I fixed it. Thanks, that was great. Another thing though, how do I get rid of the desktop search and edmond files?
L2mfix Beta 120305
Creating Account.
The account already exists.
More help is available by typing NET HELPMSG 2224.
Adding Administrative privleges.
System error 1378 has occurred.
The specified account name is already a member of the local group.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 568 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 640 'winlogon.exe'
Killing PID 640 'winlogon.exe'
Killing PID 640 'winlogon.exe'
Killing PID 640 'winlogon.exe'
Killing PID 640 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1736 'explorer.exe'
Killing PID 1736 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1480 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\jtnq0755e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0080adued080.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m4640ejqehoe0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q0nula591d.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\jtnq0755e.dll
Successfully Deleted: C:\WINDOWS\system32\jtnq0755e.dll
deleting: C:\WINDOWS\system32\k0080adued080.dll
Successfully Deleted: C:\WINDOWS\system32\k0080adued080.dll
deleting: C:\WINDOWS\system32\m4640ejqehoe0.dll
Successfully Deleted: C:\WINDOWS\system32\m4640ejqehoe0.dll
deleting: C:\WINDOWS\system32\q0nula591d.dll
Successfully Deleted: C:\WINDOWS\system32\q0nula591d.dll
Zipping up files for submission:
zip warning: name not matched: guard.tmp
zip error: Nothing to do! (backup.zip)
adding: Documents and Settings/jon eu/Desktop/l2mfix/backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: Documents and Settings/jon eu/Desktop/l2mfix/backregs/shell.reg (164 bytes security) (deflated 67%)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
deleting local copy: jtnq0755e.dll
deleting local copy: k0080adued080.dll
deleting local copy: m4640ejqehoe0.dll
deleting local copy: q0nula591d.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0nula591d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\jtnq0755e.dll
C:\WINDOWS\system32\k0080adued080.dll
C:\WINDOWS\system32\m4640ejqehoe0.dll
C:\WINDOWS\system32\q0nula591d.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{99C77051-BDC6-4537-8383-7F9762E6A750}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{99C77051-BDC6-4537-8383-7F9762E6A750}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{99C77051-BDC6-4537-8383-7F9762E6A750}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{99C77051-BDC6-4537-8383-7F9762E6A750}\InprocServer32]
@="C:\\WINDOWS\\system32\\PWUSTAB.DLL"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{99C77051-BDC6-4537-8383-7F9762E6A750}"=-
"{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}"=-
[-HKEY_CLASSES_ROOT\CLSID\{99C77051-BDC6-4537-8383-7F9762E6A750}]
[-HKEY_CLASSES_ROOT\CLSID\{6CC21305-CE29-441C-BB7C-7885EE7FB0F0}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
C:\WINDOWS\System32\6CC21305-CE29-441C-BB7C-7885EE7FB0F0.reg
C:\WINDOWS\System32\99C77051-BDC6-4537-8383-7F9762E6A750.reg
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/jtnq0755e.dll (164 bytes security) (deflated 5%)
adding: dlls/k0080adued080.dll (164 bytes security) (deflated 5%)
adding: dlls/m4640ejqehoe0.dll (164 bytes security) (deflated 5%)
adding: dlls/q0nula591d.dll (164 bytes security) (deflated 4%)