So here is the log from the V2 program:
L2Mfix 1.02
Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 2012 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 260 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\windows\system32\agifile.dll
1 file(s) copied.
Backing Up: C:\windows\system32\az16l3hs1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\aza001lme.dll
1 file(s) copied.
Backing Up: C:\windows\system32\aza2035oe.dll
1 file(s) copied.
Backing Up: C:\windows\system32\aza60ajsedo60.dll
1 file(s) copied.
Backing Up: C:\windows\system32\aza6l3hs1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\aza8059ue.dll
1 file(s) copied.
Backing Up: C:\windows\system32\bDsesrv.dll
1 file(s) copied.
Backing Up: C:\windows\system32\cnmrepl.dll
1 file(s) copied.
Backing Up: C:\windows\system32\d8j02i1mg8.dll
1 file(s) copied.
Backing Up: C:\windows\system32\ddactfrm.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dn4401hqe.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dn4u01h9e.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dn8001lme.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dnj6011se.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dnl8013ue.dll
1 file(s) copied.
Backing Up: C:\windows\system32\dwnput8.dll
1 file(s) copied.
Backing Up: C:\windows\system32\e0202afmgd2a2.dll
1 file(s) copied.
Backing Up: C:\windows\system32\e2jmlc111f.dll
1 file(s) copied.
Backing Up: C:\windows\system32\enj4l11q1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\f82mlif1182.dll
1 file(s) copied.
Backing Up: C:\windows\system32\fp4403hqe.dll
1 file(s) copied.
Backing Up: C:\windows\system32\fpn2035oe.dll
1 file(s) copied.
Backing Up: C:\windows\system32\g804lidq180e.dll
1 file(s) copied.
Backing Up: C:\windows\system32\gp22l3fo1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\gp46l3hs1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\gp80l3lm1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\gpn0l35m1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\h2n0lc5m1f.dll
1 file(s) copied.
Backing Up: C:\windows\system32\h64mlgh1164.dll
1 file(s) copied.
Backing Up: C:\windows\system32\h8l2li3o18.dll
1 file(s) copied.
Backing Up: C:\windows\system32\hr4805hue.dll
1 file(s) copied.
Backing Up: C:\windows\system32\hrj8051ue.dll
1 file(s) copied.
Backing Up: C:\windows\system32\hrr8059ue.dll
1 file(s) copied.
Backing Up: C:\windows\system32\irr8l59u1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\j02q0af5ed2.dll
1 file(s) copied.
Backing Up: C:\windows\system32\k044lahq1d4e.dll
1 file(s) copied.
Backing Up: C:\windows\system32\k0800almedqa0.dll
1 file(s) copied.
Backing Up: C:\windows\system32\k4080edueh080.dll
1 file(s) copied.
Backing Up: C:\windows\system32\kjdru.dll
1 file(s) copied.
Backing Up: C:\windows\system32\kldca.dll
1 file(s) copied.
Backing Up: C:\windows\system32\kxdhela2.dll
1 file(s) copied.
Backing Up: C:\windows\system32\kzdes.dll
1 file(s) copied.
Backing Up: C:\windows\system32\l6j80g1ue6.dll
1 file(s) copied.
Backing Up: C:\windows\system32\m4820eloehqc0.dll
1 file(s) copied.
Backing Up: C:\windows\system32\mclbui.dll
1 file(s) copied.
Backing Up: C:\windows\system32\mlxml3a.dll
1 file(s) copied.
Backing Up: C:\windows\system32\mudemui.dll
1 file(s) copied.
Backing Up: C:\windows\system32\mv48l9hu1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\mxcomput.dll
1 file(s) copied.
Backing Up: C:\windows\system32\n8n60i5se8.dll
1 file(s) copied.
Backing Up: C:\windows\system32\ndwrszht.dll
1 file(s) copied.
Backing Up: C:\windows\system32\nerszht.dll
1 file(s) copied.
Backing Up: C:\windows\system32\norsesm.dll
1 file(s) copied.
Backing Up: C:\windows\system32\nqrshu.dll
1 file(s) copied.
Backing Up: C:\windows\system32\o0660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\windows\system32\o466lejs1ho6.dll
1 file(s) copied.
Backing Up: C:\windows\system32\oM660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\windows\system32\p4p60e7seh.dll
1 file(s) copied.
Backing Up: C:\windows\system32\pIp60e7seh.dll
1 file(s) copied.
Backing Up: C:\windows\system32\rnutetab.dll
1 file(s) copied.
Backing Up: C:\windows\system32\s6880glue6q80.dll
1 file(s) copied.
Backing Up: C:\windows\system32\shclient.dll
1 file(s) copied.
Backing Up: C:\windows\system32\sjclient.dll
1 file(s) copied.
Backing Up: C:\windows\system32\smcbase.dll
1 file(s) copied.
Backing Up: C:\windows\system32\sVfrcdlg.dll
1 file(s) copied.
Backing Up: C:\windows\system32\svncui.dll
1 file(s) copied.
Backing Up: C:\windows\system32\wfaueng1.dll
1 file(s) copied.
Backing Up: C:\windows\system32\whecedit.dll
1 file(s) copied.
Backing Up: C:\windows\system32\wjn87em.dll
1 file(s) copied.
Backing Up: C:\windows\system32\wpavusd.dll
1 file(s) copied.
deleting: C:\windows\system32\agifile.dll
Successfully Deleted: C:\windows\system32\agifile.dll
deleting: C:\windows\system32\az16l3hs1.dll
Successfully Deleted: C:\windows\system32\az16l3hs1.dll
deleting: C:\windows\system32\aza001lme.dll
Successfully Deleted: C:\windows\system32\aza001lme.dll
deleting: C:\windows\system32\aza2035oe.dll
Successfully Deleted: C:\windows\system32\aza2035oe.dll
deleting: C:\windows\system32\aza60ajsedo60.dll
Successfully Deleted: C:\windows\system32\aza60ajsedo60.dll
deleting: C:\windows\system32\aza6l3hs1.dll
Successfully Deleted: C:\windows\system32\aza6l3hs1.dll
deleting: C:\windows\system32\aza8059ue.dll
Successfully Deleted: C:\windows\system32\aza8059ue.dll
deleting: C:\windows\system32\bDsesrv.dll
Successfully Deleted: C:\windows\system32\bDsesrv.dll
deleting: C:\windows\system32\cnmrepl.dll
Successfully Deleted: C:\windows\system32\cnmrepl.dll
deleting: C:\windows\system32\d8j02i1mg8.dll
Successfully Deleted: C:\windows\system32\d8j02i1mg8.dll
deleting: C:\windows\system32\ddactfrm.dll
Successfully Deleted: C:\windows\system32\ddactfrm.dll
deleting: C:\windows\system32\dn4401hqe.dll
Successfully Deleted: C:\windows\system32\dn4401hqe.dll
deleting: C:\windows\system32\dn4u01h9e.dll
Successfully Deleted: C:\windows\system32\dn4u01h9e.dll
deleting: C:\windows\system32\dn8001lme.dll
Successfully Deleted: C:\windows\system32\dn8001lme.dll
deleting: C:\windows\system32\dnj6011se.dll
Successfully Deleted: C:\windows\system32\dnj6011se.dll
deleting: C:\windows\system32\dnl8013ue.dll
Successfully Deleted: C:\windows\system32\dnl8013ue.dll
deleting: C:\windows\system32\dwnput8.dll
Successfully Deleted: C:\windows\system32\dwnput8.dll
deleting: C:\windows\system32\e0202afmgd2a2.dll
Successfully Deleted: C:\windows\system32\e0202afmgd2a2.dll
deleting: C:\windows\system32\e2jmlc111f.dll
Successfully Deleted: C:\windows\system32\e2jmlc111f.dll
deleting: C:\windows\system32\enj4l11q1.dll
Successfully Deleted: C:\windows\system32\enj4l11q1.dll
deleting: C:\windows\system32\f82mlif1182.dll
Successfully Deleted: C:\windows\system32\f82mlif1182.dll
deleting: C:\windows\system32\fp4403hqe.dll
Successfully Deleted: C:\windows\system32\fp4403hqe.dll
deleting: C:\windows\system32\fpn2035oe.dll
Successfully Deleted: C:\windows\system32\fpn2035oe.dll
deleting: C:\windows\system32\g804lidq180e.dll
Successfully Deleted: C:\windows\system32\g804lidq180e.dll
deleting: C:\windows\system32\gp22l3fo1.dll
Successfully Deleted: C:\windows\system32\gp22l3fo1.dll
deleting: C:\windows\system32\gp46l3hs1.dll
Successfully Deleted: C:\windows\system32\gp46l3hs1.dll
deleting: C:\windows\system32\gp80l3lm1.dll
Successfully Deleted: C:\windows\system32\gp80l3lm1.dll
deleting: C:\windows\system32\gpn0l35m1.dll
Successfully Deleted: C:\windows\system32\gpn0l35m1.dll
deleting: C:\windows\system32\h2n0lc5m1f.dll
Successfully Deleted: C:\windows\system32\h2n0lc5m1f.dll
deleting: C:\windows\system32\h64mlgh1164.dll
Successfully Deleted: C:\windows\system32\h64mlgh1164.dll
deleting: C:\windows\system32\h8l2li3o18.dll
Successfully Deleted: C:\windows\system32\h8l2li3o18.dll
deleting: C:\windows\system32\hr4805hue.dll
Successfully Deleted: C:\windows\system32\hr4805hue.dll
deleting: C:\windows\system32\hrj8051ue.dll
Successfully Deleted: C:\windows\system32\hrj8051ue.dll
deleting: C:\windows\system32\hrr8059ue.dll
Successfully Deleted: C:\windows\system32\hrr8059ue.dll
deleting: C:\windows\system32\irr8l59u1.dll
Successfully Deleted: C:\windows\system32\irr8l59u1.dll
deleting: C:\windows\system32\j02q0af5ed2.dll
Successfully Deleted: C:\windows\system32\j02q0af5ed2.dll
deleting: C:\windows\system32\k044lahq1d4e.dll
Successfully Deleted: C:\windows\system32\k044lahq1d4e.dll
deleting: C:\windows\system32\k0800almedqa0.dll
Successfully Deleted: C:\windows\system32\k0800almedqa0.dll
deleting: C:\windows\system32\k4080edueh080.dll
Successfully Deleted: C:\windows\system32\k4080edueh080.dll
deleting: C:\windows\system32\kjdru.dll
Successfully Deleted: C:\windows\system32\kjdru.dll
deleting: C:\windows\system32\kldca.dll
Successfully Deleted: C:\windows\system32\kldca.dll
deleting: C:\windows\system32\kxdhela2.dll
Successfully Deleted: C:\windows\system32\kxdhela2.dll
deleting: C:\windows\system32\kzdes.dll
Successfully Deleted: C:\windows\system32\kzdes.dll
deleting: C:\windows\system32\l6j80g1ue6.dll
Successfully Deleted: C:\windows\system32\l6j80g1ue6.dll
deleting: C:\windows\system32\m4820eloehqc0.dll
Successfully Deleted: C:\windows\system32\m4820eloehqc0.dll
deleting: C:\windows\system32\mclbui.dll
Successfully Deleted: C:\windows\system32\mclbui.dll
deleting: C:\windows\system32\mlxml3a.dll
Successfully Deleted: C:\windows\system32\mlxml3a.dll
deleting: C:\windows\system32\mudemui.dll
Successfully Deleted: C:\windows\system32\mudemui.dll
deleting: C:\windows\system32\mv48l9hu1.dll
Successfully Deleted: C:\windows\system32\mv48l9hu1.dll
deleting: C:\windows\system32\mxcomput.dll
Successfully Deleted: C:\windows\system32\mxcomput.dll
deleting: C:\windows\system32\n8n60i5se8.dll
Successfully Deleted: C:\windows\system32\n8n60i5se8.dll
deleting: C:\windows\system32\ndwrszht.dll
Successfully Deleted: C:\windows\system32\ndwrszht.dll
deleting: C:\windows\system32\nerszht.dll
Successfully Deleted: C:\windows\system32\nerszht.dll
deleting: C:\windows\system32\norsesm.dll
Successfully Deleted: C:\windows\system32\norsesm.dll
deleting: C:\windows\system32\nqrshu.dll
Successfully Deleted: C:\windows\system32\nqrshu.dll
deleting: C:\windows\system32\o0660ajsedo60.dll
Successfully Deleted: C:\windows\system32\o0660ajsedo60.dll
deleting: C:\windows\system32\o466lejs1ho6.dll
Successfully Deleted: C:\windows\system32\o466lejs1ho6.dll
deleting: C:\windows\system32\oM660ajsedo60.dll
Successfully Deleted: C:\windows\system32\oM660ajsedo60.dll
deleting: C:\windows\system32\p4p60e7seh.dll
Successfully Deleted: C:\windows\system32\p4p60e7seh.dll
deleting: C:\windows\system32\pIp60e7seh.dll
Successfully Deleted: C:\windows\system32\pIp60e7seh.dll
deleting: C:\windows\system32\rnutetab.dll
Successfully Deleted: C:\windows\system32\rnutetab.dll
deleting: C:\windows\system32\s6880glue6q80.dll
Successfully Deleted: C:\windows\system32\s6880glue6q80.dll
deleting: C:\windows\system32\shclient.dll
Successfully Deleted: C:\windows\system32\shclient.dll
deleting: C:\windows\system32\sjclient.dll
Successfully Deleted: C:\windows\system32\sjclient.dll
deleting: C:\windows\system32\smcbase.dll
Successfully Deleted: C:\windows\system32\smcbase.dll
deleting: C:\windows\system32\sVfrcdlg.dll
Successfully Deleted: C:\windows\system32\sVfrcdlg.dll
deleting: C:\windows\system32\svncui.dll
Successfully Deleted: C:\windows\system32\svncui.dll
deleting: C:\windows\system32\wfaueng1.dll
Successfully Deleted: C:\windows\system32\wfaueng1.dll
deleting: C:\windows\system32\whecedit.dll
Successfully Deleted: C:\windows\system32\whecedit.dll
deleting: C:\windows\system32\wjn87em.dll
Successfully Deleted: C:\windows\system32\wjn87em.dll
deleting: C:\windows\system32\wpavusd.dll
Successfully Deleted: C:\windows\system32\wpavusd.dll
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: agifile.dll (164 bytes security) (deflated 3%)
adding: az16l3hs1.dll (164 bytes security) (deflated 5%)
adding: aza001lme.dll (164 bytes security) (deflated 4%)
adding: aza2035oe.dll (164 bytes security) (deflated 4%)
adding: aza60ajsedo60.dll (164 bytes security) (deflated 4%)
adding: aza6l3hs1.dll (164 bytes security) (deflated 4%)
adding: aza8059ue.dll (164 bytes security) (deflated 4%)
adding: bDsesrv.dll (164 bytes security) (deflated 4%)
adding: cnmrepl.dll (164 bytes security) (deflated 5%)
adding: d8j02i1mg8.dll (164 bytes security) (deflated 3%)
adding: ddactfrm.dll (164 bytes security) (deflated 3%)
adding: dn4401hqe.dll (164 bytes security) (deflated 4%)
adding: dn4u01h9e.dll (164 bytes security) (deflated 4%)
adding: dn8001lme.dll (164 bytes security) (deflated 4%)
adding: dnj6011se.dll (164 bytes security) (deflated 4%)
adding: dnl8013ue.dll (164 bytes security) (deflated 4%)
adding: dwnput8.dll (164 bytes security) (deflated 4%)
adding: e0202afmgd2a2.dll (164 bytes security) (deflated 4%)
adding: e2jmlc111f.dll (164 bytes security) (deflated 3%)
adding: enj4l11q1.dll (164 bytes security) (deflated 4%)
adding: f82mlif1182.dll (164 bytes security) (deflated 4%)
adding: fp4403hqe.dll (164 bytes security) (deflated 4%)
adding: fpn2035oe.dll (164 bytes security) (deflated 4%)
adding: g804lidq180e.dll (164 bytes security) (deflated 5%)
adding: gp22l3fo1.dll (164 bytes security) (deflated 5%)
adding: gp46l3hs1.dll (164 bytes security) (deflated 4%)
adding: gp80l3lm1.dll (164 bytes security) (deflated 4%)
adding: gpn0l35m1.dll (164 bytes security) (deflated 4%)
adding: h2n0lc5m1f.dll (164 bytes security) (deflated 3%)
adding: h64mlgh1164.dll (164 bytes security) (deflated 3%)
adding: h8l2li3o18.dll (164 bytes security) (deflated 3%)
adding: hr4805hue.dll (164 bytes security) (deflated 4%)
adding: hrj8051ue.dll (164 bytes security) (deflated 3%)
adding: hrr8059ue.dll (164 bytes security) (deflated 4%)
adding: irr8l59u1.dll (164 bytes security) (deflated 4%)
adding: j02q0af5ed2.dll (164 bytes security) (deflated 4%)
adding: k044lahq1d4e.dll (164 bytes security) (deflated 5%)
adding: k0800almedqa0.dll (164 bytes security) (deflated 4%)
adding: k4080edueh080.dll (164 bytes security) (deflated 3%)
adding: kjdru.dll (164 bytes security) (deflated 3%)
adding: kldca.dll (164 bytes security) (deflated 5%)
adding: kxdhela2.dll (164 bytes security) (deflated 3%)
adding: kzdes.dll (164 bytes security) (deflated 4%)
adding: l6j80g1ue6.dll (164 bytes security) (deflated 4%)
adding: m4820eloehqc0.dll (164 bytes security) (deflated 4%)
adding: mclbui.dll (164 bytes security) (deflated 4%)
adding: mlxml3a.dll (164 bytes security) (deflated 4%)
adding: mudemui.dll (164 bytes security) (deflated 4%)
adding: mv48l9hu1.dll (164 bytes security) (deflated 4%)
adding: mxcomput.dll (164 bytes security) (deflated 5%)
adding: n8n60i5se8.dll (164 bytes security) (deflated 4%)
adding: ndwrszht.dll (164 bytes security) (deflated 4%)
adding: nerszht.dll (164 bytes security) (deflated 4%)
adding: norsesm.dll (164 bytes security) (deflated 4%)
adding: nqrshu.dll (164 bytes security) (deflated 4%)
adding: o0660ajsedo60.dll (164 bytes security) (deflated 4%)
adding: o466lejs1ho6.dll (164 bytes security) (deflated 4%)
adding: oM660ajsedo60.dll (164 bytes security) (deflated 4%)
adding: p4p60e7seh.dll (164 bytes security) (deflated 4%)
adding: pIp60e7seh.dll (164 bytes security) (deflated 3%)
adding: rnutetab.dll (164 bytes security) (deflated 4%)
adding: s6880glue6q80.dll (164 bytes security) (deflated 3%)
adding: shclient.dll (164 bytes security) (deflated 4%)
adding: sjclient.dll (164 bytes security) (deflated 3%)
adding: smcbase.dll (164 bytes security) (deflated 3%)
adding: sVfrcdlg.dll (164 bytes security) (deflated 5%)
adding: svncui.dll (164 bytes security) (deflated 5%)
adding: wfaueng1.dll (164 bytes security) (deflated 4%)
adding: whecedit.dll (164 bytes security) (deflated 3%)
adding: wjn87em.dll (164 bytes security) (deflated 3%)
adding: wpavusd.dll (164 bytes security) (deflated 4%)
adding: cecho.reg (164 bytes security) (deflated 2%)
adding: clear.reg (164 bytes security) (deflated 73%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 88%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 80%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (deflated 50%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/shell.reg (164 bytes security) (deflated 72%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: agifile.dll
deleting local copy: az16l3hs1.dll
deleting local copy: aza001lme.dll
deleting local copy: aza2035oe.dll
deleting local copy: aza60ajsedo60.dll
deleting local copy: aza6l3hs1.dll
deleting local copy: aza8059ue.dll
deleting local copy: bDsesrv.dll
deleting local copy: cnmrepl.dll
deleting local copy: d8j02i1mg8.dll
deleting local copy: ddactfrm.dll
deleting local copy: dn4401hqe.dll
deleting local copy: dn4u01h9e.dll
deleting local copy: dn8001lme.dll
deleting local copy: dnj6011se.dll
deleting local copy: dnl8013ue.dll
deleting local copy: dwnput8.dll
deleting local copy: e0202afmgd2a2.dll
deleting local copy: e2jmlc111f.dll
deleting local copy: enj4l11q1.dll
deleting local copy: f82mlif1182.dll
deleting local copy: fp4403hqe.dll
deleting local copy: fpn2035oe.dll
deleting local copy: g804lidq180e.dll
deleting local copy: gp22l3fo1.dll
deleting local copy: gp46l3hs1.dll
deleting local copy: gp80l3lm1.dll
deleting local copy: gpn0l35m1.dll
deleting local copy: h2n0lc5m1f.dll
deleting local copy: h64mlgh1164.dll
deleting local copy: h8l2li3o18.dll
deleting local copy: hr4805hue.dll
deleting local copy: hrj8051ue.dll
deleting local copy: hrr8059ue.dll
deleting local copy: irr8l59u1.dll
deleting local copy: j02q0af5ed2.dll
deleting local copy: k044lahq1d4e.dll
deleting local copy: k0800almedqa0.dll
deleting local copy: k4080edueh080.dll
deleting local copy: kjdru.dll
deleting local copy: kldca.dll
deleting local copy: kxdhela2.dll
deleting local copy: kzdes.dll
deleting local copy: l6j80g1ue6.dll
deleting local copy: m4820eloehqc0.dll
deleting local copy: mclbui.dll
deleting local copy: mlxml3a.dll
deleting local copy: mudemui.dll
deleting local copy: mv48l9hu1.dll
deleting local copy: mxcomput.dll
deleting local copy: n8n60i5se8.dll
deleting local copy: ndwrszht.dll
deleting local copy: nerszht.dll
deleting local copy: norsesm.dll
deleting local copy: nqrshu.dll
deleting local copy: o0660ajsedo60.dll
deleting local copy: o466lejs1ho6.dll
deleting local copy: oM660ajsedo60.dll
deleting local copy: p4p60e7seh.dll
deleting local copy: pIp60e7seh.dll
deleting local copy: rnutetab.dll
deleting local copy: s6880glue6q80.dll
deleting local copy: shclient.dll
deleting local copy: sjclient.dll
deleting local copy: smcbase.dll
deleting local copy: sVfrcdlg.dll
deleting local copy: svncui.dll
deleting local copy: wfaueng1.dll
deleting local copy: whecedit.dll
deleting local copy: wjn87em.dll
deleting local copy: wpavusd.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7D0BE6E4-2451-42B8-9084-FD000EC19D16}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{7D0BE6E4-2451-42B8-9084-FD000EC19D16}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************
And here is the browser hijacking report:
Logfile of HijackThis v1.96.2
Scan saved at 11:32:40 AM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\UCLA STC\STCPE\STCPE.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\windows\System32\wsxsvc\wsxsvc.exe
C:\windows\SysCheckBop32.exe
C:\windows\sys02734108825-1.exe
C:\windows\System32\rnubact.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ytugpt.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\windows\System32\msupd5.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\MsPMSPSv.exe
C:\windows\System32\wuauclt.exe
C:\windows\explorer.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {0BAD4B22-90AF-85CC-30D8-ACBBCB8B42B1} - (no file)
O2 - BHO: (no name) - {2559A890-B736-FADE-F0C6-A3B09041D2B5} - (no file)
O2 - BHO: (no name) - {B75E5983-B263-885C-9C65-7DF5B8492566} - C:\windows\System32\qazgqecr.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows Loader] windat32.exe
O4 - HKLM\..\Run: [STCPE] "C:\Program Files\UCLA STC\STCPE\STCPE.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [C:\windows\pielyu.exe] C:\windows\pielyu.exe
O4 - HKLM\..\Run: [Dvx] C:\windows\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [icuwwc] C:\windows\System32\icuwwc.exe
O4 - HKLM\..\Run: [SystemCheck] C:\windows\SysCheckBop32
O4 - HKLM\..\Run: [sys02734108825-1] C:\windows\sys02734108825-1.exe
O4 - HKLM\..\Run: [chpkic] C:\windows\System32\chpkic.exe
O4 - HKLM\..\Run: [yqjwnc] C:\windows\System32\yqjwnc.exe
O4 - HKLM\..\Run: [xsducc] C:\windows\System32\xsducc.exe
O4 - HKLM\..\Run: [bfmtic] C:\windows\System32\bfmtic.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ntechin] C:\windows\system32\n20050308.exe
O4 - HKLM\..\Run: [wFrU3EP] rnubact.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Loader] windat32.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Dste] C:\Documents and Settings\user\Application Data\x????.exe
O4 - HKCU\..\Run: [Dbsnnm] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: STCPE.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095181545625
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7935ACFD-5007-4C61-B603-3FEA6097871C} (stcpeX.stcpeocx) - http://phi.resnet.uc...Reg2/stcpeX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-44455354