mgkct
1 Nickel

Re: Help Interpreting Hijack This Log

Mike,

Well, I went to run VX2Finder(126), which I had downloaded onto my machine yesterday trying to fix my problem.  Anyway, I hit "Restore Policy" and I got a prompt telling me that I needed to reboot to effect the change.  I said yes, but now when I go back in and run VX2Finder again, the User Agent button is grayed out so I can't click it.  I tried hitting restore policy again, and then NOT allowing the reboot, but I still can't click the User Agent button. Uggh -- did I do something wrong?  What next?

Mona

0 Kudos
Midnight Star
5 Rhenium

Re: Help Interpreting Hijack This Log

mona,

No, you're doing just fine. Go ahead and run those two programs, then post back a new log and we'll see if anything is left to clean up.

Mike.

 

0 Kudos
mgkct
1 Nickel

Blue Screens...

Mike,
This is what has happened:
- I went through the regedit process you specified (results below)
- I downloaded and ran Ad Aware Personal, updated definitions, and then ran a full scan.  I got a blue screen about 30 seconds into the process.
- I then went back to regedit and something changed (see note below)
- I ran Ad Aware again and did the full scan, and again got a blue screen.
- I've posted below the regedit results as well as a new Hijack This Log.
 
Here are my notes on the regedit results:
There are two entries in the Notify directory that have the pattern you specify. The weird thing is that although the App Management entry has remained the same from the original check through the two times I've had to reboot, the second entry has been different. The actual c:\windows file name is the same, but the registry to which this refers has permutated twice. The first time it was under "App Paths." After the first reboot it became "Policies." And after this last reboot it is "Unimodem."
1. App Management: DLLName = C:\windows\system32\irj0l51m1.dll
2. Unimodem: DLLNAme = c:\windows\system32\mavcp71.dll
 
HIJACK THIS LOG:
 
Logfile of HijackThis v1.99.0
Scan saved at 1:35:59 PM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)
O16 - DPF: DigiChat Applet - http://chat2.alllearn.org/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.topmoxie.com/external/builds/upromise/upromise_moxie0.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
 
thanks,
Mona
0 Kudos
Midnight Star
5 Rhenium

Re: Blue Screens...

mona,
 
Ok, we must still have one left.
 
-
 
See if you can locate this file using killbox and remove it, leave the other one alone:
 
C:\windows\system32\irj0l51m1.dll
-
 
Then run VX2Finder again and see if those two buttons are available; if so, click them again.
 
-
 
Post back the results.
 
Mike.
 
 
 
0 Kudos
mgkct
1 Nickel

Re: Blue Screens...

Mike,
I tried to delete the file you specified, to no avail (killbox tells me the file doesn't exist).
 
I then went to VX2Finder.  Just to confirm -- I haven't been clicking on the button labeled "Click to Find VX2 Better Internet." I just went in, and the UserAgent button was still grayed out.  I hit Restore Policy, but again it is prompting me to reboot to effect the change -- so I didn't do this.
 
Not sure what to do next. 
 
Thanks so much for all this help,
Mona
0 Kudos
Midnight Star
5 Rhenium

Re: Blue Screens...

mona,

Ok, there's either a VX2 file located somewhere, or something is locked somehow. Let me research this more. While I'm doing that...

Let's try this to see what HiJackThis can remove, and what is going to come back - it might 'crash' out when trying to delete the O1 entry(s).


Go to Add/Remove programs and remove(uninstall) the following:

  • Bullseye Network
  • Web Related

I've included the steps to manually remove these along with the other entry(s), just in case they're not present.



Now, let's run HiJackThis, then:

1.  click "Config..."
2.  click "Misc Tools"
3.  click "Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:

    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\System32\angelex.exe
    C:\WINDOWS\zeta.exe

5.  when prompted to "Reboot Now", after selecting each file, select "No"



Run HiJackThis and click "Scan", then check(tick) the following, if present:


O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)

O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


Now, with all windows closed except HiJackThis, click "Fix checked".


Post back a new log with the results.

Mike.

 

0 Kudos
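The entries Mike picks out of Mona's log (hosts-file lines sending search domains to one IP, an O17 NameServer, and O23 services with no publisher) can be triaged mechanically. The following is an added Python example, not part of this thread or of HijackThis; the sample lines are taken from the log above, and the trusted resolver list is an assumption the reviewer fills in.

```python
import re
from collections import defaultdict

# Lines taken from the HijackThis log Mona posted above (a subset, not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
NS_RE = re.compile(r"^O17 - (\S+): NameServer = (\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text, trusted_dns=frozenset()):
    """Return (line, reason) pairs for entries a reviewer should look at first.

    trusted_dns is the set of resolvers the machine is expected to use (ISP or
    corporate); it is an assumption the reviewer supplies, not something in the log.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOOPBACK:  # loopback entries block a host; anything else redirects it
                findings.append((line, f"hosts file sends {name} to {ip}"))
        elif m := NS_RE.match(line):
            key, server = m.groups()
            if server not in trusted_dns:
                findings.append((line, f"DNS server {server} under {key} is not a trusted resolver"))
        elif m := SVC_RE.match(line):
            name, company, path = m.groups()
            if company == "Unknown":
                findings.append((line, f"service {name} has no publisher and runs {path}"))
            elif "(file missing)" in path:
                findings.append((line, f"service {name} points at a missing file"))
    return findings


def redirect_targets(findings):
    """Group flagged hosts entries by the IP they point at: one IP collecting several
    search domains is the autosearch-hijack pattern in this log."""
    targets = defaultdict(list)
    for line, _ in findings:
        if m := HOSTS_RE.match(line):
            targets[m.group(1)].append(m.group(2))
    return dict(targets)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, trusted_dns={"192.0.2.53"})  # constructed placeholder resolver
    for line, reason in results:
        print(f"{reason}\n    {line}")
    print("redirect targets:", redirect_targets(results))
```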
Midnight Star
5 Rhenium

Re: Blue Screens...

mona,

Let's try this angle...

-

Download "FindIt" here and unzip it to your desktop. Double-click on the "Findit" folder then the "Find.bat" file. When it completes, post back the results in the log.

-

Mike. 

0 Kudos
mgkct
1 Nickel

Re: Blue Screens...

Mike,
 
I did all the steps in the previous reply (re deleting files).  However, I wasn't able to delete the Bullseyenetwork file -- it neither appeared through add/remove programs, nor was I able to browse to it through Hijack This (there weren't any files in the Bullseyenetwork folder).
 
In any case, I ran findit... here is the log:
 
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.
 ------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 8438-0356
 Directory of C:\WINDOWS\System32
12/28/2004  05:45 PM           224,457 AQRACE.DLL
12/28/2004  05:44 PM           223,232 lvr4099qe.dll
12/28/2004  01:27 PM           224,457 ir22l5fo1.dll
12/28/2004  01:19 PM           223,726 p4r40e9qeh.dll
12/28/2004  12:29 PM           223,232 lv8409lqe.dll
12/03/2004  03:04 AM    <DIR>          DLLCACHE
05/19/2003  10:12 AM    <DIR>          Microsoft
               5 File(s)      1,119,104 bytes
               2 Dir(s)  17,146,322,944 bytes free
 ------- Hidden Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 8438-0356
 Directory of C:\WINDOWS\System32
12/03/2004  03:04 AM    <DIR>          DLLCACHE
09/03/2002  08:57 AM               488 logonui.exe.manifest
09/03/2002  08:57 AM               488 WindowsLogon.manifest
09/03/2002  08:57 AM               749 nwc.cpl.manifest
09/03/2002  08:57 AM               749 sapi.cpl.manifest
09/03/2002  08:57 AM               749 ncpa.cpl.manifest
09/03/2002  08:57 AM               749 wuaucpl.cpl.manifest
09/03/2002  08:57 AM               749 cdplayer.exe.manifest
               7 File(s)          4,721 bytes
               1 Dir(s)  17,146,318,848 bytes free
 ---------- Files Named "Guard" -------------
 
Thanks,
Mona
0 Kudos
mgkct
1 Nickel

Re: Blue Screens...

I just realized I didn't copy the full log... here it is:

 

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 8438-0356

 Directory of C:\WINDOWS\System32

12/28/2004  05:45 PM           224,457 AQRACE.DLL
12/28/2004  05:44 PM           223,232 lvr4099qe.dll
12/28/2004  01:27 PM           224,457 ir22l5fo1.dll
12/28/2004  01:19 PM           223,726 p4r40e9qeh.dll
12/28/2004  12:29 PM           223,232 lv8409lqe.dll
12/03/2004  03:04 AM    <DIR>          DLLCACHE
05/19/2003  10:12 AM    <DIR>          Microsoft
               5 File(s)      1,119,104 bytes
               2 Dir(s)  17,146,322,944 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 8438-0356

 Directory of C:\WINDOWS\System32

12/03/2004  03:04 AM    <DIR>          DLLCACHE
09/03/2002  08:57 AM               488 logonui.exe.manifest
09/03/2002  08:57 AM               488 WindowsLogon.manifest
09/03/2002  08:57 AM               749 nwc.cpl.manifest
09/03/2002  08:57 AM               749 sapi.cpl.manifest
09/03/2002  08:57 AM               749 ncpa.cpl.manifest
09/03/2002  08:57 AM               749 wuaucpl.cpl.manifest
09/03/2002  08:57 AM               749 cdplayer.exe.manifest
               7 File(s)          4,721 bytes
               1 Dir(s)  17,146,318,848 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 8438-0356

 Directory of C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 8438-0356

 Directory of C:\WINDOWS\System32

08/29/2002  05:00 AM             2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)  17,146,318,848 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1CF1EA4-A4BF-4233-9622-0F56C81E63CC}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir22l5fo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Locked Files -----------------

C:\WINDOWS\System32\AQRACE.DLL +++ File read error

 -------------- XFind Qoologic Results --------------

C:\WINDOWS\System32\AQRACE.DLL +++ File read error

 -------------- XFind Aspack Results ---------------

C:\WINDOWS\System32\AQRACE.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
   aqrace.dll     Tue Dec 28 2004   5:45:30p  ..S.R        224,457   219.20 K
   ir22l5~1.dll   Tue Dec 28 2004   1:27:24p  ..S.R        224,457   219.20 K
   lv8409~1.dll   Tue Dec 28 2004  12:29:48p  ..S.R        223,232   218.00 K
   lvr409~1.dll   Tue Dec 28 2004   5:44:30p  ..S.R        223,232   218.00 K
   p4r40e~1.dll   Tue Dec 28 2004   1:19:14p  ..S.R        223,726   218.48 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  1,119,104 bytes      1.07 M


0 Kudos
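The Notify entry Mona describes (the same system32 file re-registered under a new subkey after each reboot) shows up in the "Keys Under Notify" section above as a DllName that is not one of the standard Winlogon notification DLLs. The following is an added Python example, not part of this thread or of FindIt: it parses a REGEDIT4 export, decodes the hex(2) values, and compares every DllName against a baseline taken from the legitimate entries in the same export (REGEDIT4 hex(2) is one byte per character; a "Windows Registry Editor Version 5.00" export would be UTF-16 and is not handled here).

```python
import re

# Excerpt of the REGEDIT4 "Keys Under Notify" section from the FindIt log above.
NOTIFY_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir22l5fo1.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"""

# Legitimate notification DLLs, taken from the other Notify entries in the same export.
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Decode a REGEDIT4 value: quoted string (backslashes doubled) or hex(2) byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw  # dword and other types are returned as written


def parse_notify(export_text):
    """Return {subkey: {value_name_lowercased: decoded_value}} for keys under Winlogon\\Notify."""
    keys, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            _, _, tail = m.group(1).rpartition("\\Notify")
            current = keys.setdefault(tail[1:], {}) if tail.startswith("\\") else None
        elif current is not None and (m := VAL_RE.match(line)):
            name, raw = m.groups()
            current[name.lower()] = decode_value(raw)  # DllName and DLLName are the same value
    return keys


def audit_notify(keys, baseline=BASELINE):
    """Flag packages whose DllName is not a baseline DLL. A full path into system32 with a
    random-looking name is the pattern Mona describes (same file, new subkey each reboot)."""
    findings = []
    for subkey, values in keys.items():
        dll = values.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if base in baseline:
            continue
        reason = "DLL not in baseline"
        if "\\" in dll:
            reason += "; registered by full path"
        if re.fullmatch(r"[a-z0-9]{8,12}\.dll", base) and re.search(r"\d", base):
            reason += "; random-looking name"
        findings.append((subkey, dll, reason))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(parse_notify(NOTIFY_EXPORT)):
        print(f"{subkey}: {dll} ({reason})")
```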
Midnight Star
5 Rhenium

Re: Blue Screens...

mona,
 
Ok, I think these will be the files that we need to fix with killbox, but before you do:
 
12/28/2004  05:44 PM           223,232 lvr4099qe.dll
12/28/2004  01:27 PM           224,457 ir22l5fo1.dll
12/28/2004  01:19 PM           223,726 p4r40e9qeh.dll
12/28/2004  12:29 PM           223,232 lv8409lqe.dll
 
Let's double-check by running DLLCompare again and see if these turn up.
 
Remember not to reboot your computer until we are completely done.
 
Mike.
 

Message Edited by Midnight Star on 12-28-2004 06:27 PM

0 Kudos