PPRuNe Forums - View Single Post - Help with major highjacking!!
Old 31st January 2005 | 20:44
aiglon
 
Joined: Feb 2003
Posts: 132
Likes: 0
From: London
E-Liam,

OK, here goes - this will be a long post!

Starting with the L2Mfix log (in instalments):

L2Mfix 1.02a

Running From:
C:\Documents and Settings\Ciaran\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Ciaran\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Ciaran\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1476 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1820 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dn8m01l1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn8o01l3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnp0017me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e8jm0i11e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en4ol1h31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fnl0213mg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8s03l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpn2035oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpnm0351e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp4ol3h31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpjsl3171.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h6j4lg1q16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr0605dse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr6005jme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6420ghoe64c0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6ol5j31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6sl5j71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j8j60i1se8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt0m07d1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt6407jqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtjq0715e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KSDSP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt26l7fs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktl4l73q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l64q0gh5e64.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0m09d1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0o09d3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlm0931e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvp0097me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m046lahs1d46.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0ls0a37ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m4ls0e37eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m664lgjq16oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mord2x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MTXML2R.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n64slgh7164.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nmtshell.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2480chuef480.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6n80g5ue6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q8nu0i59e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r6p80g7ue6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0880aluedq80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SMTUPX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SQDLL.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\dn8m01l1e.dll
Successfully Deleted: C:\WINDOWS\system32\dn8m01l1e.dll
deleting: C:\WINDOWS\system32\dn8o01l3e.dll
Successfully Deleted: C:\WINDOWS\system32\dn8o01l3e.dll
deleting: C:\WINDOWS\system32\dnp0017me.dll
Successfully Deleted: C:\WINDOWS\system32\dnp0017me.dll
deleting: C:\WINDOWS\system32\e8jm0i11e8.dll
Successfully Deleted: C:\WINDOWS\system32\e8jm0i11e8.dll
deleting: C:\WINDOWS\system32\en4ol1h31.dll
Successfully Deleted: C:\WINDOWS\system32\en4ol1h31.dll
deleting: C:\WINDOWS\system32\fnl0213mg.dll
Successfully Deleted: C:\WINDOWS\system32\fnl0213mg.dll
deleting: C:\WINDOWS\system32\fp8s03l7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8s03l7e.dll
deleting: C:\WINDOWS\system32\fpn2035oe.dll
Successfully Deleted: C:\WINDOWS\system32\fpn2035oe.dll
deleting: C:\WINDOWS\system32\fpnm0351e.dll
Successfully Deleted: C:\WINDOWS\system32\fpnm0351e.dll
deleting: C:\WINDOWS\system32\gp4ol3h31.dll
Successfully Deleted: C:\WINDOWS\system32\gp4ol3h31.dll
deleting: C:\WINDOWS\system32\gpjsl3171.dll
Successfully Deleted: C:\WINDOWS\system32\gpjsl3171.dll
deleting: C:\WINDOWS\system32\h6j4lg1q16.dll
Successfully Deleted: C:\WINDOWS\system32\h6j4lg1q16.dll
deleting: C:\WINDOWS\system32\hr0605dse.dll
Successfully Deleted: C:\WINDOWS\system32\hr0605dse.dll
deleting: C:\WINDOWS\system32\hr6005jme.dll
Successfully Deleted: C:\WINDOWS\system32\hr6005jme.dll
deleting: C:\WINDOWS\system32\i6420ghoe64c0.dll
Successfully Deleted: C:\WINDOWS\system32\i6420ghoe64c0.dll
deleting: C:\WINDOWS\system32\ir6ol5j31.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ol5j31.dll
deleting: C:\WINDOWS\system32\ir6sl5j71.dll
Successfully Deleted: C:\WINDOWS\system32\ir6sl5j71.dll
deleting: C:\WINDOWS\system32\j8j60i1se8.dll
Successfully Deleted: C:\WINDOWS\system32\j8j60i1se8.dll
deleting: C:\WINDOWS\system32\jt0m07d1e.dll
Successfully Deleted: C:\WINDOWS\system32\jt0m07d1e.dll
deleting: C:\WINDOWS\system32\jt6407jqe.dll
Successfully Deleted: C:\WINDOWS\system32\jt6407jqe.dll
deleting: C:\WINDOWS\system32\jtjq0715e.dll
Successfully Deleted: C:\WINDOWS\system32\jtjq0715e.dll
deleting: C:\WINDOWS\system32\KSDSP.DLL
Successfully Deleted: C:\WINDOWS\system32\KSDSP.DLL
deleting: C:\WINDOWS\system32\kt26l7fs1.dll
Successfully Deleted: C:\WINDOWS\system32\kt26l7fs1.dll
deleting: C:\WINDOWS\system32\ktl4l73q1.dll
Successfully Deleted: C:\WINDOWS\system32\ktl4l73q1.dll
deleting: C:\WINDOWS\system32\l64q0gh5e64.dll
Successfully Deleted: C:\WINDOWS\system32\l64q0gh5e64.dll
deleting: C:\WINDOWS\system32\lv0m09d1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0m09d1e.dll
deleting: C:\WINDOWS\system32\lv0o09d3e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0o09d3e.dll
deleting: C:\WINDOWS\system32\lvlm0931e.dll
Successfully Deleted: C:\WINDOWS\system32\lvlm0931e.dll
deleting: C:\WINDOWS\system32\lvp0097me.dll
Successfully Deleted: C:\WINDOWS\system32\lvp0097me.dll
deleting: C:\WINDOWS\system32\m046lahs1d46.dll
Successfully Deleted: C:\WINDOWS\system32\m046lahs1d46.dll
deleting: C:\WINDOWS\system32\m0ls0a37ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0ls0a37ed.dll
deleting: C:\WINDOWS\system32\m4ls0e37eh.dll
Successfully Deleted: C:\WINDOWS\system32\m4ls0e37eh.dll
deleting: C:\WINDOWS\system32\m664lgjq16oe.dll
Successfully Deleted: C:\WINDOWS\system32\m664lgjq16oe.dll
deleting: C:\WINDOWS\system32\mord2x40.dll
Successfully Deleted: C:\WINDOWS\system32\mord2x40.dll
deleting: C:\WINDOWS\system32\MTXML2R.DLL
Successfully Deleted: C:\WINDOWS\system32\MTXML2R.DLL
deleting: C:\WINDOWS\system32\n64slgh7164.dll
Successfully Deleted: C:\WINDOWS\system32\n64slgh7164.dll
deleting: C:\WINDOWS\system32\nmtshell.dll
Successfully Deleted: C:\WINDOWS\system32\nmtshell.dll
deleting: C:\WINDOWS\system32\o2480chuef480.dll
Successfully Deleted: C:\WINDOWS\system32\o2480chuef480.dll
deleting: C:\WINDOWS\system32\p6n80g5ue6.dll
Successfully Deleted: C:\WINDOWS\system32\p6n80g5ue6.dll
deleting: C:\WINDOWS\system32\q8nu0i59e8.dll
Successfully Deleted: C:\WINDOWS\system32\q8nu0i59e8.dll
deleting: C:\WINDOWS\system32\r6p80g7ue6.dll
Successfully Deleted: C:\WINDOWS\system32\r6p80g7ue6.dll
deleting: C:\WINDOWS\system32\s0880aluedq80.dll
Successfully Deleted: C:\WINDOWS\system32\s0880aluedq80.dll
deleting: C:\WINDOWS\system32\SMTUPX.DLL
Successfully Deleted: C:\WINDOWS\system32\SMTUPX.DLL
deleting: C:\WINDOWS\system32\SQDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\SQDLL.DLL

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: dn8m01l1e.dll (140 bytes security) (deflated 3%)
adding: dn8o01l3e.dll (140 bytes security) (deflated 4%)
adding: dnp0017me.dll (140 bytes security) (deflated 5%)
adding: e8jm0i11e8.dll (140 bytes security) (deflated 5%)
adding: en4ol1h31.dll (140 bytes security) (deflated 4%)
adding: fnl0213mg.dll (140 bytes security) (deflated 3%)
adding: fp8s03l7e.dll (140 bytes security) (deflated 4%)
adding: fpn2035oe.dll (140 bytes security) (deflated 4%)
adding: fpnm0351e.dll (140 bytes security) (deflated 4%)
adding: gp4ol3h31.dll (140 bytes security) (deflated 3%)
adding: gpjsl3171.dll (140 bytes security) (deflated 4%)
adding: h6j4lg1q16.dll (140 bytes security) (deflated 4%)
adding: hr0605dse.dll (140 bytes security) (deflated 4%)
adding: hr6005jme.dll (140 bytes security) (deflated 5%)
adding: i6420ghoe64c0.dll (140 bytes security) (deflated 4%)
adding: ir6ol5j31.dll (140 bytes security) (deflated 4%)
adding: ir6sl5j71.dll (140 bytes security) (deflated 3%)
adding: j8j60i1se8.dll (140 bytes security) (deflated 5%)
adding: jt0m07d1e.dll (140 bytes security) (deflated 4%)
adding: jt6407jqe.dll (140 bytes security) (deflated 4%)
adding: jtjq0715e.dll (140 bytes security) (deflated 4%)
adding: KSDSP.DLL (140 bytes security) (deflated 4%)
adding: kt26l7fs1.dll (140 bytes security) (deflated 4%)
adding: ktl4l73q1.dll (140 bytes security) (deflated 4%)
adding: l64q0gh5e64.dll (140 bytes security) (deflated 4%)
adding: lv0m09d1e.dll (140 bytes security) (deflated 4%)
adding: lv0o09d3e.dll (140 bytes security) (deflated 4%)
adding: lvlm0931e.dll (140 bytes security) (deflated 3%)
adding: lvp0097me.dll (140 bytes security) (deflated 4%)
adding: m046lahs1d46.dll (140 bytes security) (deflated 4%)
adding: m0ls0a37ed.dll (140 bytes security) (deflated 4%)
adding: m4ls0e37eh.dll (140 bytes security) (deflated 5%)
adding: m664lgjq16oe.dll (140 bytes security) (deflated 4%)
adding: mord2x40.dll (140 bytes security) (deflated 4%)
adding: MTXML2R.DLL (140 bytes security) (deflated 4%)
adding: n64slgh7164.dll (140 bytes security) (deflated 4%)
adding: nmtshell.dll (140 bytes security) (deflated 4%)
adding: o2480chuef480.dll (140 bytes security) (deflated 4%)
adding: p6n80g5ue6.dll (140 bytes security) (deflated 4%)
adding: q8nu0i59e8.dll (140 bytes security) (deflated 3%)
adding: r6p80g7ue6.dll (140 bytes security) (deflated 4%)
adding: s0880aluedq80.dll (140 bytes security) (deflated 4%)
adding: SMTUPX.DLL (140 bytes security) (deflated 4%)
adding: SQDLL.DLL (140 bytes security) (deflated 4%)
adding: clear.reg (140 bytes security) (deflated 63%)
adding: echo.reg (140 bytes security) (deflated 9%)
adding: desktop.ini (140 bytes security) (deflated 14%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 86%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 68%)
adding: report1.txt (140 bytes security) (deflated 68%)
adding: test.txt (140 bytes security) (deflated 81%)
adding: test2.txt (140 bytes security) (deflated 45%)
adding: test3.txt (140 bytes security) (deflated 44%)
adding: test5.txt (140 bytes security) (deflated 45%)
adding: xfind.txt (140 bytes security) (deflated 76%)
adding: backregs/111716D1-3138-4C33-9847-7FE2FCA71736.reg (140 bytes security) (deflated 70%)
adding: backregs/2571E528-A5AB-455F-AB97-47808498ABDA.reg (140 bytes security) (deflated 70%)
adding: backregs/33C5329C-060C-4258-9B4B-7CAE4A28858C.reg (140 bytes security) (deflated 70%)
adding: backregs/33D5338A-564C-4D8C-B928-4476E406F895.reg (140 bytes security) (deflated 70%)
adding: backregs/394BABF9-E9C1-4F68-85CA-5E561CA7A4A7.reg (140 bytes security) (deflated 70%)
adding: backregs/69C6CBAC-1029-4800-9E24-B4F47CD2819A.reg (140 bytes security) (deflated 70%)
adding: backregs/80A02F13-C156-4FC4-BAE0-738121E5A8E4.reg (140 bytes security) (deflated 70%)
adding: backregs/AD5C6512-784F-4D27-A644-FCCFAA237F6F.reg (140 bytes security) (deflated 70%)
adding: backregs/F81CBE82-D1AF-4F37-A0E9-1A82B0CDD710.reg (140 bytes security) (deflated 70%)
adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dn8m01l1e.dll
deleting local copy: dn8o01l3e.dll
deleting local copy: dnp0017me.dll
deleting local copy: e8jm0i11e8.dll
deleting local copy: en4ol1h31.dll
deleting local copy: fnl0213mg.dll
deleting local copy: fp8s03l7e.dll
deleting local copy: fpn2035oe.dll
deleting local copy: fpnm0351e.dll
deleting local copy: gp4ol3h31.dll
deleting local copy: gpjsl3171.dll
deleting local copy: h6j4lg1q16.dll
deleting local copy: hr0605dse.dll
deleting local copy: hr6005jme.dll
deleting local copy: i6420ghoe64c0.dll
deleting local copy: ir6ol5j31.dll
deleting local copy: ir6sl5j71.dll
deleting local copy: j8j60i1se8.dll
deleting local copy: jt0m07d1e.dll
deleting local copy: jt6407jqe.dll
deleting local copy: jtjq0715e.dll
deleting local copy: KSDSP.DLL
deleting local copy: kt26l7fs1.dll
deleting local copy: ktl4l73q1.dll
deleting local copy: l64q0gh5e64.dll
deleting local copy: lv0m09d1e.dll
deleting local copy: lv0o09d3e.dll
deleting local copy: lvlm0931e.dll
deleting local copy: lvp0097me.dll
deleting local copy: m046lahs1d46.dll
deleting local copy: m0ls0a37ed.dll
deleting local copy: m4ls0e37eh.dll
deleting local copy: m664lgjq16oe.dll
deleting local copy: mord2x40.dll
deleting local copy: MTXML2R.DLL
deleting local copy: n64slgh7164.dll
deleting local copy: nmtshell.dll
deleting local copy: o2480chuef480.dll
deleting local copy: p6n80g5ue6.dll
deleting local copy: q8nu0i59e8.dll
deleting local copy: r6p80g7ue6.dll
deleting local copy: s0880aluedq80.dll
deleting local copy: SMTUPX.DLL
deleting local copy: SQDLL.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dn8m01l1e.dll
C:\WINDOWS\system32\dn8o01l3e.dll
C:\WINDOWS\system32\dnp0017me.dll
C:\WINDOWS\system32\e8jm0i11e8.dll
C:\WINDOWS\system32\en4ol1h31.dll
C:\WINDOWS\system32\fnl0213mg.dll
C:\WINDOWS\system32\fp8s03l7e.dll
C:\WINDOWS\system32\fpn2035oe.dll
C:\WINDOWS\system32\fpnm0351e.dll
C:\WINDOWS\system32\gp4ol3h31.dll
C:\WINDOWS\system32\gpjsl3171.dll
C:\WINDOWS\system32\h6j4lg1q16.dll
C:\WINDOWS\system32\hr0605dse.dll
C:\WINDOWS\system32\hr6005jme.dll
C:\WINDOWS\system32\i6420ghoe64c0.dll
C:\WINDOWS\system32\ir6ol5j31.dll
C:\WINDOWS\system32\ir6sl5j71.dll
C:\WINDOWS\system32\j8j60i1se8.dll
C:\WINDOWS\system32\jt0m07d1e.dll
C:\WINDOWS\system32\jt6407jqe.dll
C:\WINDOWS\system32\jtjq0715e.dll
C:\WINDOWS\system32\KSDSP.DLL
C:\WINDOWS\system32\kt26l7fs1.dll
C:\WINDOWS\system32\ktl4l73q1.dll
C:\WINDOWS\system32\l64q0gh5e64.dll
C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\lv0o09d3e.dll
C:\WINDOWS\system32\lvlm0931e.dll
C:\WINDOWS\system32\lvp0097me.dll
C:\WINDOWS\system32\m046lahs1d46.dll
C:\WINDOWS\system32\m0ls0a37ed.dll
C:\WINDOWS\system32\m4ls0e37eh.dll
C:\WINDOWS\system32\m664lgjq16oe.dll
C:\WINDOWS\system32\mord2x40.dll
C:\WINDOWS\system32\MTXML2R.DLL
C:\WINDOWS\system32\n64slgh7164.dll
C:\WINDOWS\system32\nmtshell.dll
C:\WINDOWS\system32\o2480chuef480.dll
C:\WINDOWS\system32\p6n80g5ue6.dll
C:\WINDOWS\system32\q8nu0i59e8.dll
C:\WINDOWS\system32\r6p80g7ue6.dll
C:\WINDOWS\system32\s0880aluedq80.dll
C:\WINDOWS\system32\SMTUPX.DLL
C:\WINDOWS\system32\SQDLL.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2571E528-A5AB-455F-AB97-47808498ABDA}"=-
"{33D5338A-564C-4D8C-B928-4476E406F895}"=-
"{F81CBE82-D1AF-4F37-A0E9-1A82B0CDD710}"=-
"{69C6CBAC-1029-4800-9E24-B4F47CD2819A}"=-
"{AD5C6512-784F-4D27-A644-FCCFAA237F6F}"=-
"{80A02F13-C156-4FC4-BAE0-738121E5A8E4}"=-
"{111716D1-3138-4C33-9847-7FE2FCA71736}"=-
"{33C5329C-060C-4258-9B4B-7CAE4A28858C}"=-
"{394BABF9-E9C1-4F68-85CA-5E561CA7A4A7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{2571E528-A5AB-455F-AB97-47808498ABDA}]
[-HKEY_CLASSES_ROOT\CLSID\{33D5338A-564C-4D8C-B928-4476E406F895}]
[-HKEY_CLASSES_ROOT\CLSID\{F81CBE82-D1AF-4F37-A0E9-1A82B0CDD710}]
[-HKEY_CLASSES_ROOT\CLSID\{69C6CBAC-1029-4800-9E24-B4F47CD2819A}]
[-HKEY_CLASSES_ROOT\CLSID\{AD5C6512-784F-4D27-A644-FCCFAA237F6F}]
[-HKEY_CLASSES_ROOT\CLSID\{80A02F13-C156-4FC4-BAE0-738121E5A8E4}]
[-HKEY_CLASSES_ROOT\CLSID\{111716D1-3138-4C33-9847-7FE2FCA71736}]
[-HKEY_CLASSES_ROOT\CLSID\{33C5329C-060C-4258-9B4B-7CAE4A28858C}]
[-HKEY_CLASSES_ROOT\CLSID\{394BABF9-E9C1-4F68-85CA-5E561CA7A4A7}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C9D3C1A4-4AC6-4186-9310-3C551B262778}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{C9D3C1A4-4AC6-4186-9310-3C551B262778}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************


And now the latest HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 21:40:12, on 31/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\MYAPPL~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\MYAPPL~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\My Applications\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\MYAPPL~1\Grisoft\AVGFRE~1\avgcc.exe
C:\MYAPPL~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Applications\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netsearchsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\My Applications\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BlobMate] C:\Program Files\BlobMate\BlobMate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\MYAPPL~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\MYAPPL~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: SpywareGuard.lnk = C:\My Applications\SpywareGuard\sgmain.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdriver...ve/Install.cab
O16 - DPF: {34A44FCF-50E3-63A5-A8DA-7835752B9571} - http://www.captaincode.com/ccbar/ccbar.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...ds/install.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\MYAPPL~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\MYAPPL~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks

Aiglon