Windows is up and running and here is the l2mfix log:
L2Mfix 1.03
Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 1460 'explorer.exe'
Killing PID 1460 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\aatapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\AMDCXC32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\cym.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dn6801jue.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dnns0157e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dqrpsetu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dumap.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp0s03d7e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gp68l3ju1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gplql3351.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h0n0la5m1d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hkink.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\j2j60c1sef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kcdsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ktrql7951.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kwdit.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l4j80e1ueh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LCAUT13n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LRDWF13N.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\m0460ahsed460.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mfglibnt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mhcertui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mjieftp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mntlsapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\o2ns0c57ef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\o2nslc571f.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\pwrfproc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\qksname.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rCsdlg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqmpapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqndmail.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sznceng.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ugerenv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wgd_ci.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wustream.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\xesp3res.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\xwsp3res.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\aatapi.dll
Successfully Deleted: C:\WINNT\system32\aatapi.dll
deleting: C:\WINNT\system32\AMDCXC32.DLL
Successfully Deleted: C:\WINNT\system32\AMDCXC32.DLL
deleting: C:\WINNT\system32\cym.dll
Successfully Deleted: C:\WINNT\system32\cym.dll
deleting: C:\WINNT\system32\dn6801jue.dll
Successfully Deleted: C:\WINNT\system32\dn6801jue.dll
deleting: C:\WINNT\system32\dnns0157e.dll
Successfully Deleted: C:\WINNT\system32\dnns0157e.dll
deleting: C:\WINNT\system32\dqrpsetu.dll
Successfully Deleted: C:\WINNT\system32\dqrpsetu.dll
deleting: C:\WINNT\system32\dumap.dll
Successfully Deleted: C:\WINNT\system32\dumap.dll
deleting: C:\WINNT\system32\fp0s03d7e.dll
Successfully Deleted: C:\WINNT\system32\fp0s03d7e.dll
deleting: C:\WINNT\system32\gp68l3ju1.dll
Successfully Deleted: C:\WINNT\system32\gp68l3ju1.dll
deleting: C:\WINNT\system32\gplql3351.dll
Successfully Deleted: C:\WINNT\system32\gplql3351.dll
deleting: C:\WINNT\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINNT\system32\h0n0la5m1d.dll
deleting: C:\WINNT\system32\hkink.dll
Successfully Deleted: C:\WINNT\system32\hkink.dll
deleting: C:\WINNT\system32\j2j60c1sef.dll
Successfully Deleted: C:\WINNT\system32\j2j60c1sef.dll
deleting: C:\WINNT\system32\kcdsg.dll
Successfully Deleted: C:\WINNT\system32\kcdsg.dll
deleting: C:\WINNT\system32\ktrql7951.dll
Successfully Deleted: C:\WINNT\system32\ktrql7951.dll
deleting: C:\WINNT\system32\kwdit.dll
Successfully Deleted: C:\WINNT\system32\kwdit.dll
deleting: C:\WINNT\system32\l4j80e1ueh.dll
Successfully Deleted: C:\WINNT\system32\l4j80e1ueh.dll
deleting: C:\WINNT\system32\LCAUT13n.dll
Successfully Deleted: C:\WINNT\system32\LCAUT13n.dll
deleting: C:\WINNT\system32\LRDWF13N.DLL
Successfully Deleted: C:\WINNT\system32\LRDWF13N.DLL
deleting: C:\WINNT\system32\m0460ahsed460.dll
Successfully Deleted: C:\WINNT\system32\m0460ahsed460.dll
deleting: C:\WINNT\system32\mfglibnt.dll
Successfully Deleted: C:\WINNT\system32\mfglibnt.dll
deleting: C:\WINNT\system32\mhcertui.dll
Successfully Deleted: C:\WINNT\system32\mhcertui.dll
deleting: C:\WINNT\system32\mjieftp.dll
Successfully Deleted: C:\WINNT\system32\mjieftp.dll
deleting: C:\WINNT\system32\mntlsapi.dll
Successfully Deleted: C:\WINNT\system32\mntlsapi.dll
deleting: C:\WINNT\system32\o2ns0c57ef.dll
Successfully Deleted: C:\WINNT\system32\o2ns0c57ef.dll
deleting: C:\WINNT\system32\o2nslc571f.dll
Successfully Deleted: C:\WINNT\system32\o2nslc571f.dll
deleting: C:\WINNT\system32\pwrfproc.dll
Successfully Deleted: C:\WINNT\system32\pwrfproc.dll
deleting: C:\WINNT\system32\qksname.dll
Successfully Deleted: C:\WINNT\system32\qksname.dll
deleting: C:\WINNT\system32\rCsdlg.dll
Successfully Deleted: C:\WINNT\system32\rCsdlg.dll
deleting: C:\WINNT\system32\sqmpapi.dll
Successfully Deleted: C:\WINNT\system32\sqmpapi.dll
deleting: C:\WINNT\system32\sqndmail.dll
Successfully Deleted: C:\WINNT\system32\sqndmail.dll
deleting: C:\WINNT\system32\sznceng.dll
Successfully Deleted: C:\WINNT\system32\sznceng.dll
deleting: C:\WINNT\system32\ugerenv.dll
Successfully Deleted: C:\WINNT\system32\ugerenv.dll
deleting: C:\WINNT\system32\wgd_ci.dll
Successfully Deleted: C:\WINNT\system32\wgd_ci.dll
deleting: C:\WINNT\system32\wustream.dll
Successfully Deleted: C:\WINNT\system32\wustream.dll
deleting: C:\WINNT\system32\xesp3res.dll
Successfully Deleted: C:\WINNT\system32\xesp3res.dll
deleting: C:\WINNT\system32\xwsp3res.dll
Successfully Deleted: C:\WINNT\system32\xwsp3res.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Zipping up files for submission:
adding: aatapi.dll (164 bytes security) (deflated 4%)
adding: AMDCXC32.DLL (164 bytes security) (deflated 4%)
adding: cym.dll (164 bytes security) (deflated 4%)
adding: dn6801jue.dll (164 bytes security) (deflated 5%)
adding: dnns0157e.dll (164 bytes security) (deflated 4%)
adding: dqrpsetu.dll (164 bytes security) (deflated 4%)
adding: dumap.dll (164 bytes security) (deflated 4%)
adding: fp0s03d7e.dll (164 bytes security) (deflated 5%)
adding: gp68l3ju1.dll (164 bytes security) (deflated 4%)
adding: gplql3351.dll (164 bytes security) (deflated 3%)
adding: h0n0la5m1d.dll (164 bytes security) (deflated 4%)
adding: hkink.dll (164 bytes security) (deflated 5%)
adding: j2j60c1sef.dll (164 bytes security) (deflated 4%)
adding: kcdsg.dll (164 bytes security) (deflated 5%)
adding: ktrql7951.dll (164 bytes security) (deflated 5%)
adding: kwdit.dll (164 bytes security) (deflated 4%)
adding: l4j80e1ueh.dll (164 bytes security) (deflated 5%)
adding: LCAUT13n.dll (164 bytes security) (deflated 4%)
adding: LRDWF13N.DLL (164 bytes security) (deflated 4%)
adding: m0460ahsed460.dll (164 bytes security) (deflated 5%)
adding: mfglibnt.dll (164 bytes security) (deflated 5%)
adding: mhcertui.dll (164 bytes security) (deflated 4%)
adding: mjieftp.dll (164 bytes security) (deflated 5%)
adding: mntlsapi.dll (164 bytes security) (deflated 5%)
adding: o2ns0c57ef.dll (164 bytes security) (deflated 4%)
adding: o2nslc571f.dll (164 bytes security) (deflated 4%)
adding: pwrfproc.dll (164 bytes security) (deflated 4%)
adding: qksname.dll (164 bytes security) (deflated 4%)
adding: rCsdlg.dll (164 bytes security) (deflated 5%)
adding: sqmpapi.dll (164 bytes security) (deflated 5%)
adding: sqndmail.dll (164 bytes security) (deflated 4%)
adding: sznceng.dll (164 bytes security) (deflated 4%)
adding: ugerenv.dll (164 bytes security) (deflated 5%)
adding: wgd_ci.dll (164 bytes security) (deflated 4%)
adding: wustream.dll (164 bytes security) (deflated 5%)
adding: xesp3res.dll (164 bytes security) (deflated 6%)
adding: xwsp3res.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 81%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: aatapi.dll
deleting local copy: AMDCXC32.DLL
deleting local copy: cym.dll
deleting local copy: dn6801jue.dll
deleting local copy: dnns0157e.dll
deleting local copy: dqrpsetu.dll
deleting local copy: dumap.dll
deleting local copy: fp0s03d7e.dll
deleting local copy: gp68l3ju1.dll
deleting local copy: gplql3351.dll
deleting local copy: h0n0la5m1d.dll
deleting local copy: hkink.dll
deleting local copy: j2j60c1sef.dll
deleting local copy: kcdsg.dll
deleting local copy: ktrql7951.dll
deleting local copy: kwdit.dll
deleting local copy: l4j80e1ueh.dll
deleting local copy: LCAUT13n.dll
deleting local copy: LRDWF13N.DLL
deleting local copy: m0460ahsed460.dll
deleting local copy: mfglibnt.dll
deleting local copy: mhcertui.dll
deleting local copy: mjieftp.dll
deleting local copy: mntlsapi.dll
deleting local copy: o2ns0c57ef.dll
deleting local copy: o2nslc571f.dll
deleting local copy: pwrfproc.dll
deleting local copy: qksname.dll
deleting local copy: rCsdlg.dll
deleting local copy: sqmpapi.dll
deleting local copy: sqndmail.dll
deleting local copy: sznceng.dll
deleting local copy: ugerenv.dll
deleting local copy: wgd_ci.dll
deleting local copy: wustream.dll
deleting local copy: xesp3res.dll
deleting local copy: xwsp3res.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINNT\system32\aatapi.dll
C:\WINNT\system32\AMDCXC32.DLL
C:\WINNT\system32\cym.dll
C:\WINNT\system32\dn6801jue.dll
C:\WINNT\system32\dnns0157e.dll
C:\WINNT\system32\dqrpsetu.dll
C:\WINNT\system32\dumap.dll
C:\WINNT\system32\fp0s03d7e.dll
C:\WINNT\system32\gp68l3ju1.dll
C:\WINNT\system32\gplql3351.dll
C:\WINNT\system32\h0n0la5m1d.dll
C:\WINNT\system32\hkink.dll
C:\WINNT\system32\j2j60c1sef.dll
C:\WINNT\system32\kcdsg.dll
C:\WINNT\system32\ktrql7951.dll
C:\WINNT\system32\kwdit.dll
C:\WINNT\system32\l4j80e1ueh.dll
C:\WINNT\system32\LCAUT13n.dll
C:\WINNT\system32\LRDWF13N.DLL
C:\WINNT\system32\m0460ahsed460.dll
C:\WINNT\system32\mfglibnt.dll
C:\WINNT\system32\mhcertui.dll
C:\WINNT\system32\mjieftp.dll
C:\WINNT\system32\mntlsapi.dll
C:\WINNT\system32\o2ns0c57ef.dll
C:\WINNT\system32\o2nslc571f.dll
C:\WINNT\system32\pwrfproc.dll
C:\WINNT\system32\qksname.dll
C:\WINNT\system32\rCsdlg.dll
C:\WINNT\system32\sqmpapi.dll
C:\WINNT\system32\sqndmail.dll
C:\WINNT\system32\sznceng.dll
C:\WINNT\system32\ugerenv.dll
C:\WINNT\system32\wgd_ci.dll
C:\WINNT\system32\wustream.dll
C:\WINNT\system32\xesp3res.dll
C:\WINNT\system32\xwsp3res.dll
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Heres the new Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 8:56:23 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\misc\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.uscellular.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.uscellular.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.uscellular.com/O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: TBT Popup Blocker - {3950E0E8-58DC-467E-9EE4-21A0E0B142C4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {79A002FB-C126-462D-B4A7-81D6B42D1666} - F:\BIZZZZ\New Folder\Traffic_Toolbar\ShowMyBar.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: StockBar Class - {07A3D336-90D3-4C90-922D-7257D56434BF} - F:\BIZZZZ\New Folder\Traffic_Toolbar\htmlbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Traffic Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Traffic Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 -
http://download.game...ts/y/pote_x.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft....467&clcid=0x409O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
http://us.chat1.yimg...v45/yacscom.cabO16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.co...wnload/cult.cabO16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) -
http://zone.msn.com/...bGameLoader.cabO16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) -
http://zone.msn.com/...t/atomaders.cabO16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
http://chat.yahoo.com/cab/yacsui.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/...ro.cab34246.cabO16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla...ller/dwnldr.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.game...aploader_v6.cabO20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
Thanks a bunch!!