Thanks for the quick response. Here is the updated L2Mfix log
L2Mfix 1.02
Running From:
C:\Documents and Settings\user\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\user\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\user\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1484 'explorer.exe'
Killing PID 1484 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1724 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\acl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\amledit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aovpack.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhvvox.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dneml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\drlayx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\EEAPI2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en20l1fm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fprq0395e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g6jolg1316.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ihxsap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irrql5951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j4n20e5oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtpl400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0080adued080.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\khdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l02s0af7ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miapsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MLHTML.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NPSMsg.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PTDLIB32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rIsapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rtpwsx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sinike.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sxlwoa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t88ulil918q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wonsta.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\acl.dll
Successfully Deleted: C:\WINDOWS\system32\acl.dll
deleting: C:\WINDOWS\system32\amledit.dll
Successfully Deleted: C:\WINDOWS\system32\amledit.dll
deleting: C:\WINDOWS\system32\aovpack.dll
Successfully Deleted: C:\WINDOWS\system32\aovpack.dll
deleting: C:\WINDOWS\system32\dhvvox.dll
Successfully Deleted: C:\WINDOWS\system32\dhvvox.dll
deleting: C:\WINDOWS\system32\dneml.dll
Successfully Deleted: C:\WINDOWS\system32\dneml.dll
deleting: C:\WINDOWS\system32\drlayx.dll
Successfully Deleted: C:\WINDOWS\system32\drlayx.dll
deleting: C:\WINDOWS\system32\dxcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dxcompos.dll
deleting: C:\WINDOWS\system32\EEAPI2.dll
Successfully Deleted: C:\WINDOWS\system32\EEAPI2.dll
deleting: C:\WINDOWS\system32\en20l1fm1.dll
Successfully Deleted: C:\WINDOWS\system32\en20l1fm1.dll
deleting: C:\WINDOWS\system32\fprq0395e.dll
Successfully Deleted: C:\WINDOWS\system32\fprq0395e.dll
deleting: C:\WINDOWS\system32\g6jolg1316.dll
Successfully Deleted: C:\WINDOWS\system32\g6jolg1316.dll
deleting: C:\WINDOWS\system32\ihxsap.dll
Successfully Deleted: C:\WINDOWS\system32\ihxsap.dll
deleting: C:\WINDOWS\system32\irrql5951.dll
Successfully Deleted: C:\WINDOWS\system32\irrql5951.dll
deleting: C:\WINDOWS\system32\j4n20e5oeh.dll
Successfully Deleted: C:\WINDOWS\system32\j4n20e5oeh.dll
deleting: C:\WINDOWS\system32\jtpl400.dll
Successfully Deleted: C:\WINDOWS\system32\jtpl400.dll
deleting: C:\WINDOWS\system32\k0080adued080.dll
Successfully Deleted: C:\WINDOWS\system32\k0080adued080.dll
deleting: C:\WINDOWS\system32\khdaze.dll
Successfully Deleted: C:\WINDOWS\system32\khdaze.dll
deleting: C:\WINDOWS\system32\l02s0af7ed2.dll
Successfully Deleted: C:\WINDOWS\system32\l02s0af7ed2.dll
deleting: C:\WINDOWS\system32\miapsspc.dll
Successfully Deleted: C:\WINDOWS\system32\miapsspc.dll
deleting: C:\WINDOWS\system32\MLHTML.DLL
Successfully Deleted: C:\WINDOWS\system32\MLHTML.DLL
deleting: C:\WINDOWS\system32\muvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\muvidctl.dll
deleting: C:\WINDOWS\system32\NPSMsg.DLL
Successfully Deleted: C:\WINDOWS\system32\NPSMsg.DLL
deleting: C:\WINDOWS\system32\PTDLIB32.DLL
Successfully Deleted: C:\WINDOWS\system32\PTDLIB32.DLL
deleting: C:\WINDOWS\system32\rIsapi32.dll
Successfully Deleted: C:\WINDOWS\system32\rIsapi32.dll
deleting: C:\WINDOWS\system32\rtpwsx.dll
Successfully Deleted: C:\WINDOWS\system32\rtpwsx.dll
deleting: C:\WINDOWS\system32\sinike.dll
Successfully Deleted: C:\WINDOWS\system32\sinike.dll
deleting: C:\WINDOWS\system32\sxlwoa.dll
Successfully Deleted: C:\WINDOWS\system32\sxlwoa.dll
deleting: C:\WINDOWS\system32\t88ulil918q.dll
Successfully Deleted: C:\WINDOWS\system32\t88ulil918q.dll
deleting: C:\WINDOWS\system32\wonsta.dll
Successfully Deleted: C:\WINDOWS\system32\wonsta.dll
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: acl.dll (164 bytes security) (deflated 4%)
adding: amledit.dll (164 bytes security) (deflated 4%)
adding: aovpack.dll (164 bytes security) (deflated 4%)
adding: dhvvox.dll (164 bytes security) (deflated 4%)
adding: dneml.dll (164 bytes security) (deflated 4%)
adding: drlayx.dll (164 bytes security) (deflated 4%)
adding: dxcompos.dll (164 bytes security) (deflated 4%)
adding: EEAPI2.dll (164 bytes security) (deflated 5%)
adding: en20l1fm1.dll (164 bytes security) (deflated 5%)
adding: fprq0395e.dll (164 bytes security) (deflated 4%)
adding: g6jolg1316.dll (164 bytes security) (deflated 4%)
adding: ihxsap.dll (164 bytes security) (deflated 3%)
adding: irrql5951.dll (164 bytes security) (deflated 4%)
adding: j4n20e5oeh.dll (164 bytes security) (deflated 4%)
adding: jtpl400.dll (164 bytes security) (deflated 3%)
adding: k0080adued080.dll (164 bytes security) (deflated 5%)
adding: khdaze.dll (164 bytes security) (deflated 4%)
adding: l02s0af7ed2.dll (164 bytes security) (deflated 4%)
adding: miapsspc.dll (164 bytes security) (deflated 4%)
adding: MLHTML.DLL (164 bytes security) (deflated 4%)
adding: muvidctl.dll (164 bytes security) (deflated 4%)
adding: NPSMsg.DLL (164 bytes security) (deflated 4%)
adding: PTDLIB32.DLL (164 bytes security) (deflated 4%)
adding: rIsapi32.dll (164 bytes security) (deflated 5%)
adding: rtpwsx.dll (164 bytes security) (deflated 3%)
adding: sinike.dll (164 bytes security) (deflated 3%)
adding: sxlwoa.dll (164 bytes security) (deflated 4%)
adding: t88ulil918q.dll (164 bytes security) (deflated 4%)
adding: wonsta.dll (164 bytes security) (deflated 4%)
adding: cecho.reg (164 bytes security) (deflated 2%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 48%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 80%)
adding: test2.txt (164 bytes security) (deflated 44%)
adding: xfind.txt (164 bytes security) (deflated 74%)
adding: backregs/6BE537BA-237F-412C-9637-57E0AC086C66.reg (164 bytes security) (deflated 70%)
adding: backregs/AD31A2D4-DD44-4014-B81C-4F22A8F7E02E.reg (164 bytes security) (deflated 70%)
adding: backregs/ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC.reg (164 bytes security) (deflated 70%)
adding: backregs/DD3901F3-09BD-4AF4-8941-B741EEA2F9E3.reg (164 bytes security) (deflated 70%)
adding: backregs/FC714565-C08A-4E38-A9B8-642C6FF624DE.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: acl.dll
deleting local copy: amledit.dll
deleting local copy: aovpack.dll
deleting local copy: dhvvox.dll
deleting local copy: dneml.dll
deleting local copy: drlayx.dll
deleting local copy: dxcompos.dll
deleting local copy: EEAPI2.dll
deleting local copy: en20l1fm1.dll
deleting local copy: fprq0395e.dll
deleting local copy: g6jolg1316.dll
deleting local copy: ihxsap.dll
deleting local copy: irrql5951.dll
deleting local copy: j4n20e5oeh.dll
deleting local copy: jtpl400.dll
deleting local copy: k0080adued080.dll
deleting local copy: khdaze.dll
deleting local copy: l02s0af7ed2.dll
deleting local copy: miapsspc.dll
deleting local copy: MLHTML.DLL
deleting local copy: muvidctl.dll
deleting local copy: NPSMsg.DLL
deleting local copy: PTDLIB32.DLL
deleting local copy: rIsapi32.dll
deleting local copy: rtpwsx.dll
deleting local copy: sinike.dll
deleting local copy: sxlwoa.dll
deleting local copy: t88ulil918q.dll
deleting local copy: wonsta.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\acl.dll
C:\WINDOWS\system32\amledit.dll
C:\WINDOWS\system32\aovpack.dll
C:\WINDOWS\system32\dhvvox.dll
C:\WINDOWS\system32\dneml.dll
C:\WINDOWS\system32\drlayx.dll
C:\WINDOWS\system32\dxcompos.dll
C:\WINDOWS\system32\EEAPI2.dll
C:\WINDOWS\system32\en20l1fm1.dll
C:\WINDOWS\system32\fprq0395e.dll
C:\WINDOWS\system32\g6jolg1316.dll
C:\WINDOWS\system32\ihxsap.dll
C:\WINDOWS\system32\irrql5951.dll
C:\WINDOWS\system32\j4n20e5oeh.dll
C:\WINDOWS\system32\jtpl400.dll
C:\WINDOWS\system32\k0080adued080.dll
C:\WINDOWS\system32\khdaze.dll
C:\WINDOWS\system32\l02s0af7ed2.dll
C:\WINDOWS\system32\miapsspc.dll
C:\WINDOWS\system32\MLHTML.DLL
C:\WINDOWS\system32\muvidctl.dll
C:\WINDOWS\system32\NPSMsg.DLL
C:\WINDOWS\system32\PTDLIB32.DLL
C:\WINDOWS\system32\rIsapi32.dll
C:\WINDOWS\system32\rtpwsx.dll
C:\WINDOWS\system32\sinike.dll
C:\WINDOWS\system32\sxlwoa.dll
C:\WINDOWS\system32\t88ulil918q.dll
C:\WINDOWS\system32\wonsta.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}"=-
"{C89C69E2-4AAC-45EE-B31D-093EAD498F30}"=-
"{9F24CB14-4434-4C95-AC1C-121544E169D0}"=-
"{AC35D345-BB5B-4093-A6DF-EAE5D5CEC961}"=-
"{E8E3E0B4-0843-41E9-AE59-7B00784EBF09}"=-
"{FC714565-C08A-4E38-A9B8-642C6FF624DE}"=-
"{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}"=-
"{6BE537BA-237F-412C-9637-57E0AC086C66}"=-
"{DD3901F3-09BD-4AF4-8941-B741EEA2F9E3}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AD31A2D4-DD44-4014-B81C-4F22A8F7E02E}]
[-HKEY_CLASSES_ROOT\CLSID\{C89C69E2-4AAC-45EE-B31D-093EAD498F30}]
[-HKEY_CLASSES_ROOT\CLSID\{9F24CB14-4434-4C95-AC1C-121544E169D0}]
[-HKEY_CLASSES_ROOT\CLSID\{AC35D345-BB5B-4093-A6DF-EAE5D5CEC961}]
[-HKEY_CLASSES_ROOT\CLSID\{E8E3E0B4-0843-41E9-AE59-7B00784EBF09}]
[-HKEY_CLASSES_ROOT\CLSID\{FC714565-C08A-4E38-A9B8-642C6FF624DE}]
[-HKEY_CLASSES_ROOT\CLSID\{ADDE43B7-39E4-4B41-8F93-4FE79DC5A8AC}]
[-HKEY_CLASSES_ROOT\CLSID\{6BE537BA-237F-412C-9637-57E0AC086C66}]
[-HKEY_CLASSES_ROOT\CLSID\{DD3901F3-09BD-4AF4-8941-B741EEA2F9E3}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BF4041CD-5EC4-478C-82EE-7F10D76891EF}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{BF4041CD-5EC4-478C-82EE-7F10D76891EF}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************
Here is the updated Hijackthis log
Logfile of HijackThis v1.99.0
Scan saved at 7:49:06 PM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Documents and Settings\All Users\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8886DF84-BD1D-439A-B69F-3646B9C30C90}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
Thanks again