L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Stardock\\Object Desktop\\WindowBlinds\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h0l20a3oed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{22256C5F-E561-411D-ACF7-598064228D4A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B2E4ACA1-0B0A-4C9B-966A-B5667E510A61}"=""
"{5DF86925-AD72-4D36-99D3-909783015714}"=""
"{17117398-A506-4E9C-99B3-7C0B625D2A4A}"=""
"{BE44CC93-3C08-48BA-BB13-298D8E7AF4FD}"=""
"{7805C39A-A7B6-468A-9E62-8AF77EE59970}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B2E4ACA1-0B0A-4C9B-966A-B5667E510A61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2E4ACA1-0B0A-4C9B-966A-B5667E510A61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2E4ACA1-0B0A-4C9B-966A-B5667E510A61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2E4ACA1-0B0A-4C9B-966A-B5667E510A61}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5DF86925-AD72-4D36-99D3-909783015714}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DF86925-AD72-4D36-99D3-909783015714}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DF86925-AD72-4D36-99D3-909783015714}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DF86925-AD72-4D36-99D3-909783015714}\InprocServer32]
@="C:\\WINNT\\system32\\eifpixio130.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{17117398-A506-4E9C-99B3-7C0B625D2A4A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{17117398-A506-4E9C-99B3-7C0B625D2A4A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{17117398-A506-4E9C-99B3-7C0B625D2A4A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{17117398-A506-4E9C-99B3-7C0B625D2A4A}\InprocServer32]
@="C:\\WINNT\\system32\\rivpmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BE44CC93-3C08-48BA-BB13-298D8E7AF4FD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BE44CC93-3C08-48BA-BB13-298D8E7AF4FD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BE44CC93-3C08-48BA-BB13-298D8E7AF4FD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BE44CC93-3C08-48BA-BB13-298D8E7AF4FD}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7805C39A-A7B6-468A-9E62-8AF77EE59970}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7805C39A-A7B6-468A-9E62-8AF77EE59970}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7805C39A-A7B6-468A-9E62-8AF77EE59970}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7805C39A-A7B6-468A-9E62-8AF77EE59970}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
docore.dll Mon Jan 24 2005 12:19:38p A.... 151,552 148.00 K
dolsp.dll Mon Jan 24 2005 12:19:38p A.... 139,264 136.00 K
dosync.dll Tue Jan 25 2005 9:28:14p A.... 114,688 112.00 K
eifpix~1.dll Thu Feb 3 2005 4:00:40p A.... 229,736 224.35 K
f02mla~1.dll Thu Feb 3 2005 6:27:48p ..S.R 230,927 225.51 K
h0l20a~1.dll Thu Feb 3 2005 6:19:20p A.... 230,927 225.51 K
hypertrm.dll Wed Nov 17 2004 10:41:24a A.... 347,136 339.00 K
irj2l5~1.dll Thu Feb 3 2005 5:58:34p ..S.R 230,394 224.99 K
pulzpo.dll Mon Jan 31 2005 1:03:04p A.... 5,632 5.50 K

9 items found: 9 files (2 H/S), 0 directories.
Total of file sizes: 1,680,256 bytes 1.60 M

Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Thu Feb 3 2005 6:30:50p A.... 230,927 225.51 K

1 item found: 1 file, 0 directories.
Total of file sizes: 230,927 bytes 225.51 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is DRIVE_C
Volume Serial Number is F0B5-FF63

Directory of C:\WINNT\System32

02/03/2005 06:27 PM 230,927 f02mlaf11d2.dll
02/03/2005 05:58 PM 230,394 irj2l51o1.dll
10/13/2004 11:12 PM <DIR> dllcache
02/05/2002 03:21 PM <DIR> Microsoft
2 File(s) 461,321 bytes
2 Dir(s) 91,438,505,984 bytes free