L2Mfix 1.03
Running From:
C:\Documents and Settings\JG\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\JG\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\JG\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 588 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 984 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\CKCUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en06l1ds1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp2ql3f51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\HHBHealr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iGlmrnt5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j46mlej11ho.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KCDBENE.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt8sl7l71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktl0l73m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lt0027dmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrq0995e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MBC71ITA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxdad.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2660cjsefo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\OMEXL32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PWNShare.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SILGNTFY.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\CKCUI.DLL
Successfully Deleted: C:\WINDOWS\system32\CKCUI.DLL
deleting: C:\WINDOWS\system32\en06l1ds1.dll
Successfully Deleted: C:\WINDOWS\system32\en06l1ds1.dll
deleting: C:\WINDOWS\system32\gp2ql3f51.dll
Successfully Deleted: C:\WINDOWS\system32\gp2ql3f51.dll
deleting: C:\WINDOWS\system32\HHBHealr.dll
Successfully Deleted: C:\WINDOWS\system32\HHBHealr.dll
deleting: C:\WINDOWS\system32\iGlmrnt5.dll
Successfully Deleted: C:\WINDOWS\system32\iGlmrnt5.dll
deleting: C:\WINDOWS\system32\j46mlej11ho.dll
Successfully Deleted: C:\WINDOWS\system32\j46mlej11ho.dll
deleting: C:\WINDOWS\system32\KCDBENE.DLL
Successfully Deleted: C:\WINDOWS\system32\KCDBENE.DLL
deleting: C:\WINDOWS\system32\kt8sl7l71.dll
Successfully Deleted: C:\WINDOWS\system32\kt8sl7l71.dll
deleting: C:\WINDOWS\system32\ktl0l73m1.dll
Successfully Deleted: C:\WINDOWS\system32\ktl0l73m1.dll
deleting: C:\WINDOWS\system32\lt0027dmg.dll
Successfully Deleted: C:\WINDOWS\system32\lt0027dmg.dll
deleting: C:\WINDOWS\system32\lvrq0995e.dll
Successfully Deleted: C:\WINDOWS\system32\lvrq0995e.dll
deleting: C:\WINDOWS\system32\MBC71ITA.DLL
Successfully Deleted: C:\WINDOWS\system32\MBC71ITA.DLL
deleting: C:\WINDOWS\system32\mxdad.dll
Successfully Deleted: C:\WINDOWS\system32\mxdad.dll
deleting: C:\WINDOWS\system32\o2660cjsefo60.dll
Successfully Deleted: C:\WINDOWS\system32\o2660cjsefo60.dll
deleting: C:\WINDOWS\system32\OMEXL32.DLL
Successfully Deleted: C:\WINDOWS\system32\OMEXL32.DLL
deleting: C:\WINDOWS\system32\PWNShare.dll
Successfully Deleted: C:\WINDOWS\system32\PWNShare.dll
deleting: C:\WINDOWS\system32\SILGNTFY.DLL
Successfully Deleted: C:\WINDOWS\system32\SILGNTFY.DLL
Zipping up files for submission:
adding: CKCUI.DLL (164 bytes security) (deflated 5%)
adding: en06l1ds1.dll (164 bytes security) (deflated 5%)
adding: gp2ql3f51.dll (164 bytes security) (deflated 4%)
adding: HHBHealr.dll (164 bytes security) (deflated 4%)
adding: iGlmrnt5.dll (164 bytes security) (deflated 4%)
adding: j46mlej11ho.dll (164 bytes security) (deflated 5%)
adding: KCDBENE.DLL (164 bytes security) (deflated 4%)
adding: kt8sl7l71.dll (164 bytes security) (deflated 4%)
adding: ktl0l73m1.dll (164 bytes security) (deflated 5%)
adding: lt0027dmg.dll (164 bytes security) (deflated 5%)
adding: lvrq0995e.dll (164 bytes security) (deflated 6%)
adding: MBC71ITA.DLL (164 bytes security) (deflated 4%)
adding: mxdad.dll (164 bytes security) (deflated 5%)
adding: o2660cjsefo60.dll (164 bytes security) (deflated 5%)
adding: OMEXL32.DLL (164 bytes security) (deflated 5%)
adding: PWNShare.dll (164 bytes security) (deflated 5%)
adding: SILGNTFY.DLL (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 74%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 68%)
adding: backregs/50C5122A-1294-437F-AF01-2441D20DDCBC.reg (164 bytes security) (deflated 70%)
adding: backregs/65DA74EC-194A-422E-BEF1-74F1C2828190.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: CKCUI.DLL
deleting local copy: en06l1ds1.dll
deleting local copy: gp2ql3f51.dll
deleting local copy: HHBHealr.dll
deleting local copy: iGlmrnt5.dll
deleting local copy: j46mlej11ho.dll
deleting local copy: KCDBENE.DLL
deleting local copy: kt8sl7l71.dll
deleting local copy: ktl0l73m1.dll
deleting local copy: lt0027dmg.dll
deleting local copy: lvrq0995e.dll
deleting local copy: MBC71ITA.DLL
deleting local copy: mxdad.dll
deleting local copy: o2660cjsefo60.dll
deleting local copy: OMEXL32.DLL
deleting local copy: PWNShare.dll
deleting local copy: SILGNTFY.DLL
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CKCUI.DLL
C:\WINDOWS\system32\en06l1ds1.dll
C:\WINDOWS\system32\gp2ql3f51.dll
C:\WINDOWS\system32\HHBHealr.dll
C:\WINDOWS\system32\iGlmrnt5.dll
C:\WINDOWS\system32\j46mlej11ho.dll
C:\WINDOWS\system32\KCDBENE.DLL
C:\WINDOWS\system32\kt8sl7l71.dll
C:\WINDOWS\system32\ktl0l73m1.dll
C:\WINDOWS\system32\lt0027dmg.dll
C:\WINDOWS\system32\lvrq0995e.dll
C:\WINDOWS\system32\MBC71ITA.DLL
C:\WINDOWS\system32\mxdad.dll
C:\WINDOWS\system32\o2660cjsefo60.dll
C:\WINDOWS\system32\OMEXL32.DLL
C:\WINDOWS\system32\PWNShare.dll
C:\WINDOWS\system32\SILGNTFY.DLL
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{50C5122A-1294-437F-AF01-2441D20DDCBC}"=-
"{65DA74EC-194A-422E-BEF1-74F1C2828190}"=-
[-HKEY_CLASSES_ROOT\CLSID\{50C5122A-1294-437F-AF01-2441D20DDCBC}]
[-HKEY_CLASSES_ROOT\CLSID\{65DA74EC-194A-422E-BEF1-74F1C2828190}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
New HJT logLogfile of HijackThis v1.99.1
Scan saved at 1:44:24 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\nlnrzm.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dell.comO1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nlnrzm.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe