L2Mfix 1.03
Running From:
C:\Documents and Settings\ALEX11\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\ALEX11\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\ALEX11\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 1264 'explorer.exe'
Killing PID 1264 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 1304 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\aoi2edxx.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aoi2edxx.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aoi3d1ag.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aoi3d1ag.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aucups.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aucups.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\CMYPTUI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\CMYPTUI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\fPxevent.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fPxevent.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kudit142.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kudit142.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lsrt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lsrt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lyexpand.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lyexpand.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mw3216.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mw3216.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\RQSigProc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\RQSigProc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\shi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\shi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\SYP32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\SYP32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\twfflt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\twfflt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wanrnr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wanrnr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\aoi2edxx.dll
Successfully Deleted: C:\WINNT\system32\aoi2edxx.dll
deleting: C:\WINNT\system32\aoi2edxx.dll
Successfully Deleted: C:\WINNT\system32\aoi2edxx.dll
deleting: C:\WINNT\system32\aoi3d1ag.dll
Successfully Deleted: C:\WINNT\system32\aoi3d1ag.dll
deleting: C:\WINNT\system32\aoi3d1ag.dll
Successfully Deleted: C:\WINNT\system32\aoi3d1ag.dll
deleting: C:\WINNT\system32\aucups.dll
Successfully Deleted: C:\WINNT\system32\aucups.dll
deleting: C:\WINNT\system32\aucups.dll
Successfully Deleted: C:\WINNT\system32\aucups.dll
deleting: C:\WINNT\system32\CMYPTUI.DLL
Successfully Deleted: C:\WINNT\system32\CMYPTUI.DLL
deleting: C:\WINNT\system32\CMYPTUI.DLL
Successfully Deleted: C:\WINNT\system32\CMYPTUI.DLL
deleting: C:\WINNT\system32\fPxevent.dll
Successfully Deleted: C:\WINNT\system32\fPxevent.dll
deleting: C:\WINNT\system32\fPxevent.dll
Successfully Deleted: C:\WINNT\system32\fPxevent.dll
deleting: C:\WINNT\system32\kudit142.dll
Successfully Deleted: C:\WINNT\system32\kudit142.dll
deleting: C:\WINNT\system32\kudit142.dll
Successfully Deleted: C:\WINNT\system32\kudit142.dll
deleting: C:\WINNT\system32\lsrt.dll
Successfully Deleted: C:\WINNT\system32\lsrt.dll
deleting: C:\WINNT\system32\lsrt.dll
Successfully Deleted: C:\WINNT\system32\lsrt.dll
deleting: C:\WINNT\system32\lyexpand.dll
Successfully Deleted: C:\WINNT\system32\lyexpand.dll
deleting: C:\WINNT\system32\lyexpand.dll
Successfully Deleted: C:\WINNT\system32\lyexpand.dll
deleting: C:\WINNT\system32\mw3216.dll
Successfully Deleted: C:\WINNT\system32\mw3216.dll
deleting: C:\WINNT\system32\mw3216.dll
Successfully Deleted: C:\WINNT\system32\mw3216.dll
deleting: C:\WINNT\system32\RQSigProc.dll
Successfully Deleted: C:\WINNT\system32\RQSigProc.dll
deleting: C:\WINNT\system32\RQSigProc.dll
Successfully Deleted: C:\WINNT\system32\RQSigProc.dll
deleting: C:\WINNT\system32\shi.dll
Successfully Deleted: C:\WINNT\system32\shi.dll
deleting: C:\WINNT\system32\shi.dll
Successfully Deleted: C:\WINNT\system32\shi.dll
deleting: C:\WINNT\system32\SYP32.DLL
Successfully Deleted: C:\WINNT\system32\SYP32.DLL
deleting: C:\WINNT\system32\SYP32.DLL
Successfully Deleted: C:\WINNT\system32\SYP32.DLL
deleting: C:\WINNT\system32\twfflt.dll
Successfully Deleted: C:\WINNT\system32\twfflt.dll
deleting: C:\WINNT\system32\twfflt.dll
Successfully Deleted: C:\WINNT\system32\twfflt.dll
deleting: C:\WINNT\system32\wanrnr.dll
Successfully Deleted: C:\WINNT\system32\wanrnr.dll
deleting: C:\WINNT\system32\wanrnr.dll
Successfully Deleted: C:\WINNT\system32\wanrnr.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Zipping up files for submission:
adding: aoi2edxx.dll (152 bytes security) (deflated 48%)
adding: aoi3d1ag.dll (152 bytes security) (deflated 48%)
adding: aucups.dll (152 bytes security) (deflated 48%)
adding: CMYPTUI.DLL (152 bytes security) (deflated 48%)
adding: fPxevent.dll (152 bytes security) (deflated 48%)
adding: kudit142.dll (152 bytes security) (deflated 48%)
adding: lsrt.dll (152 bytes security) (deflated 48%)
adding: lyexpand.dll (152 bytes security) (deflated 48%)
adding: mw3216.dll (152 bytes security) (deflated 48%)
adding: RQSigProc.dll (152 bytes security) (deflated 48%)
adding: shi.dll (152 bytes security) (deflated 48%)
adding: SYP32.DLL (152 bytes security) (deflated 48%)
adding: twfflt.dll (152 bytes security) (deflated 48%)
adding: wanrnr.dll (152 bytes security) (deflated 48%)
adding: guard.tmp (152 bytes security) (deflated 48%)
adding: clear.reg (152 bytes security) (deflated 22%)
adding: echo.reg (152 bytes security) (deflated 8%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 86%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 76%)
adding: test.txt (152 bytes security) (deflated 87%)
adding: test2.txt (152 bytes security) (stored 0%)
adding: test3.txt (152 bytes security) (stored 0%)
adding: test5.txt (152 bytes security) (stored 0%)
adding: xfind.txt (152 bytes security) (deflated 83%)
adding: backregs/4D4E063A-2908-4469-8FC7-1F8C623836EE.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: aoi2edxx.dll
deleting local copy: aoi2edxx.dll
deleting local copy: aoi3d1ag.dll
deleting local copy: aoi3d1ag.dll
deleting local copy: aucups.dll
deleting local copy: aucups.dll
deleting local copy: CMYPTUI.DLL
deleting local copy: CMYPTUI.DLL
deleting local copy: fPxevent.dll
deleting local copy: fPxevent.dll
deleting local copy: kudit142.dll
deleting local copy: kudit142.dll
deleting local copy: lsrt.dll
deleting local copy: lsrt.dll
deleting local copy: lyexpand.dll
deleting local copy: lyexpand.dll
deleting local copy: mw3216.dll
deleting local copy: mw3216.dll
deleting local copy: RQSigProc.dll
deleting local copy: RQSigProc.dll
deleting local copy: shi.dll
deleting local copy: shi.dll
deleting local copy: SYP32.DLL
deleting local copy: SYP32.DLL
deleting local copy: twfflt.dll
deleting local copy: twfflt.dll
deleting local copy: wanrnr.dll
deleting local copy: wanrnr.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINNT\system32\aoi2edxx.dll
C:\WINNT\system32\aoi2edxx.dll
C:\WINNT\system32\aoi3d1ag.dll
C:\WINNT\system32\aoi3d1ag.dll
C:\WINNT\system32\aucups.dll
C:\WINNT\system32\aucups.dll
C:\WINNT\system32\CMYPTUI.DLL
C:\WINNT\system32\CMYPTUI.DLL
C:\WINNT\system32\fPxevent.dll
C:\WINNT\system32\fPxevent.dll
C:\WINNT\system32\kudit142.dll
C:\WINNT\system32\kudit142.dll
C:\WINNT\system32\lsrt.dll
C:\WINNT\system32\lsrt.dll
C:\WINNT\system32\lyexpand.dll
C:\WINNT\system32\lyexpand.dll
C:\WINNT\system32\mw3216.dll
C:\WINNT\system32\mw3216.dll
C:\WINNT\system32\RQSigProc.dll
C:\WINNT\system32\RQSigProc.dll
C:\WINNT\system32\shi.dll
C:\WINNT\system32\shi.dll
C:\WINNT\system32\SYP32.DLL
C:\WINNT\system32\SYP32.DLL
C:\WINNT\system32\twfflt.dll
C:\WINNT\system32\twfflt.dll
C:\WINNT\system32\wanrnr.dll
C:\WINNT\system32\wanrnr.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{4D4E063A-2908-4469-8FC7-1F8C623836EE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{4D4E063A-2908-4469-8FC7-1F8C623836EE}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 5:10:57 PM, on 6/28/2002
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://usatoday.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ALEX11\Application Data\Mozilla\Profiles\default\te2uwnao.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) -
http://www.alternati.../00/alttiff.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft....204&clcid=0x409O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
http://us.chat1.yimg...v45/yacscom.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -
http://www.fileplane...DC_1_0_0_44.cabO16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) -
http://www.icannnews.../ST/ActiveX.ocxO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
http://chat.yahoo.com/cab/yacsui.cabO16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -
http://web1.shutterf...ds/Uploader.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn...pDownloader.cabO16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
http://chat.yahoo.com/cab/yvwrctl.cabO16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -
http://chat.msn.com/bin/msnchat45.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe