Ok, steps completed, and here are the files:
L2Mfix 1.03b
Running From:
C:\Documents and Settings\Michael Wood\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Michael Wood\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Michael Wood\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 160 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 292 'rundll32.exe'
Killing PID 448 'rundll32.exe'
Killing PID 480 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\alstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\alstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cuyptdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cuyptdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dNdxof.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dNdxof.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dUd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dUd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcawt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcawt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\medrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\medrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\morapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\morapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qldit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qldit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spripto.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spripto.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swell.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swell.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedconns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedconns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkninet(3).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkninet(3).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtavideo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtavideo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wukex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wukex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xrob2res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xrob2res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\alstream.dll
Successfully Deleted: C:\WINDOWS\system32\alstream.dll
deleting: C:\WINDOWS\system32\alstream.dll
Successfully Deleted: C:\WINDOWS\system32\alstream.dll
deleting: C:\WINDOWS\system32\cuyptdll.dll
Successfully Deleted: C:\WINDOWS\system32\cuyptdll.dll
deleting: C:\WINDOWS\system32\cuyptdll.dll
Successfully Deleted: C:\WINDOWS\system32\cuyptdll.dll
deleting: C:\WINDOWS\system32\dcauth.dll
Successfully Deleted: C:\WINDOWS\system32\dcauth.dll
deleting: C:\WINDOWS\system32\dcauth.dll
Successfully Deleted: C:\WINDOWS\system32\dcauth.dll
deleting: C:\WINDOWS\system32\dNdxof.dll
Successfully Deleted: C:\WINDOWS\system32\dNdxof.dll
deleting: C:\WINDOWS\system32\dNdxof.dll
Successfully Deleted: C:\WINDOWS\system32\dNdxof.dll
deleting: C:\WINDOWS\system32\dUd9.dll
Successfully Deleted: C:\WINDOWS\system32\dUd9.dll
deleting: C:\WINDOWS\system32\dUd9.dll
Successfully Deleted: C:\WINDOWS\system32\dUd9.dll
deleting: C:\WINDOWS\system32\mcawt.dll
Successfully Deleted: C:\WINDOWS\system32\mcawt.dll
deleting: C:\WINDOWS\system32\mcawt.dll
Successfully Deleted: C:\WINDOWS\system32\mcawt.dll
deleting: C:\WINDOWS\system32\medrv.dll
Successfully Deleted: C:\WINDOWS\system32\medrv.dll
deleting: C:\WINDOWS\system32\medrv.dll
Successfully Deleted: C:\WINDOWS\system32\medrv.dll
deleting: C:\WINDOWS\system32\morapi.dll
Successfully Deleted: C:\WINDOWS\system32\morapi.dll
deleting: C:\WINDOWS\system32\morapi.dll
Successfully Deleted: C:\WINDOWS\system32\morapi.dll
deleting: C:\WINDOWS\system32\qldit.dll
Successfully Deleted: C:\WINDOWS\system32\qldit.dll
deleting: C:\WINDOWS\system32\qldit.dll
Successfully Deleted: C:\WINDOWS\system32\qldit.dll
deleting: C:\WINDOWS\system32\sfi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sfi_ci.dll
deleting: C:\WINDOWS\system32\sfi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sfi_ci.dll
deleting: C:\WINDOWS\system32\spripto.dll
Successfully Deleted: C:\WINDOWS\system32\spripto.dll
deleting: C:\WINDOWS\system32\spripto.dll
Successfully Deleted: C:\WINDOWS\system32\spripto.dll
deleting: C:\WINDOWS\system32\swell.dll
Successfully Deleted: C:\WINDOWS\system32\swell.dll
deleting: C:\WINDOWS\system32\swell.dll
Successfully Deleted: C:\WINDOWS\system32\swell.dll
deleting: C:\WINDOWS\system32\wedconns.dll
Successfully Deleted: C:\WINDOWS\system32\wedconns.dll
deleting: C:\WINDOWS\system32\wedconns.dll
Successfully Deleted: C:\WINDOWS\system32\wedconns.dll
deleting: C:\WINDOWS\system32\wkninet(3).dll
Successfully Deleted: C:\WINDOWS\system32\wkninet(3).dll
deleting: C:\WINDOWS\system32\wkninet(3).dll
Successfully Deleted: C:\WINDOWS\system32\wkninet(3).dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wtavideo.dll
Successfully Deleted: C:\WINDOWS\system32\wtavideo.dll
deleting: C:\WINDOWS\system32\wtavideo.dll
Successfully Deleted: C:\WINDOWS\system32\wtavideo.dll
deleting: C:\WINDOWS\system32\wukex.dll
Successfully Deleted: C:\WINDOWS\system32\wukex.dll
deleting: C:\WINDOWS\system32\wukex.dll
Successfully Deleted: C:\WINDOWS\system32\wukex.dll
deleting: C:\WINDOWS\system32\xrob2res.dll
Successfully Deleted: C:\WINDOWS\system32\xrob2res.dll
deleting: C:\WINDOWS\system32\xrob2res.dll
Successfully Deleted: C:\WINDOWS\system32\xrob2res.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Zipping up files for submission:
adding: alstream.dll (140 bytes security) (deflated 48%)
adding: cuyptdll.dll (140 bytes security) (deflated 48%)
adding: dcauth.dll (140 bytes security) (deflated 48%)
adding: dNdxof.dll (140 bytes security) (deflated 48%)
adding: dUd9.dll (140 bytes security) (deflated 48%)
adding: mcawt.dll (140 bytes security) (deflated 48%)
adding: medrv.dll (140 bytes security) (deflated 48%)
adding: morapi.dll (140 bytes security) (deflated 48%)
adding: qldit.dll (140 bytes security) (deflated 48%)
adding: sfi_ci.dll (140 bytes security) (deflated 48%)
adding: spripto.dll (140 bytes security) (deflated 48%)
adding: swell.dll (140 bytes security) (deflated 48%)
adding: wedconns.dll (140 bytes security) (deflated 48%)
adding: wkninet(3).dll (140 bytes security) (deflated 48%)
adding: wlnbrand.dll (140 bytes security) (deflated 48%)
adding: wtavideo.dll (140 bytes security) (deflated 48%)
adding: wukex.dll (140 bytes security) (deflated 48%)
adding: xrob2res.dll (140 bytes security) (deflated 48%)
adding: guard.tmp (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 58%)
adding: echo.reg (140 bytes security) (deflated 10%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 88%)
adding: readme.txt (140 bytes security) (deflated 50%)
adding: report.txt (140 bytes security) (deflated 68%)
adding: test.txt (140 bytes security) (deflated 89%)
adding: test2.txt (140 bytes security) (deflated 39%)
adding: test3.txt (140 bytes security) (deflated 39%)
adding: test5.txt (140 bytes security) (deflated 39%)
adding: xfind.txt (140 bytes security) (deflated 86%)
adding: backregs/0E9456D6-86E7-4ECA-961B-7A6D404A10D6.reg (140 bytes security)
(deflated 70%)
adding: backregs/2E59905D-8939-4FC9-9610-CD322B899A31.reg (140 bytes security)
(deflated 70%)
adding: backregs/AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF.reg (140 bytes security)
(deflated 70%)
adding: backregs/B1D7A1AB-0304-4FA5-BE04-69297229935B.reg (140 bytes security)
(deflated 70%)
adding: backregs/F1461E36-66D5-4D36-A388-F426BEF5FA5F.reg (140 bytes security)
(deflated 70%)
adding: backregs/F76BF92A-0B0C-401E-BDBB-BB4241834FB4.reg (140 bytes security)
(deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
adding: backregs/shell.reg (140 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: alstream.dll
deleting local copy: alstream.dll
deleting local copy: cuyptdll.dll
deleting local copy: cuyptdll.dll
deleting local copy: dcauth.dll
deleting local copy: dcauth.dll
deleting local copy: dNdxof.dll
deleting local copy: dNdxof.dll
deleting local copy: dUd9.dll
deleting local copy: dUd9.dll
deleting local copy: mcawt.dll
deleting local copy: mcawt.dll
deleting local copy: medrv.dll
deleting local copy: medrv.dll
deleting local copy: morapi.dll
deleting local copy: morapi.dll
deleting local copy: qldit.dll
deleting local copy: qldit.dll
deleting local copy: sfi_ci.dll
deleting local copy: sfi_ci.dll
deleting local copy: spripto.dll
deleting local copy: spripto.dll
deleting local copy: swell.dll
deleting local copy: swell.dll
deleting local copy: wedconns.dll
deleting local copy: wedconns.dll
deleting local copy: wkninet(3).dll
deleting local copy: wkninet(3).dll
deleting local copy: wlnbrand.dll
deleting local copy: wlnbrand.dll
deleting local copy: wtavideo.dll
deleting local copy: wtavideo.dll
deleting local copy: wukex.dll
deleting local copy: wukex.dll
deleting local copy: xrob2res.dll
deleting local copy: xrob2res.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\alstream.dll
C:\WINDOWS\system32\alstream.dll
C:\WINDOWS\system32\cuyptdll.dll
C:\WINDOWS\system32\cuyptdll.dll
C:\WINDOWS\system32\dcauth.dll
C:\WINDOWS\system32\dcauth.dll
C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\dUd9.dll
C:\WINDOWS\system32\dUd9.dll
C:\WINDOWS\system32\mcawt.dll
C:\WINDOWS\system32\mcawt.dll
C:\WINDOWS\system32\medrv.dll
C:\WINDOWS\system32\medrv.dll
C:\WINDOWS\system32\morapi.dll
C:\WINDOWS\system32\morapi.dll
C:\WINDOWS\system32\qldit.dll
C:\WINDOWS\system32\qldit.dll
C:\WINDOWS\system32\sfi_ci.dll
C:\WINDOWS\system32\sfi_ci.dll
C:\WINDOWS\system32\spripto.dll
C:\WINDOWS\system32\spripto.dll
C:\WINDOWS\system32\swell.dll
C:\WINDOWS\system32\swell.dll
C:\WINDOWS\system32\wedconns.dll
C:\WINDOWS\system32\wedconns.dll
C:\WINDOWS\system32\wkninet(3).dll
C:\WINDOWS\system32\wkninet(3).dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wtavideo.dll
C:\WINDOWS\system32\wtavideo.dll
C:\WINDOWS\system32\wukex.dll
C:\WINDOWS\system32\wukex.dll
C:\WINDOWS\system32\xrob2res.dll
C:\WINDOWS\system32\xrob2res.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved]
"{B1D7A1AB-0304-4FA5-BE04-69297229935B}"=-
"{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}"=-
"{2E59905D-8939-4FC9-9610-CD322B899A31}"=-
"{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}"=-
"{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}"=-
"{F1461E36-66D5-4D36-A388-F426BEF5FA5F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}]
[-HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}]
[-HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}]
[-HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}]
[-HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}]
[-HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:33:31 AM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\agwyenc.EXE
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.espn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet
Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -
C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} -
C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -
C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration
Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration
Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration
Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common
Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft
Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -
C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -
C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} -
C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} -
C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -
http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -
http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -
http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -
C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
- C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Yahoo! Cribbage -
http://download.game...nts/y/it1_x.cabO16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
http://www.creative....119/CTSUEng.cabO16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.co...itialSetup1.0.0.8-2.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) -
http://musicstore.co...ALStreaming.cabO16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) -
http://www.icannnews.../ST/ActiveX.ocxO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.r...ip/RdxIE601.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/...ro.cab34246.cabO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.c...utocomplete.cabO16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.app.../ITDetector.cabO16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -
http://fdl.msn.com/z...s/heartbeat.cabO16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate
Support Package) -
http://www.creative....12119/CTPID.cabO16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
http://download.reds...ller/rssoft.cabO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o -
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration
Software\StopSignProducts\Firewall\FWService.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner -
C:\WINDOWS\apprp32.exe (file missing)
Once again, many thanks!