#1 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

ok...thanks to all who helped in my first post...but now...ive got some serious problems....starting with...i have a host file that i cant get rid of....it redirects me to a website every single time i click a link or try to navigate to another page...the annoying solution ive found so far is to just hit the back button...that works...for now...ive run spybot, adaware and spysweeper...i tried a registry cleaner..ive tried deleting the O1s from hijack this..and they just reappear...spy bot found coolwwwsearch or something like that but couldnt delete it..i went in manually to try to delete it...and the thing is still running like crap...sooooo here i am...at the feet of you guys...i am desperate.....this is what it looks like if i try to search with google

http://69.20.62.53/dns.php?url=www.google.com

please dont click this..unless you want to risk the chance of being infected!!!!

ok...moving on...my recycle bin is all screwed up...the icon on the desktop does not appear empty...it has stuff in it...and when i click on it...there is nothing...nothing at all..if i click empty recycle bin...it says are you sure you want to delete these 18 items?....i click yes..and nothing happens.....ive tried deleting random things like a picture or a word document..and nothing ever shows up in the bin....i did a search on google to see if anyone else had a problem similar..and i found one guy that said he had to run chkdsk and find corrupt files...but i did that..and found nothing...

#2 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro

Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us determine if there is any spyware/malware on your computer.
__________________
GO BIG BLUE!!

#3 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

```
Logfile of HijackThis v1.98.2
Scan saved at 4:00:52 PM, on 12/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\piybss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bczyojh7.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
```

here ya go...pretty nasty huh

#4 (permalink)
Manager, The Relaxation Room/Analyst, Security Team
Join Date: Oct 2004
Posts: 10,772
OS: xp

hi

open task manager (ctrl+alt+del)
end process if found
piybss.exe

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

Now find and delete you can use the windows search tool :
C:\WINDOWS\System32\piybss.exe

navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

also download the hoster file from here

Go here and do an online virus scan.

Reboot and post a new log.
__________________
TSF has outgrown its server, again. Please help
"Gutta cavat lapidem, non vi sed saepe cadendo"

#5 (permalink)
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3

Hi

First off we may have a prob with the O1 items but I wont know for sure until you run the fix....

Turn off your System Restore SEE HERE Reinstate it when your log is cleaned and then create a new restore point. Close your browser window and run hjt in safe mode... HOW TO RUN SAFE MODE and have "Hijack This" fix all the following items by placing a check in the appropriate boxes and selecting "fix checked". Files highlighted in BLACK in the log will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders.. HOW TO SHOW FILES ..Please reboot and post a new log when finished...

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

C:\WINDOWS\System32\piybss.exe

#6 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

next..

ok i tried all of that..fixing those O1s from HJT dont work..they just come back....i downloaded the hoster and deleted the bad hosts....but they just come back...heres the new HJT..although it doesnt seem any different

```
Logfile of HijackThis v1.98.2
Scan saved at 12:52:31 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\viycqq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bczyojh7.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
```

thanks for your help

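An added example, not part of any post in this thread: a short Python parser that compares two HijackThis scans and reports the `O1 - Hosts` redirects that survived a fix attempt, together with the System32 executables that appear in only one scan. The embedded excerpts are constructed from lines of the 12/3/2004 and 12/7/2004 logs above, and every function name is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts: a few lines taken from the 12/3/2004 and 12/7/2004
# logs in this thread; most entries are omitted to keep the sample short.
SCAN_BEFORE = r"""Logfile of HijackThis v1.98.2
Scan saved at 4:00:52 PM, on 12/3/2004
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\piybss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

SCAN_AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 12:52:31 PM, on 12/7/2004
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\viycqq.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\regedit.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

# Any HijackThis entry line starts with a section code such as "R3 - " or "O16 - ".
ENTRY_RE = re.compile(r"^(?:R[0-3]|N[1-4]|F[0-3]|O\d{1,2}) - ")
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class Scan:
    processes: set = field(default_factory=set)  # lower-cased image paths
    hosts: set = field(default_factory=set)      # (ip, hostname) pairs


def parse_hjt(text):
    """Collect the running-process list and the O1 hosts entries of one log."""
    scan = Scan()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False  # the first entry line ends the process list
            m = O1_RE.match(line)
            if m:
                scan.hosts.add((m.group(1), m.group(2).lower()))
            continue
        if in_processes and line:
            # Windows paths are case-insensitive, so normalise before comparing.
            scan.processes.add(line.lower())
    return scan


def persistent_redirects(before, after):
    """Hosts entries aimed at a non-loopback address that are in both scans."""
    return sorted(e for e in before.hosts & after.hosts if e[0] not in LOOPBACK)


def process_churn(before, after, under=r"c:\windows\system32"):
    """Executables directly under `under` seen in only one scan: (new, gone)."""
    prefix = under.lower() + "\\"

    def pick(paths):
        return sorted(p for p in paths if p.startswith(prefix))

    return (pick(after.processes - before.processes),
            pick(before.processes - after.processes))


if __name__ == "__main__":
    before, after = parse_hjt(SCAN_BEFORE), parse_hjt(SCAN_AFTER)
    for ip, name in persistent_redirects(before, after):
        print(f"hosts redirect survived the fix: {name} -> {ip}")
    new, gone = process_churn(before, after)
    for path in new:
        print(f"only in later scan (review): {path}")
    for path in gone:
        print(f"only in earlier scan: {path}")
```

Hosts entries that return after a fix point to something still running that rewrites the file, so the executables listed as present in only one scan are the first candidates to review, not a verdict on their own.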
#8 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

:)

thank you guys for helping me...i deleted that file..and ill keep checkin the progress on the new hijacker thing......also..what about my recycle bin?....ive tried restoring all items but it still says its got 18 items and wont delete them...nor will it show them...it looks empty....so confusing....

#10 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

new log

```
Logfile of HijackThis v1.98.2
Scan saved at 2:31:36 PM, on 12/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bczyojh7.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
```

here ya go

#11 (permalink)
Analyst, Security Team

The infection you have is one of the newest ones out there. We have managed to get a fix for this. Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer. I won't be online for very long tonight. So if you want, you may do this tomorrow (so shutdown if you want). But if not, you may do the following now (hopefully MicroBell or one of our other analysts will be here if I'm not online):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.zip
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp http://cleanup.stevengould.org/
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat http://www.greyknight17.com/spy/notify.bat

Please follow the steps below:

1. Run Kill2Me.
2. Unzip the pv.zip file's contents to your Desktop (NOTE: It MUST be on your Desktop!).
   a) Open that folder on your Desktop and double click on the runme.bat file.
   b) Type in 3 and hit your Enter key. Save the log file.
   c) Type in 5 and hit your Enter key. Save the log file.
   d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.
3. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.
4. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

If you must restart/reboot your computer, you will have to basically start all over again (starting from Step 2 above with PV). The detection and removal process must be done at the same time without the PC being rebooted.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\
C:\Program Files\Internet Explorer\ - there might be a download folder here.

We are looking for any randomly named files. Post anything that looks suspicious.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#12 (permalink)
Registered User
Join Date: Nov 2004
Posts: 12
OS: winxp

mmmk...lets kill this thing
heres the runme log (3)
Module information for 'rundll32.exe'

runme (5)
Module information for 'winlogon.exe'
(xpclient.010817-1148) DNS Client API DLL winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL rasadhlp.dll 76fc0000 20480 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper tabhook.dll c60000 65536 C:\WINDOWS\System32\tabhook.dll 4.76-8 TabHook Apphelp.dll 75f40000 118784 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library notify.bat log Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxsrvc.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" 
"Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\fpl0033me.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown&qu |