be advisable to reinstall everything to get rid of these problems?
Dragon Posted March 7, 2005

Hi, sorry for the delay in response. It sounds like your Norton system is corrupted. Go here for suggestions on how to remove Norton, then if you want to keep Norton just reinstall it.
http://www.symantec.com/techsupp/consumer.html
Fabri (Author) Posted March 8, 2005

Hi,
I guess a problem with Norton could explain the crashes but what about the messages from my firewall? I'm no computer expert... Where could these messages come from if the last log is clean?
Thanks
Dragon Posted March 8, 2005

Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC. Let us know what, if anything, is found and removed.