Winfixer 2005 [CLOSED]


  • This topic is locked

#1
arjen

    New Member

  • Member
  • Pip
  • 5 posts
Another one who has problems with this annoying Winfixer 2005, number 10.232 I think?? :tazz:

I feel a bit ashamed to ask this while I'm just a n00b but I hope someone can help. I've read many topics about it on this forum but it seems like every time there is a different approach. I've tried some of the examples that people gave to fix it but none have worked so far, so this is my last hope.

Here's my logfile, I hope someone can help me.

Logfile of HijackThis v1.99.1
Scan saved at 19:47:04, on 7-8-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\cdfoon\trayapp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\VundoFix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [Fadjxwl] C:\Program Files\Swbphhc\Hcgeird.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [njsejj] c:\windows\system32\njsejj.exe
O4 - HKLM\..\Run: [yoevelkrt] C:\WINDOWS\qgvwzyjy.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CDFoon System-Tray] C:\cdfoon\trayapp.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PinkRoccade RemCon VPN Client.lnk = C:\Program Files\PinkRoccade\RemCon VPN Client\vpngui.exe
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gvprc.nl/qp2.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\wficat.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {D4928627-19AF-4701-8F1E-C7FFA901D5A5} (Novell NAL Plugin) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\NALExec.CAB
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.premi...nsAssistent.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\r0r6la9s1d.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by arjen, 07 August 2005 - 11:50 AM.

  • 0


#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi arjen, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem. Your system has some serious infections, one of which is affecting your internet connection. So this is our first priority.

Malicious .DLL file(s) has/have disrupted the LSP chain on your computer. This can be seen by the O10 entry(ies) in your HJT log. We need to get rid of it/them.

1. Backup the registry by going to Start>Run> and type ‘regedit’ without the quotes. Then on the file menu choose ‘export’ in XP.
2. Download the LSPfix.txt and read the readme file.
3. Download LSPfix.zip or LSPfix.exe
4. Close all windows except LSPfix
5. Launch LSPfix.zip and install to its own folder, then click on LSPfix.exe. Or click on LSPfix.exe and it will launch the program.
6. In the left hand (keep) LSPfix window there will be a list of files including the identified *.dll files that are listed on the O10 line in the HJT log. These are

aklsp.dll


7. Put a check mark in the box “I know what I am doing”
8. Move all instances of the identified *.dll files that are listed on the O10 line, from the left window (keep) to the right window (remove) by highlighting the file or files and clicking the arrow.
9. Click ‘Finish’
10. Now, using Windows Explorer, DELETE the following files:

c:\Windows\System32\aklsp.dll

11. REBOOT to complete the task.
12. Now Scan again with HijackThis (ALL windows closed except HJT) and POST a new log file in this thread using “Add Reply”.

Regards,

Trevuren

  • 0

#3
arjen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Well, that worked. I lost my internet connection for a while but now it works fine again.
I already want to thank you for your time and input; if it all works perfectly again I will donate some money for sure :tazz:

New scan:

Logfile of HijackThis v1.99.1
Scan saved at 23:07:34, on 7-8-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\cdfoon\trayapp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\VundoFix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [Fadjxwl] C:\Program Files\Swbphhc\Hcgeird.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [njsejj] c:\windows\system32\njsejj.exe
O4 - HKLM\..\Run: [yoevelkrt] C:\WINDOWS\qgvwzyjy.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CDFoon System-Tray] C:\cdfoon\trayapp.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PinkRoccade RemCon VPN Client.lnk = C:\Program Files\PinkRoccade\RemCon VPN Client\vpngui.exe
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gvprc.nl/qp2.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\wficat.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {D4928627-19AF-4701-8F1E-C7FFA901D5A5} (Novell NAL Plugin) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\NALExec.CAB
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.premi...nsAssistent.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\jt2607fse.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0
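
Added example (not part of the original posts): a Python sketch that parses the HijackThis entry lines from two scans, such as the logs in posts #1 and #3 above, and reports which entries disappeared, appeared, or changed to "(file missing)" between them. The sample lines are excerpts copied from those two logs; the function and variable names are illustrative.

```python
import re
from collections import Counter, namedtuple

# Constructed sample input: entry lines excerpted from the two logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\r0r6la9s1d.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\jt2607fse.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

Entry = namedtuple("Entry", "code text missing")

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+?)\s*$")
# Annotations HijackThis appends when the referenced file is not on disk.
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)")


def parse_entries(log_text):
    """Return the entry lines of a log as Entry tuples, ignoring everything else
    (header, running-process list, forum text). Duplicates are kept."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, text = m.groups()
        missing = bool(MISSING_RE.search(text))
        # Strip the annotation so the same entry compares equal across scans.
        entries.append(Entry(code, MISSING_RE.sub("", text).strip(), missing))
    return entries


def diff_logs(before_text, after_text):
    """Compare two scans. Counts matter: the same LSP line can appear several times."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    b_keys = Counter((e.code, e.text) for e in before)
    a_keys = Counter((e.code, e.text) for e in after)
    b_missing = {(e.code, e.text) for e in before if e.missing}
    a_missing = {(e.code, e.text) for e in after if e.missing}
    return {
        # Entries present before and gone (or fewer) afterwards, with the count lost.
        "removed": sorted((b_keys - a_keys).items()),
        # Entries that were not in the first scan.
        "added": sorted((a_keys - b_keys).items()),
        # Entries in both scans whose file existed before but not afterwards.
        "became_missing": sorted(
            k for k in a_missing - b_missing if k in b_keys
        ),
    }


if __name__ == "__main__":
    report = diff_logs(LOG_BEFORE, LOG_AFTER)
    for (code, text), count in report["removed"]:
        print(f"- removed x{count}: {code} - {text}")
    for (code, text), count in report["added"]:
        print(f"+ added   x{count}: {code} - {text}")
    for code, text in report["became_missing"]:
        print(f"! file now missing: {code} - {text}")
```
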

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You have the latest version of VX2.
  • Download L2mfix from one of these two locations:

    http://www.atribune....oads/l2mfix.exe
    http://www.downloads....org/l2mfix.exe

  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then OPEN the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #"1" for Run Find Log by typing 1 and then pressing Enter.
  • This will scan your computer and it may appear as if nothing is happening, then, after a minute or 2, Notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Regards,

Trevuren

  • 0

#5
arjen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en8ql1l51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt2607fse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3B65F080-138E-ADFA-64D4-A16135A31BB1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschappenvenster van multimediabestand"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerbeheer"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Het tabblad Beveiliging"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Eigenschappenblad voor OLE-docbestand"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldschermadapter"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Monitor"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldscherm-panning"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Het tabblad Beveiliging"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibiliteitspagina"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Knipselgegevensverwerker van shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Schijfkopieer-uitbreiding"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-uitbreidingen voor Microsoft Windows Network-objecten"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-monitorbeheer"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerbeheer"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-uitbreidingen voor bestandscompressie"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shell-uitbreiding voor Web Printer"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Snelmenu Codering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Werkmap"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-pictogramuitbreiding"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profiel"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Het tabblad Beveiliging voor printers"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-extensie"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto-handtekeningextensie"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netwerkverbindingen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netwerkverbindingen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners en camera's"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners en camera's"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners en camera's"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners en camera's"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners en camera's"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-uitbreidingen voor Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplande taken"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taakbalk en menu Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Zoeken"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uitvoeren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Lettertypen"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Systeembeheer"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Eigenschappenpagina van vorige versies"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Vorige versies"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet-werkbalk"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Downloadstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Uitgebreide shell-map"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Uitgebreide shell-map 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft-browserbalk"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Zoekbalk"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Zoeken binnen deelvenster"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Zoeken op het web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Hulpprogramma met opties voor registerboomstructuur"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoAanvullen"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU-lijst voor AutoAanvullen"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Aangepaste MRU-lijst voor AutoAanvullen"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Toegankelijk"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pop-upbalk Volgen"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lijst voor AutoAanvullen: Microsoft Geschiedenis"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lijst voor AutoAanvullen: Microsoft Shell-map"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft-container met meervoudige lijst voor AutoAanvullen"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Sitemenu van shell-band"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Gebruikersondersteuning"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globale mapinstellingen"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url-geschiedenisservice"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Geschiedenis"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url-zoeken Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-welkomstscherm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Het Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Cachemap van ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Map met abonnementen"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Toepassingsbeheer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Programma voor inventarisatie van geïnstalleerde toepassingen"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI- en bestandsextractieprogramma voor miniaturen"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informatie over de handler voor miniatuurweergaven (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-extractie voor miniatuurweergaven"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Wizard Webpublicaties"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Afdrukken via het web bestellen"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell-object voor publicatiewizard"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Wizard Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Gebruikersaccounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanaal-bestand"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanaal-snelkoppeling"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Handler-object voor kanalen"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Map Off line bestanden"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{16281E95-7880-450F-8A46-C22CD0DAC28C}"=""
"{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}"=""
"{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}"=""
"{EABC0F8C-0074-4D75-8610-6AE541C7456D}"=""
"{7D25A4FD-4904-42C6-8069-630A8B5960F9}"=""
"{F494E82D-3955-4526-9450-8633954EE4E0}"=""
"{55B2D54E-FC1E-4822-A9AC-C15F0E629257}"=""
"{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}"=""
"{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}"=""
"{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}"=""
"{9614DBD9-C178-4D9E-A772-3B03B6CD5739}"=""
"{8DDA938E-3676-4184-9750-9BBBF452A891}"=""
"{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}"=""
"{6046104C-ED41-42EC-B30D-8CB8F5910C46}"=""
"{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}"=""
"{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}"=""
"{4942C783-BC68-4139-AF13-67627886324F}"=""
"{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}"=""
"{358AD978-91AB-4745-A98C-451E3DA5D0A1}"=""
"{A775EC6F-6C3C-4AD3-B605-85AD93909D61}"=""
"{894F516B-E48F-4B54-ABA0-840EE0275780}"=""
"{D5DC7776-49DC-4121-A896-4A2CBDB89F98}"=""
"{61534C06-E11C-4DC2-A89E-C2D21868CB68}"=""
"{D6799294-9D8E-42EF-AD70-1CB393A0737D}"=""
"{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}"=""
"{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}"=""
"{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}"=""
"{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}"=""
"{281D9844-0225-4939-8726-7C0732A1EA40}"=""
"{A484F720-9501-4E0D-9B61-27BB83EE0131}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16281E95-7880-450F-8A46-C22CD0DAC28C}]
@=""
"IDEx"="DS3"

[HKEY_CLASSES_ROOT\CLSID\{16281E95-7880-450F-8A46-C22CD0DAC28C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16281E95-7880-450F-8A46-C22CD0DAC28C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16281E95-7880-450F-8A46-C22CD0DAC28C}\InprocServer32]
@="C:\\WINDOWS\\system32\\RGLCPAPI.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wwdtrace.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}\InprocServer32]
@="C:\\WINDOWS\\system32\\mtports.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EABC0F8C-0074-4D75-8610-6AE541C7456D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EABC0F8C-0074-4D75-8610-6AE541C7456D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EABC0F8C-0074-4D75-8610-6AE541C7456D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EABC0F8C-0074-4D75-8610-6AE541C7456D}\InprocServer32]
@="C:\\WINDOWS\\system32\\cimmdlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7D25A4FD-4904-42C6-8069-630A8B5960F9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D25A4FD-4904-42C6-8069-630A8B5960F9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D25A4FD-4904-42C6-8069-630A8B5960F9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D25A4FD-4904-42C6-8069-630A8B5960F9}\InprocServer32]
@="C:\\WINDOWS\\system32\\iVssam.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F494E82D-3955-4526-9450-8633954EE4E0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F494E82D-3955-4526-9450-8633954EE4E0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F494E82D-3955-4526-9450-8633954EE4E0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F494E82D-3955-4526-9450-8633954EE4E0}\InprocServer32]
@="C:\\WINDOWS\\system32\\merd3x40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{55B2D54E-FC1E-4822-A9AC-C15F0E629257}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55B2D54E-FC1E-4822-A9AC-C15F0E629257}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55B2D54E-FC1E-4822-A9AC-C15F0E629257}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55B2D54E-FC1E-4822-A9AC-C15F0E629257}\InprocServer32]
@="C:\\WINDOWS\\system32\\azledit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtavusd.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}\InprocServer32]
@="C:\\WINDOWS\\system32\\rCsmontr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\puflbmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9614DBD9-C178-4D9E-A772-3B03B6CD5739}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9614DBD9-C178-4D9E-A772-3B03B6CD5739}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9614DBD9-C178-4D9E-A772-3B03B6CD5739}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9614DBD9-C178-4D9E-A772-3B03B6CD5739}\InprocServer32]
@="C:\\WINDOWS\\system32\\ifrtrmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8DDA938E-3676-4184-9750-9BBBF452A891}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8DDA938E-3676-4184-9750-9BBBF452A891}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8DDA938E-3676-4184-9750-9BBBF452A891}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8DDA938E-3676-4184-9750-9BBBF452A891}\InprocServer32]
@="C:\\WINDOWS\\system32\\dicpmon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}\InprocServer32]
@="C:\\WINDOWS\\system32\\ijitpki.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6046104C-ED41-42EC-B30D-8CB8F5910C46}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6046104C-ED41-42EC-B30D-8CB8F5910C46}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6046104C-ED41-42EC-B30D-8CB8F5910C46}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6046104C-ED41-42EC-B30D-8CB8F5910C46}\InprocServer32]
@="C:\\WINDOWS\\system32\\dddiagn.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}\InprocServer32]
@="C:\\WINDOWS\\system32\\shtupdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}\InprocServer32]
@="C:\\WINDOWS\\system32\\dbdiagn.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4942C783-BC68-4139-AF13-67627886324F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4942C783-BC68-4139-AF13-67627886324F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4942C783-BC68-4139-AF13-67627886324F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4942C783-BC68-4139-AF13-67627886324F}\InprocServer32]
@="C:\\WINDOWS\\system32\\wxwfax.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{358AD978-91AB-4745-A98C-451E3DA5D0A1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{358AD978-91AB-4745-A98C-451E3DA5D0A1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{358AD978-91AB-4745-A98C-451E3DA5D0A1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{358AD978-91AB-4745-A98C-451E3DA5D0A1}\InprocServer32]
@="C:\\WINDOWS\\system32\\oqeprn.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A775EC6F-6C3C-4AD3-B605-85AD93909D61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A775EC6F-6C3C-4AD3-B605-85AD93909D61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A775EC6F-6C3C-4AD3-B605-85AD93909D61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A775EC6F-6C3C-4AD3-B605-85AD93909D61}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{894F516B-E48F-4B54-ABA0-840EE0275780}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{894F516B-E48F-4B54-ABA0-840EE0275780}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{894F516B-E48F-4B54-ABA0-840EE0275780}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{894F516B-E48F-4B54-ABA0-840EE0275780}\InprocServer32]
@="C:\\WINDOWS\\system32\\noptools.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D5DC7776-49DC-4121-A896-4A2CBDB89F98}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5DC7776-49DC-4121-A896-4A2CBDB89F98}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5DC7776-49DC-4121-A896-4A2CBDB89F98}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5DC7776-49DC-4121-A896-4A2CBDB89F98}\InprocServer32]
@="C:\\WINDOWS\\system32\\jrdw400.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{61534C06-E11C-4DC2-A89E-C2D21868CB68}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61534C06-E11C-4DC2-A89E-C2D21868CB68}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61534C06-E11C-4DC2-A89E-C2D21868CB68}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61534C06-E11C-4DC2-A89E-C2D21868CB68}\InprocServer32]
@="C:\\WINDOWS\\system32\\ksdhept.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D6799294-9D8E-42EF-AD70-1CB393A0737D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6799294-9D8E-42EF-AD70-1CB393A0737D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6799294-9D8E-42EF-AD70-1CB393A0737D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6799294-9D8E-42EF-AD70-1CB393A0737D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wcvdmoe2.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}\InprocServer32]
@="C:\\WINDOWS\\system32\\djiman32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dncpmon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}\InprocServer32]
@="C:\\WINDOWS\\system32\\wmnntbbu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{281D9844-0225-4939-8726-7C0732A1EA40}]
@=""
"IDEx"="DS3"

[HKEY_CLASSES_ROOT\CLSID\{281D9844-0225-4939-8726-7C0732A1EA40}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{281D9844-0225-4939-8726-7C0732A1EA40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{281D9844-0225-4939-8726-7C0732A1EA40}\InprocServer32]
@="C:\\WINDOWS\\system32\\TAMode.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A484F720-9501-4E0D-9B61-27BB83EE0131}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A484F720-9501-4E0D-9B61-27BB83EE0131}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A484F720-9501-4E0D-9B61-27BB83EE0131}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A484F720-9501-4E0D-9B61-27BB83EE0131}\InprocServer32]
@="C:\\WINDOWS\\system32\\wnpcd.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Het volume in station C heeft geen naam.
Het volumenummer is D4DB-BB25

Map van C:\WINDOWS\System32

08-08-2005 12:12 233.542 wnpcd.dll
08-08-2005 12:12 234.967 ir24l5fq1.dll
07-08-2005 23:04 234.356 l4j80e1ueh.dll
07-08-2005 22:51 233.542 jt2607fse.dll
07-08-2005 12:04 233.542 aza6l95s1.dll
06-08-2005 23:54 235.561 gp8sl3l71.dll
03-08-2005 15:57 233.248 k826lifs1826.dll
02-08-2005 23:15 233.248 madmo.dll
02-08-2005 22:15 233.248 prs.dll
02-08-2005 22:15 233.248 OFComC.dll
02-08-2005 22:13 233.248 lbcwmi.dll
02-08-2005 22:13 234.842 q4rqle951h.dll
02-08-2005 22:12 234.966 gp2ml3f11.dll
02-08-2005 22:09 233.307 lv4209hoe.dll
02-08-2005 22:09 233.248 TAMode.dll
21-07-2005 18:41 <DIR> dllcache
02-04-2005 13:09 233.177 mvn6l95s1.dll
02-04-2005 11:58 233.177 wmnntbbu.dll
01-04-2005 21:54 234.818 hp0023dmg.dll
01-04-2005 21:31 234.818 dncpmon.dll
01-04-2005 19:08 235.192 irp6l57s1.dll
01-04-2005 19:00 233.628 fp6003jme.dll
01-04-2005 18:59 236.059 j0j60a1sed.dll
01-04-2005 16:41 236.059 djiman32.dll
31-03-2005 16:07 236.059 wcvdmoe2.dll
31-03-2005 11:58 236.059 ksdhept.dll
30-03-2005 21:00 236.059 m0rmla911d.dll
30-03-2005 20:58 233.030 r48slel71hq.dll
30-03-2005 10:27 233.030 jrdw400.dll
29-03-2005 20:19 236.059 noptools.dll
29-03-2005 15:40 236.059 o6840glqe6qe0.dll
29-03-2005 12:03 235.685 i4240efqeh2e0.dll
28-03-2005 12:55 236.059 oqeprn.dll
27-03-2005 22:48 236.059 wxwfax.dll
27-03-2005 12:19 235.685 dbdiagn.dll
27-03-2005 12:13 232.648 azaq0335e.dll
26-03-2005 13:00 235.685 shtupdll.dll
25-03-2005 22:15 236.122 dddiagn.dll
25-03-2005 12:44 235.685 ijitpki.dll
25-03-2005 12:30 236.296 dnj6011se.dll
25-03-2005 02:40 234.871 aza80e1ueh.dll
24-03-2005 13:33 234.871 dicpmon.dll
23-03-2005 16:53 234.871 ifrtrmgr.dll
23-03-2005 15:27 234.902 dnjm0111e.dll
23-03-2005 10:15 234.902 puflbmsg.dll
23-03-2005 00:12 233.245 rCsmontr.dll
22-03-2005 23:38 234.619 gpnsl3571.dll
22-03-2005 15:43 233.791 mv4ql9h51.dll
22-03-2005 15:41 234.016 fplq0335e.dll
21-03-2005 13:21 233.245 wtavusd.dll
20-03-2005 13:22 233.090 azledit.dll
20-03-2005 13:01 234.104 jtr2079oe.dll
19-03-2005 22:49 235.075 mvp0l97m1.dll
19-03-2005 22:17 235.075 merd3x40.dll
19-03-2005 14:47 232.966 iVssam.dll
19-03-2005 11:37 235.075 cimmdlg.dll
19-03-2005 11:10 234.483 k4lqle351h.dll
19-03-2005 10:36 234.483 mtports.dll
18-03-2005 23:05 234.872 wwdtrace.dll
18-03-2005 18:19 233.248 RGLCPAPI.dll
18-03-2005 18:15 233.248 dwserver.dll
18-03-2005 15:11 234.458 p04ulah91d4.dll
12-02-2005 22:33 <DIR> Microsoft
61 bestand(en) 14.304.830 bytes
2 map(pen) 16.704.753.664 bytes beschikbaar

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
  • Then press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer.
  • When it's finished, Notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren


#7
arjen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\Eigenaar\Bureaublad\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- INGEBOUWD\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Eigenaar\Bureaublad\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Eigenaar\Bureaublad\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'
Killing PID 1656 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 496 'rundll32.exe'
Killing PID 396 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aza6l95s1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\aza80e1ueh.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\azaq0335e.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\azledit.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\cimmdlg.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dbdiagn.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dddiagn.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dicpmon.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\djiman32.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dncpmon.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dnj6011se.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dnjm0111e.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dwserver.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\fp6003jme.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\fplq0335e.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gp2ml3f11.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gp8sl3l71.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gpnsl3571.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hp0023dmg.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\i4240efqeh2e0.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ifrtrmgr.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ijitpki.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\irp6l57s1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\iVssam.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\j0j60a1sed.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\jrdw400.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\jtr2079oe.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\k4lqle351h.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\k826lifs1826.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ksdhept.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\l4j80e1ueh.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\lbcwmi.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\lv4209hoe.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\m0rmla911d.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\madmo.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\merd3x40.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mtports.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mv4ql9h51.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mvn6l95s1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mvp0l97m1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\n0l8la3u1d.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\noptools.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\o6840glqe6qe0.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\OFComC.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\oqeprn.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\p04ulah91d4.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\prs.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\puflbmsg.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\q4rqle951h.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\qadwipes.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\r48slel71hq.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\rCsmontr.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\RGLCPAPI.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\shtupdll.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\TAMode.dll
1 bestand(en) gekopieerd.


Zipping up files for submission:

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en8ql1l51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza6l95s1.dll
C:\WINDOWS\system32\aza80e1ueh.dll
C:\WINDOWS\system32\azaq0335e.dll
C:\WINDOWS\system32\azledit.dll
C:\WINDOWS\system32\cimmdlg.dll
C:\WINDOWS\system32\dbdiagn.dll
C:\WINDOWS\system32\dddiagn.dll
C:\WINDOWS\system32\dicpmon.dll
C:\WINDOWS\system32\djiman32.dll
C:\WINDOWS\system32\dncpmon.dll
C:\WINDOWS\system32\dnj6011se.dll
C:\WINDOWS\system32\dnjm0111e.dll
C:\WINDOWS\system32\dwserver.dll
C:\WINDOWS\system32\fp6003jme.dll
C:\WINDOWS\system32\fplq0335e.dll
C:\WINDOWS\system32\gp2ml3f11.dll
C:\WINDOWS\system32\gp8sl3l71.dll
C:\WINDOWS\system32\gpnsl3571.dll
C:\WINDOWS\system32\hp0023dmg.dll
C:\WINDOWS\system32\i4240efqeh2e0.dll
C:\WINDOWS\system32\ifrtrmgr.dll
C:\WINDOWS\system32\ijitpki.dll
C:\WINDOWS\system32\irp6l57s1.dll
C:\WINDOWS\system32\iVssam.dll
C:\WINDOWS\system32\j0j60a1sed.dll
C:\WINDOWS\system32\jrdw400.dll
C:\WINDOWS\system32\jtr2079oe.dll
C:\WINDOWS\system32\k4lqle351h.dll
C:\WINDOWS\system32\k826lifs1826.dll
C:\WINDOWS\system32\ksdhept.dll
C:\WINDOWS\system32\l4j80e1ueh.dll
C:\WINDOWS\system32\lbcwmi.dll
C:\WINDOWS\system32\lv4209hoe.dll
C:\WINDOWS\system32\m0rmla911d.dll
C:\WINDOWS\system32\madmo.dll
C:\WINDOWS\system32\merd3x40.dll
C:\WINDOWS\system32\mtports.dll
C:\WINDOWS\system32\mv4ql9h51.dll
C:\WINDOWS\system32\mvn6l95s1.dll
C:\WINDOWS\system32\mvp0l97m1.dll
C:\WINDOWS\system32\n0l8la3u1d.dll
C:\WINDOWS\system32\noptools.dll
C:\WINDOWS\system32\o6840glqe6qe0.dll
C:\WINDOWS\system32\OFComC.dll
C:\WINDOWS\system32\oqeprn.dll
C:\WINDOWS\system32\p04ulah91d4.dll
C:\WINDOWS\system32\prs.dll
C:\WINDOWS\system32\puflbmsg.dll
C:\WINDOWS\system32\q4rqle951h.dll
C:\WINDOWS\system32\qadwipes.dll
C:\WINDOWS\system32\r48slel71hq.dll
C:\WINDOWS\system32\rCsmontr.dll
C:\WINDOWS\system32\RGLCPAPI.dll
C:\WINDOWS\system32\shtupdll.dll
C:\WINDOWS\system32\TAMode.dll
C:\WINDOWS\system32\wcvdmoe2.dll
C:\WINDOWS\system32\wladmod.dll
C:\WINDOWS\system32\wmnntbbu.dll
C:\WINDOWS\system32\wtavusd.dll
C:\WINDOWS\system32\wwdtrace.dll
C:\WINDOWS\system32\wxwfax.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{16281E95-7880-450F-8A46-C22CD0DAC28C}"=-
"{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}"=-
"{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}"=-
"{EABC0F8C-0074-4D75-8610-6AE541C7456D}"=-
"{7D25A4FD-4904-42C6-8069-630A8B5960F9}"=-
"{F494E82D-3955-4526-9450-8633954EE4E0}"=-
"{55B2D54E-FC1E-4822-A9AC-C15F0E629257}"=-
"{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}"=-
"{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}"=-
"{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}"=-
"{9614DBD9-C178-4D9E-A772-3B03B6CD5739}"=-
"{8DDA938E-3676-4184-9750-9BBBF452A891}"=-
"{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}"=-
"{6046104C-ED41-42EC-B30D-8CB8F5910C46}"=-
"{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}"=-
"{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}"=-
"{4942C783-BC68-4139-AF13-67627886324F}"=-
"{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}"=-
"{358AD978-91AB-4745-A98C-451E3DA5D0A1}"=-
"{A775EC6F-6C3C-4AD3-B605-85AD93909D61}"=-
"{894F516B-E48F-4B54-ABA0-840EE0275780}"=-
"{D5DC7776-49DC-4121-A896-4A2CBDB89F98}"=-
"{61534C06-E11C-4DC2-A89E-C2D21868CB68}"=-
"{D6799294-9D8E-42EF-AD70-1CB393A0737D}"=-
"{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}"=-
"{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}"=-
"{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}"=-
"{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}"=-
"{281D9844-0225-4939-8726-7C0732A1EA40}"=-
"{A484F720-9501-4E0D-9B61-27BB83EE0131}"=-
[-HKEY_CLASSES_ROOT\CLSID\{16281E95-7880-450F-8A46-C22CD0DAC28C}]
[-HKEY_CLASSES_ROOT\CLSID\{4D1BFEA5-EC3A-4A01-BC49-AFC2BCCAC1BB}]
[-HKEY_CLASSES_ROOT\CLSID\{7F64B892-CCBD-4E35-A34D-AA808DDD8EC4}]
[-HKEY_CLASSES_ROOT\CLSID\{EABC0F8C-0074-4D75-8610-6AE541C7456D}]
[-HKEY_CLASSES_ROOT\CLSID\{7D25A4FD-4904-42C6-8069-630A8B5960F9}]
[-HKEY_CLASSES_ROOT\CLSID\{F494E82D-3955-4526-9450-8633954EE4E0}]
[-HKEY_CLASSES_ROOT\CLSID\{55B2D54E-FC1E-4822-A9AC-C15F0E629257}]
[-HKEY_CLASSES_ROOT\CLSID\{A66A6A19-BA0C-47F3-947C-2B108D5C55EC}]
[-HKEY_CLASSES_ROOT\CLSID\{C78191B3-0341-4BA8-AEF9-E21BD74A4E33}]
[-HKEY_CLASSES_ROOT\CLSID\{39A1F52F-213A-41D2-8BFF-5A8426CF55E2}]
[-HKEY_CLASSES_ROOT\CLSID\{9614DBD9-C178-4D9E-A772-3B03B6CD5739}]
[-HKEY_CLASSES_ROOT\CLSID\{8DDA938E-3676-4184-9750-9BBBF452A891}]
[-HKEY_CLASSES_ROOT\CLSID\{AEA9CAEF-F31B-40FC-A889-B70C24001DC6}]
[-HKEY_CLASSES_ROOT\CLSID\{6046104C-ED41-42EC-B30D-8CB8F5910C46}]
[-HKEY_CLASSES_ROOT\CLSID\{52B6698E-A173-4A5C-80E6-18AFBFF81FF1}]
[-HKEY_CLASSES_ROOT\CLSID\{E49DFB8B-DFC5-4749-B643-8ADB03D1E990}]
[-HKEY_CLASSES_ROOT\CLSID\{4942C783-BC68-4139-AF13-67627886324F}]
[-HKEY_CLASSES_ROOT\CLSID\{A01F5614-FA20-48A7-828D-A5ECE1EF8A92}]
[-HKEY_CLASSES_ROOT\CLSID\{358AD978-91AB-4745-A98C-451E3DA5D0A1}]
[-HKEY_CLASSES_ROOT\CLSID\{A775EC6F-6C3C-4AD3-B605-85AD93909D61}]
[-HKEY_CLASSES_ROOT\CLSID\{894F516B-E48F-4B54-ABA0-840EE0275780}]
[-HKEY_CLASSES_ROOT\CLSID\{D5DC7776-49DC-4121-A896-4A2CBDB89F98}]
[-HKEY_CLASSES_ROOT\CLSID\{61534C06-E11C-4DC2-A89E-C2D21868CB68}]
[-HKEY_CLASSES_ROOT\CLSID\{D6799294-9D8E-42EF-AD70-1CB393A0737D}]
[-HKEY_CLASSES_ROOT\CLSID\{C1A40E8B-5A06-40E3-8903-CD1142BABAFA}]
[-HKEY_CLASSES_ROOT\CLSID\{6A5A9D07-F144-4BAE-A498-A5D6F38D5CB1}]
[-HKEY_CLASSES_ROOT\CLSID\{9251BF13-DA68-4DEB-BB2E-5AD9B3CEBC97}]
[-HKEY_CLASSES_ROOT\CLSID\{1BC7F32A-7A47-4B17-A7A9-750060ADD18F}]
[-HKEY_CLASSES_ROOT\CLSID\{281D9844-0225-4939-8726-7C0732A1EA40}]
[-HKEY_CLASSES_ROOT\CLSID\{A484F720-9501-4E0D-9B61-27BB83EE0131}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


New hijack this log :

Logfile of HijackThis v1.99.1
Scan saved at 21:51:25, on 8-8-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\program files\180searchassistant\salm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\0gtcbrj2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\cdfoon\trayapp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\VundoFix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll


O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fadjxwl] C:\Program Files\Swbphhc\Hcgeird.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [njsejj] c:\windows\system32\njsejj.exe
O4 - HKLM\..\Run: [yoevelkrt] C:\WINDOWS\qgvwzyjy.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [jcl] C:\WINDOWS\jcl.exe
O4 - HKLM\..\Run: [0gtcbrj2] C:\WINDOWS\system32\0gtcbrj2.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CDFoon System-Tray] C:\cdfoon\trayapp.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PinkRoccade RemCon VPN Client.lnk = C:\Program Files\PinkRoccade\RemCon VPN Client\vpngui.exe
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gvprc.nl/qp2.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\wficat.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {D4928627-19AF-4701-8F1E-C7FFA901D5A5} (Novell NAL Plugin) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\NALExec.CAB
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.premi...nsAssistent.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Next, we will work on your Isearch infection:

1. Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select the following files and click on "Kill process". Answer Yes to the "Are you sure..." question.
  • desktop.exe
  • edmond.exe
  • ffisearch.exe
2. Launch Notepad, and copy/paste the text in the codebox below into a new text file. Save it as fixme.reg and "All Files" as type on your Desktop.



REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

; Delete only these two values; the Run key itself stays in place.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-
"ffis"=-


3. Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

4. Restart your computer.

5. Launch Notepad, and copy/paste the text in the codebox below into a new text file. Save it as Unreg.bat and "All Files" as type on your Desktop.

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll


6. Locate Unreg.bat on your Desktop and double-click on it.


7. Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
  • delprot.ini
  • delprot.log
  • desktop.exe
  • isrvs (delete the entire folder)
8. Delete the following file: C:\Windows\System32\Drivers\Delprot.sys


9. Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
  • anal exploits.url
  • big d*** school for 2.95.url
  • evidence eraser.lnk
  • popup blocker stops popups.lnk
  • spyware avenger.lnk
  • virus hunter security.lnk
  • your platinum visa.lnk
10. REBOOT your system

11. Run HJT, click SCAN, produce a LOG and Post it into this thread for review.

Regards

Trevuren

  • 0
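The fix file in step 2 uses two different deletion syntaxes: a [-KEY] header removes a whole key with everything under it, while "name"=- under a plain [KEY] header removes a single value. The Python lint below is an added example, not part of the original post; the sample file is constructed, and the SHARED_KEYS list and the function name are assumptions chosen for illustration.

```python
import re

HEADER = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]\s*$')
VALUE = re.compile(r'^(@|"[^"]*")\s*=')

# Assumption for this example: keys shared by many programs, never to be removed whole.
SHARED_KEYS = {
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
    r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon',
}

def lint_reg(text):
    """Return (line_no, key, issue) tuples for risky key-deletion headers."""
    findings, current = [], None   # current = [line_no, key, is_delete, reported]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = [no, m.group(2), m.group(1) == '-', False]
            if current[2] and current[1].lower() in SHARED_KEYS:
                findings.append((no, current[1], 'deletes shared key'))
        elif current and current[2] and not current[3] and VALUE.match(line):
            # Value lines under a delete header suggest a value deletion was intended.
            current[3] = True
            findings.append((current[0], current[1], 'values under delete header'))
    return findings

# Constructed sample in REGEDIT4 format (not a file from the thread).
SAMPLE_REG = r'''REGEDIT4

[-HKEY_CLASSES_ROOT\mfiltis]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ffis"=-
'''
```

Running lint_reg(SAMPLE_REG) reports the second Run header twice: once for removing a shared key and once for carrying value lines under a delete header.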

#9
arjen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I noticed that winfixer2005 has been removed, great. Did all the steps below but encountered some problems, don't know if that's a big problem, here they are:

1. HijackThis couldn't find any of those .exe files

6. didn't work, it gave an error

7. deleted delprot.ini, other files couldn't be found

8. delprot.sys couldn't be found

9. couldn't find any of those files


new hijack this


Logfile of HijackThis v1.99.1
Scan saved at 17:32:58, on 9-8-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\cdfoon\trayapp.exe
C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\VundoFix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CDFoon System-Tray] C:\cdfoon\trayapp.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PinkRoccade RemCon VPN Client.lnk = C:\Program Files\PinkRoccade\RemCon VPN Client\vpngui.exe
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gvprc.nl/qp2.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\wficat.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {D4928627-19AF-4701-8F1E-C7FFA901D5A5} (Novell NAL Plugin) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\NALExec.CAB
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.premi...nsAssistent.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\PinkRoccade\RemCon VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
    O16 - DPF: {D4928627-19AF-4701-8F1E-C7FFA901D5A5} (Novell NAL Plugin) - file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0\NALExec.CAB
    O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)




  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\Program Files\Media Gateway <=== Folder
    C:\WINDOWS\nem220.dll
    C:\Program Files\Ebates_MoeMoneyMaker <=== Folder
    C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\dc492cf0 <=== Folder
    C:\WINDOWS\system32\en8ql1l51.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0
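Each round of this thread comes down to comparing one HijackThis scan with the next and spotting entries whose target file is already gone. The Python code below is an added example, not part of the thread or of HijackThis; the two sample logs are constructed from entries shown above, and the function names are assumptions.

```python
import re

ENTRY = re.compile(r'^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$')
ORPHAN = re.compile(r'\((file missing|no file)\)')

def parse_hjt(text):
    """Split a HijackThis log into running processes and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == 'Running processes:':
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def orphaned(entries):
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return [e for e in entries if ORPHAN.search(e[1])]

def diff_logs(before, after):
    """Return (removed, added) entries between two scans, in log order."""
    old = parse_hjt(before)[1]
    new = parse_hjt(after)[1]
    return [e for e in old if e not in new], [e for e in new if e not in old]

# Constructed samples: BEFORE reuses entries from the log above, AFTER is hypothetical.
BEFORE = r'''Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Gateway\MediaGateway.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en8ql1l51.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
'''
AFTER = r'''Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
'''
```

An entry that still appears in the later scan after being fixed, or a new one under "added", is what a reviewer would look at first.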

#11
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





