Okay - Log from Option #2 first:
L2Mfix 1.02b
Running From:
C:\Documents and Settings\Gateway User\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Gateway User\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Gateway User\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1524 'explorer.exe'
Killing PID 1524 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\nyshrui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imrnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h20qlcd51f0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnju0119e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cjrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lqfax11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0ju0a19ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p84ulih9184.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr0q05d5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrml9911.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv2sl9f71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrl4053qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en8ul1l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir26l5fs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j04o0ah3ed4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en44l1hq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlm0931e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8040idqe80e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6r40g9qe6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp6403jqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j64o0gh3e64.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enn4l15q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\u2rulc991f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mDpistub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp0003dme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j66mlgj116o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m6640gjqe6oe0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0l02a3mgd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l62slgf7162.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t8r8li9u18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o0660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvjml9111.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6pm0g71e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NOTAudioEditor.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enr8l19u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e4jm0e11eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n82ulif9182.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt42l7ho1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\nyshrui.dll
Successfully Deleted: C:\WINDOWS\system32\nyshrui.dll
deleting: C:\WINDOWS\system32\imrnonce.dll
Successfully Deleted: C:\WINDOWS\system32\imrnonce.dll
deleting: C:\WINDOWS\system32\h20qlcd51f0.dll
Successfully Deleted: C:\WINDOWS\system32\h20qlcd51f0.dll
deleting: C:\WINDOWS\system32\mbricons.dll
Successfully Deleted: C:\WINDOWS\system32\mbricons.dll
deleting: C:\WINDOWS\system32\dnju0119e.dll
Successfully Deleted: C:\WINDOWS\system32\dnju0119e.dll
deleting: C:\WINDOWS\system32\cjrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\cjrtmgr.dll
deleting: C:\WINDOWS\system32\lqfax11n.dll
Successfully Deleted: C:\WINDOWS\system32\lqfax11n.dll
deleting: C:\WINDOWS\system32\m0ju0a19ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0ju0a19ed.dll
deleting: C:\WINDOWS\system32\p84ulih9184.dll
Successfully Deleted: C:\WINDOWS\system32\p84ulih9184.dll
deleting: C:\WINDOWS\system32\hr0q05d5e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0q05d5e.dll
deleting: C:\WINDOWS\system32\mvrml9911.dll
Successfully Deleted: C:\WINDOWS\system32\mvrml9911.dll
deleting: C:\WINDOWS\system32\mv2sl9f71.dll
Successfully Deleted: C:\WINDOWS\system32\mv2sl9f71.dll
deleting: C:\WINDOWS\system32\hrl4053qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrl4053qe.dll
deleting: C:\WINDOWS\system32\en8ul1l91.dll
Successfully Deleted: C:\WINDOWS\system32\en8ul1l91.dll
deleting: C:\WINDOWS\system32\ir26l5fs1.dll
Successfully Deleted: C:\WINDOWS\system32\ir26l5fs1.dll
deleting: C:\WINDOWS\system32\j04o0ah3ed4.dll
Successfully Deleted: C:\WINDOWS\system32\j04o0ah3ed4.dll
deleting: C:\WINDOWS\system32\en44l1hq1.dll
Successfully Deleted: C:\WINDOWS\system32\en44l1hq1.dll
deleting: C:\WINDOWS\system32\lvlm0931e.dll
Successfully Deleted: C:\WINDOWS\system32\lvlm0931e.dll
deleting: C:\WINDOWS\system32\g8040idqe80e0.dll
Successfully Deleted: C:\WINDOWS\system32\g8040idqe80e0.dll
deleting: C:\WINDOWS\system32\p6r40g9qe6.dll
Successfully Deleted: C:\WINDOWS\system32\p6r40g9qe6.dll
deleting: C:\WINDOWS\system32\fp6403jqe.dll
Successfully Deleted: C:\WINDOWS\system32\fp6403jqe.dll
deleting: C:\WINDOWS\system32\j64o0gh3e64.dll
Successfully Deleted: C:\WINDOWS\system32\j64o0gh3e64.dll
deleting: C:\WINDOWS\system32\enn4l15q1.dll
Successfully Deleted: C:\WINDOWS\system32\enn4l15q1.dll
deleting: C:\WINDOWS\system32\u2rulc991f.dll
Successfully Deleted: C:\WINDOWS\system32\u2rulc991f.dll
deleting: C:\WINDOWS\system32\mDpistub.dll
Successfully Deleted: C:\WINDOWS\system32\mDpistub.dll
deleting: C:\WINDOWS\system32\fp0003dme.dll
Successfully Deleted: C:\WINDOWS\system32\fp0003dme.dll
deleting: C:\WINDOWS\system32\j66mlgj116o.dll
Successfully Deleted: C:\WINDOWS\system32\j66mlgj116o.dll
deleting: C:\WINDOWS\system32\m6640gjqe6oe0.dll
Successfully Deleted: C:\WINDOWS\system32\m6640gjqe6oe0.dll
deleting: C:\WINDOWS\system32\f0l02a3mgd.dll
Successfully Deleted: C:\WINDOWS\system32\f0l02a3mgd.dll
deleting: C:\WINDOWS\system32\l62slgf7162.dll
Successfully Deleted: C:\WINDOWS\system32\l62slgf7162.dll
deleting: C:\WINDOWS\system32\t8r8li9u18.dll
Successfully Deleted: C:\WINDOWS\system32\t8r8li9u18.dll
deleting: C:\WINDOWS\system32\o0660ajsedo60.dll
Successfully Deleted: C:\WINDOWS\system32\o0660ajsedo60.dll
deleting: C:\WINDOWS\system32\mvjml9111.dll
Successfully Deleted: C:\WINDOWS\system32\mvjml9111.dll
deleting: C:\WINDOWS\system32\k6pm0g71e6.dll
Successfully Deleted: C:\WINDOWS\system32\k6pm0g71e6.dll
deleting: C:\WINDOWS\system32\NOTAudioEditor.dll
Successfully Deleted: C:\WINDOWS\system32\NOTAudioEditor.dll
deleting: C:\WINDOWS\system32\enr8l19u1.dll
Successfully Deleted: C:\WINDOWS\system32\enr8l19u1.dll
deleting: C:\WINDOWS\system32\e4jm0e11eh.dll
Successfully Deleted: C:\WINDOWS\system32\e4jm0e11eh.dll
deleting: C:\WINDOWS\system32\n82ulif9182.dll
Successfully Deleted: C:\WINDOWS\system32\n82ulif9182.dll
deleting: C:\WINDOWS\system32\kt42l7ho1.dll
Successfully Deleted: C:\WINDOWS\system32\kt42l7ho1.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: nyshrui.dll (deflated 5%)
adding: imrnonce.dll (deflated 4%)
adding: h20qlcd51f0.dll (deflated 5%)
adding: mbricons.dll (deflated 3%)
adding: dnju0119e.dll (deflated 3%)
adding: cjrtmgr.dll (deflated 5%)
adding: lqfax11n.dll (deflated 3%)
adding: m0ju0a19ed.dll (deflated 3%)
adding: p84ulih9184.dll (deflated 4%)
adding: hr0q05d5e.dll (deflated 5%)
adding: mvrml9911.dll (deflated 4%)
adding: mv2sl9f71.dll (deflated 3%)
adding: hrl4053qe.dll (deflated 4%)
adding: en8ul1l91.dll (deflated 4%)
adding: ir26l5fs1.dll (deflated 5%)
adding: j04o0ah3ed4.dll (deflated 4%)
adding: en44l1hq1.dll (deflated 3%)
adding: lvlm0931e.dll (deflated 4%)
adding: g8040idqe80e0.dll (deflated 5%)
adding: p6r40g9qe6.dll (deflated 5%)
adding: fp6403jqe.dll (deflated 5%)
adding: j64o0gh3e64.dll (deflated 5%)
adding: enn4l15q1.dll (deflated 5%)
adding: u2rulc991f.dll (deflated 5%)
adding: mDpistub.dll (deflated 5%)
adding: fp0003dme.dll (deflated 4%)
adding: j66mlgj116o.dll (deflated 4%)
adding: m6640gjqe6oe0.dll (deflated 4%)
adding: f0l02a3mgd.dll (deflated 4%)
adding: l62slgf7162.dll (deflated 3%)
adding: t8r8li9u18.dll (deflated 3%)
adding: o0660ajsedo60.dll (deflated 4%)
adding: mvjml9111.dll (deflated 5%)
adding: k6pm0g71e6.dll (deflated 5%)
adding: NOTAudioEditor.dll (deflated 5%)
adding: enr8l19u1.dll (deflated 5%)
adding: e4jm0e11eh.dll (deflated 5%)
adding: n82ulif9182.dll (deflated 5%)
adding: kt42l7ho1.dll (deflated 3%)
adding: guard.tmp (deflated 3%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 46%)
adding: desktop.ini (deflated 13%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 67%)
adding: lo2.txt (deflated 84%)
adding: test2.txt (deflated 33%)
adding: test3.txt (deflated 25%)
adding: test5.txt (deflated 25%)
adding: test.txt (deflated 80%)
adding: xfind.txt (deflated 75%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/BD472F60-27FA-11cf-B8B4-444553540000.reg (deflated 64%)
adding: backregs/888DCA60-FC0A-11CF-8F0F-00C04FD7D062.reg (deflated 75%)
adding: backregs/66904C5C-51EA-4734-AF17-B6AF9242D228.reg (deflated 70%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: nyshrui.dll
deleting local copy: imrnonce.dll
deleting local copy: h20qlcd51f0.dll
deleting local copy: mbricons.dll
deleting local copy: dnju0119e.dll
deleting local copy: cjrtmgr.dll
deleting local copy: lqfax11n.dll
deleting local copy: m0ju0a19ed.dll
deleting local copy: p84ulih9184.dll
deleting local copy: hr0q05d5e.dll
deleting local copy: mvrml9911.dll
deleting local copy: mv2sl9f71.dll
deleting local copy: hrl4053qe.dll
deleting local copy: en8ul1l91.dll
deleting local copy: ir26l5fs1.dll
deleting local copy: j04o0ah3ed4.dll
deleting local copy: en44l1hq1.dll
deleting local copy: lvlm0931e.dll
deleting local copy: g8040idqe80e0.dll
deleting local copy: p6r40g9qe6.dll
deleting local copy: fp6403jqe.dll
deleting local copy: j64o0gh3e64.dll
deleting local copy: enn4l15q1.dll
deleting local copy: u2rulc991f.dll
deleting local copy: mDpistub.dll
deleting local copy: fp0003dme.dll
deleting local copy: j66mlgj116o.dll
deleting local copy: m6640gjqe6oe0.dll
deleting local copy: f0l02a3mgd.dll
deleting local copy: l62slgf7162.dll
deleting local copy: t8r8li9u18.dll
deleting local copy: o0660ajsedo60.dll
deleting local copy: mvjml9111.dll
deleting local copy: k6pm0g71e6.dll
deleting local copy: NOTAudioEditor.dll
deleting local copy: enr8l19u1.dll
deleting local copy: e4jm0e11eh.dll
deleting local copy: n82ulif9182.dll
deleting local copy: kt42l7ho1.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\nyshrui.dll
C:\WINDOWS\system32\imrnonce.dll
C:\WINDOWS\system32\h20qlcd51f0.dll
C:\WINDOWS\system32\mbricons.dll
C:\WINDOWS\system32\dnju0119e.dll
C:\WINDOWS\system32\cjrtmgr.dll
C:\WINDOWS\system32\lqfax11n.dll
C:\WINDOWS\system32\m0ju0a19ed.dll
C:\WINDOWS\system32\p84ulih9184.dll
C:\WINDOWS\system32\hr0q05d5e.dll
C:\WINDOWS\system32\mvrml9911.dll
C:\WINDOWS\system32\mv2sl9f71.dll
C:\WINDOWS\system32\hrl4053qe.dll
C:\WINDOWS\system32\en8ul1l91.dll
C:\WINDOWS\system32\ir26l5fs1.dll
C:\WINDOWS\system32\j04o0ah3ed4.dll
C:\WINDOWS\system32\en44l1hq1.dll
C:\WINDOWS\system32\lvlm0931e.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\p6r40g9qe6.dll
C:\WINDOWS\system32\fp6403jqe.dll
C:\WINDOWS\system32\j64o0gh3e64.dll
C:\WINDOWS\system32\enn4l15q1.dll
C:\WINDOWS\system32\u2rulc991f.dll
C:\WINDOWS\system32\mDpistub.dll
C:\WINDOWS\system32\fp0003dme.dll
C:\WINDOWS\system32\j66mlgj116o.dll
C:\WINDOWS\system32\m6640gjqe6oe0.dll
C:\WINDOWS\system32\f0l02a3mgd.dll
C:\WINDOWS\system32\l62slgf7162.dll
C:\WINDOWS\system32\t8r8li9u18.dll
C:\WINDOWS\system32\o0660ajsedo60.dll
C:\WINDOWS\system32\mvjml9111.dll
C:\WINDOWS\system32\k6pm0g71e6.dll
C:\WINDOWS\system32\NOTAudioEditor.dll
C:\WINDOWS\system32\enr8l19u1.dll
C:\WINDOWS\system32\e4jm0e11eh.dll
C:\WINDOWS\system32\n82ulif9182.dll
C:\WINDOWS\system32\kt42l7ho1.dll
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD472F60-27FA-11cf-B8B4-444553540000}"=-
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=-
"{66904C5C-51EA-4734-AF17-B6AF9242D228}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
[-HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
[-HKEY_CLASSES_ROOT\CLSID\{66904C5C-51EA-4734-AF17-B6AF9242D228}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0A9F7617-BBB8-4E84-8A55-541B4D03BB4F}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{0A9F7617-BBB8-4E84-8A55-541B4D03BB4F}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Now HJT log after Option #2 was run.
Logfile of HijackThis v1.99.1
Scan saved at 15:08:13, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\dhnklxgg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system\qhcflqq.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BLUEXENON\Binn\sqlservr.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gateway User\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YPager.exe] C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [9QxjyF9fE] C:\WINDOWS\dhnklxgg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - Trusted Zone: www.lancome.com
O15 - Trusted Zone: http://www.pokerroom.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Btax1099miscy4 - http://www.taxsoftwa...x1099miscy4.CAB
O16 - DPF: BtaxBase - http://www.taxsoftwa...om/BTAXBase.CAB
O16 - DPF: BtaxFIREy3 - http://www.taxsoftwa.../BtaxFIREy4.CAB
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.co...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.po...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game4.pogo.co...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.c...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.co...1-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} (QuickBooks Online Edition Import Utilities Class v3) - https://accounting.q...04/qboimax3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.q....271/qboax7.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...421/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AC94785-CFCD-41B2-816E-87E296840893}: NameServer = 204.117.214.10,199.2.252.10
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
Thanks again for your help!