OK, I played with it some more, rebooted it again, and the reboot process worked. I rebooted and the txt file opened up. Even after doing all of this I still can't get a taskbar or icons. Thanks for the help, guys.
L2Mfix 1.02a
Running From:
C:\Documents and Settings\The D-Show\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\The D-Show\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\The D-Show\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1252 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 744 'rundll32.exe'
Killing PID 844 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\cjpbk32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cnutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\csfview.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\d20mlcd11f0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcmodemx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dfeml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnp6017se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnsshlex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dsdlgs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dtdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0j20a1oed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp2ql3f51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hE23msp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir8ql5l51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ItkEd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j26mlcj11fo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jst500.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k2080cduef080.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k408ledu1h08.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcdgae.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktjol7131.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lbwvc11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MBCTF.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mchtml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfacm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnjter40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtc40u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv0sl9d71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvvbvm50.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzdex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oybccp32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p44uleh91h4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8p60i7se8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pmlmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r2p8lc7u1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rjpcfgex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snsvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\syeio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tSpiperf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\u0ru0a99ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ujrlbva.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wccsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\weigest.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WIDRMdev.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtbcheck.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\cjpbk32.dll
Successfully Deleted: C:\WINDOWS\system32\cjpbk32.dll
deleting: C:\WINDOWS\system32\cnutil.dll
Successfully Deleted: C:\WINDOWS\system32\cnutil.dll
deleting: C:\WINDOWS\system32\csfview.dll
Successfully Deleted: C:\WINDOWS\system32\csfview.dll
deleting: C:\WINDOWS\system32\d20mlcd11f0.dll
Successfully Deleted: C:\WINDOWS\system32\d20mlcd11f0.dll
deleting: C:\WINDOWS\system32\dcauth.dll
Successfully Deleted: C:\WINDOWS\system32\dcauth.dll
deleting: C:\WINDOWS\system32\dcmodemx.dll
Successfully Deleted: C:\WINDOWS\system32\dcmodemx.dll
deleting: C:\WINDOWS\system32\dfeml.dll
Successfully Deleted: C:\WINDOWS\system32\dfeml.dll
deleting: C:\WINDOWS\system32\dnp6017se.dll
Successfully Deleted: C:\WINDOWS\system32\dnp6017se.dll
deleting: C:\WINDOWS\system32\dnsshlex.dll
Successfully Deleted: C:\WINDOWS\system32\dnsshlex.dll
deleting: C:\WINDOWS\system32\dsdlgs.dll
Successfully Deleted: C:\WINDOWS\system32\dsdlgs.dll
deleting: C:\WINDOWS\system32\dtdmo.dll
Successfully Deleted: C:\WINDOWS\system32\dtdmo.dll
deleting: C:\WINDOWS\system32\f0j20a1oed.dll
Successfully Deleted: C:\WINDOWS\system32\f0j20a1oed.dll
deleting: C:\WINDOWS\system32\gp2ql3f51.dll
Successfully Deleted: C:\WINDOWS\system32\gp2ql3f51.dll
deleting: C:\WINDOWS\system32\hE23msp.dll
Successfully Deleted: C:\WINDOWS\system32\hE23msp.dll
deleting: C:\WINDOWS\system32\ir8ql5l51.dll
Successfully Deleted: C:\WINDOWS\system32\ir8ql5l51.dll
deleting: C:\WINDOWS\system32\ItkEd.dll
Successfully Deleted: C:\WINDOWS\system32\ItkEd.dll
deleting: C:\WINDOWS\system32\j26mlcj11fo.dll
Successfully Deleted: C:\WINDOWS\system32\j26mlcj11fo.dll
deleting: C:\WINDOWS\system32\jst500.dll
Successfully Deleted: C:\WINDOWS\system32\jst500.dll
deleting: C:\WINDOWS\system32\k2080cduef080.dll
Successfully Deleted: C:\WINDOWS\system32\k2080cduef080.dll
deleting: C:\WINDOWS\system32\k408ledu1h08.dll
Successfully Deleted: C:\WINDOWS\system32\k408ledu1h08.dll
deleting: C:\WINDOWS\system32\kcdgae.dll
Successfully Deleted: C:\WINDOWS\system32\kcdgae.dll
deleting: C:\WINDOWS\system32\ktjol7131.dll
Successfully Deleted: C:\WINDOWS\system32\ktjol7131.dll
deleting: C:\WINDOWS\system32\Lbwvc11n.dll
Successfully Deleted: C:\WINDOWS\system32\Lbwvc11n.dll
deleting: C:\WINDOWS\system32\MBCTF.dll
Successfully Deleted: C:\WINDOWS\system32\MBCTF.dll
deleting: C:\WINDOWS\system32\mchtml.dll
Successfully Deleted: C:\WINDOWS\system32\mchtml.dll
deleting: C:\WINDOWS\system32\mfacm32.dll
Successfully Deleted: C:\WINDOWS\system32\mfacm32.dll
deleting: C:\WINDOWS\system32\mnjter40.dll
Successfully Deleted: C:\WINDOWS\system32\mnjter40.dll
deleting: C:\WINDOWS\system32\mtc40u.dll
Successfully Deleted: C:\WINDOWS\system32\mtc40u.dll
deleting: C:\WINDOWS\system32\mv0sl9d71.dll
Successfully Deleted: C:\WINDOWS\system32\mv0sl9d71.dll
deleting: C:\WINDOWS\system32\mvvbvm50.dll
Successfully Deleted: C:\WINDOWS\system32\mvvbvm50.dll
deleting: C:\WINDOWS\system32\mzdex.dll
Successfully Deleted: C:\WINDOWS\system32\mzdex.dll
deleting: C:\WINDOWS\system32\oybccp32.dll
Successfully Deleted: C:\WINDOWS\system32\oybccp32.dll
deleting: C:\WINDOWS\system32\p44uleh91h4.dll
Successfully Deleted: C:\WINDOWS\system32\p44uleh91h4.dll
deleting: C:\WINDOWS\system32\p8p60i7se8.dll
Successfully Deleted: C:\WINDOWS\system32\p8p60i7se8.dll
deleting: C:\WINDOWS\system32\pmlmon.dll
Successfully Deleted: C:\WINDOWS\system32\pmlmon.dll
deleting: C:\WINDOWS\system32\r2p8lc7u1f.dll
Successfully Deleted: C:\WINDOWS\system32\r2p8lc7u1f.dll
deleting: C:\WINDOWS\system32\rjpcfgex.dll
Successfully Deleted: C:\WINDOWS\system32\rjpcfgex.dll
deleting: C:\WINDOWS\system32\snsvcs.dll
Successfully Deleted: C:\WINDOWS\system32\snsvcs.dll
deleting: C:\WINDOWS\system32\syeio.dll
Successfully Deleted: C:\WINDOWS\system32\syeio.dll
deleting: C:\WINDOWS\system32\tSpiperf.dll
Successfully Deleted: C:\WINDOWS\system32\tSpiperf.dll
deleting: C:\WINDOWS\system32\u0ru0a99ed.dll
Successfully Deleted: C:\WINDOWS\system32\u0ru0a99ed.dll
deleting: C:\WINDOWS\system32\ujrlbva.dll
Successfully Deleted: C:\WINDOWS\system32\ujrlbva.dll
deleting: C:\WINDOWS\system32\wccsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wccsvc.dll
deleting: C:\WINDOWS\system32\weigest.dll
Successfully Deleted: C:\WINDOWS\system32\weigest.dll
deleting: C:\WINDOWS\system32\WIDRMdev.dll
Successfully Deleted: C:\WINDOWS\system32\WIDRMdev.dll
deleting: C:\WINDOWS\system32\wtbcheck.dll
Successfully Deleted: C:\WINDOWS\system32\wtbcheck.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: cjpbk32.dll (164 bytes security) (deflated 5%)
adding: cnutil.dll (164 bytes security) (deflated 5%)
adding: csfview.dll (164 bytes security) (deflated 5%)
adding: d20mlcd11f0.dll (164 bytes security) (deflated 5%)
adding: dcauth.dll (164 bytes security) (deflated 5%)
adding: dcmodemx.dll (164 bytes security) (deflated 5%)
adding: dfeml.dll (164 bytes security) (deflated 5%)
adding: dnp6017se.dll (164 bytes security) (deflated 6%)
adding: dnsshlex.dll (164 bytes security) (deflated 5%)
adding: dsdlgs.dll (164 bytes security) (deflated 5%)
adding: dtdmo.dll (164 bytes security) (deflated 5%)
adding: f0j20a1oed.dll (164 bytes security) (deflated 4%)
adding: gp2ql3f51.dll (164 bytes security) (deflated 5%)
adding: hE23msp.dll (164 bytes security) (deflated 5%)
adding: ir8ql5l51.dll (164 bytes security) (deflated 5%)
adding: ItkEd.dll (164 bytes security) (deflated 5%)
adding: j26mlcj11fo.dll (164 bytes security) (deflated 4%)
adding: jst500.dll (164 bytes security) (deflated 5%)
adding: k2080cduef080.dll (164 bytes security) (deflated 5%)
adding: k408ledu1h08.dll (164 bytes security) (deflated 5%)
adding: kcdgae.dll (164 bytes security) (deflated 5%)
adding: ktjol7131.dll (164 bytes security) (deflated 5%)
adding: Lbwvc11n.dll (164 bytes security) (deflated 5%)
adding: MBCTF.dll (164 bytes security) (deflated 4%)
adding: mchtml.dll (164 bytes security) (deflated 5%)
adding: mfacm32.dll (164 bytes security) (deflated 5%)
adding: mnjter40.dll (164 bytes security) (deflated 5%)
adding: mtc40u.dll (164 bytes security) (deflated 5%)
adding: mv0sl9d71.dll (164 bytes security) (deflated 5%)
adding: mvvbvm50.dll (164 bytes security) (deflated 5%)
adding: mzdex.dll (164 bytes security) (deflated 5%)
adding: oybccp32.dll (164 bytes security) (deflated 5%)
adding: p44uleh91h4.dll (164 bytes security) (deflated 5%)
adding: p8p60i7se8.dll (164 bytes security) (deflated 5%)
adding: pmlmon.dll (164 bytes security) (deflated 5%)
adding: r2p8lc7u1f.dll (164 bytes security) (deflated 4%)
adding: rjpcfgex.dll (164 bytes security) (deflated 5%)
adding: snsvcs.dll (164 bytes security) (deflated 5%)
adding: syeio.dll (164 bytes security) (deflated 5%)
adding: tSpiperf.dll (164 bytes security) (deflated 5%)
adding: u0ru0a99ed.dll (164 bytes security) (deflated 5%)
adding: ujrlbva.dll (164 bytes security) (deflated 5%)
adding: wccsvc.dll (164 bytes security) (deflated 5%)
adding: weigest.dll (164 bytes security) (deflated 4%)
adding: WIDRMdev.dll (164 bytes security) (deflated 5%)
adding: wtbcheck.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 68%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/B348A52B-5240-4B36-ACD8-34EAD43B2D4B.reg (164 bytes security) (deflated 70%)
adding: backregs/DEFB5D62-5178-43DA-8CCD-B73A56617CAA.reg (164 bytes security) (deflated 70%)
adding: backregs/F91DC4DE-0E26-4D91-961E-95CA7AA473AD.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: cjpbk32.dll
deleting local copy: cnutil.dll
deleting local copy: csfview.dll
deleting local copy: d20mlcd11f0.dll
deleting local copy: dcauth.dll
deleting local copy: dcmodemx.dll
deleting local copy: dfeml.dll
deleting local copy: dnp6017se.dll
deleting local copy: dnsshlex.dll
deleting local copy: dsdlgs.dll
deleting local copy: dtdmo.dll
deleting local copy: f0j20a1oed.dll
deleting local copy: gp2ql3f51.dll
deleting local copy: hE23msp.dll
deleting local copy: ir8ql5l51.dll
deleting local copy: ItkEd.dll
deleting local copy: j26mlcj11fo.dll
deleting local copy: jst500.dll
deleting local copy: k2080cduef080.dll
deleting local copy: k408ledu1h08.dll
deleting local copy: kcdgae.dll
deleting local copy: ktjol7131.dll
deleting local copy: Lbwvc11n.dll
deleting local copy: MBCTF.dll
deleting local copy: mchtml.dll
deleting local copy: mfacm32.dll
deleting local copy: mnjter40.dll
deleting local copy: mtc40u.dll
deleting local copy: mv0sl9d71.dll
deleting local copy: mvvbvm50.dll
deleting local copy: mzdex.dll
deleting local copy: oybccp32.dll
deleting local copy: p44uleh91h4.dll
deleting local copy: p8p60i7se8.dll
deleting local copy: pmlmon.dll
deleting local copy: r2p8lc7u1f.dll
deleting local copy: rjpcfgex.dll
deleting local copy: snsvcs.dll
deleting local copy: syeio.dll
deleting local copy: tSpiperf.dll
deleting local copy: u0ru0a99ed.dll
deleting local copy: ujrlbva.dll
deleting local copy: wccsvc.dll
deleting local copy: weigest.dll
deleting local copy: WIDRMdev.dll
deleting local copy: wtbcheck.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DEFB5D62-5178-43DA-8CCD-B73A56617CAA}"=-
"{F91DC4DE-0E26-4D91-961E-95CA7AA473AD}"=-
"{B348A52B-5240-4B36-ACD8-34EAD43B2D4B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DEFB5D62-5178-43DA-8CCD-B73A56617CAA}]
[-HKEY_CLASSES_ROOT\CLSID\{F91DC4DE-0E26-4D91-961E-95CA7AA473AD}]
[-HKEY_CLASSES_ROOT\CLSID\{B348A52B-5240-4B36-ACD8-34EAD43B2D4B}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{543D96F8-1799-4262-8B3A-25901A3686DF}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{543D96F8-1799-4262-8B3A-25901A3686DF}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Here is the Hijack this log I did right after that:
Logfile of HijackThis v1.99.0
Scan saved at 2:10:21 AM, on 2/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\The D-Show\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {828BE76F-B95A-D00D-3CF9-9F1B2133245E} - C:\WINDOWS\system32\eykzempt.dll (file missing)
O2 - BHO: (no name) - {CAA89E69-4C56-67FD-7F0D-50220876E91A} - C:\WINDOWS\system32\eksynble.dll (file missing)
O2 - BHO: (no name) - {DB8608A4-AA08-5558-925E-76ACF8C2ADD0} - C:\WINDOWS\system32\zubfvomd.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yivyoy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: yukypy.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\dolsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Unknown - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ldtwidtkzbok - Unknown - C:\WINDOWS\system32\ehmkjvaf5.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe