L2Mfix 1.02b
Running From:
C:\Documents and Settings\Administrator\Desktop\12mfix-save2
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Administrator\Desktop\12mfix-save2
System Rebooted!
Running From:
C:\Documents and Settings\Administrator\Desktop\12mfix-save2
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
Killing PID 1720 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\azas0ij7e8o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\BKINSS147.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn0801due.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp4m03h1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp0ql3d51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr8s05l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrjo0513e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt8u07l9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxduzb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l6j8lg1u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0nqla551d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m8po0i73e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnrd3x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n2p4lc7q1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p04u0ah9ed4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p86s0ij7e8o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s2pu0c79ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wpspdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\azas0ij7e8o.dll
Successfully Deleted: C:\WINDOWS\system32\azas0ij7e8o.dll
deleting: C:\WINDOWS\system32\BKINSS147.DLL
Successfully Deleted: C:\WINDOWS\system32\BKINSS147.DLL
deleting: C:\WINDOWS\system32\dn0801due.dll
Successfully Deleted: C:\WINDOWS\system32\dn0801due.dll
deleting: C:\WINDOWS\system32\fp4m03h1e.dll
Successfully Deleted: C:\WINDOWS\system32\fp4m03h1e.dll
deleting: C:\WINDOWS\system32\gp0ql3d51.dll
Successfully Deleted: C:\WINDOWS\system32\gp0ql3d51.dll
deleting: C:\WINDOWS\system32\hr8s05l7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr8s05l7e.dll
deleting: C:\WINDOWS\system32\hrjo0513e.dll
Successfully Deleted: C:\WINDOWS\system32\hrjo0513e.dll
deleting: C:\WINDOWS\system32\jt8u07l9e.dll
Successfully Deleted: C:\WINDOWS\system32\jt8u07l9e.dll
deleting: C:\WINDOWS\system32\ktdit.dll
Successfully Deleted: C:\WINDOWS\system32\ktdit.dll
deleting: C:\WINDOWS\system32\kxduzb.dll
Successfully Deleted: C:\WINDOWS\system32\kxduzb.dll
deleting: C:\WINDOWS\system32\l6j8lg1u16.dll
Successfully Deleted: C:\WINDOWS\system32\l6j8lg1u16.dll
deleting: C:\WINDOWS\system32\m0nqla551d.dll
Successfully Deleted: C:\WINDOWS\system32\m0nqla551d.dll
deleting: C:\WINDOWS\system32\m8po0i73e8.dll
Successfully Deleted: C:\WINDOWS\system32\m8po0i73e8.dll
deleting: C:\WINDOWS\system32\mnrd3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mnrd3x40.dll
deleting: C:\WINDOWS\system32\n2p4lc7q1f.dll
Successfully Deleted: C:\WINDOWS\system32\n2p4lc7q1f.dll
deleting: C:\WINDOWS\system32\p04u0ah9ed4.dll
Successfully Deleted: C:\WINDOWS\system32\p04u0ah9ed4.dll
deleting: C:\WINDOWS\system32\p86s0ij7e8o.dll
Successfully Deleted: C:\WINDOWS\system32\p86s0ij7e8o.dll
deleting: C:\WINDOWS\system32\s2pu0c79ef.dll
Successfully Deleted: C:\WINDOWS\system32\s2pu0c79ef.dll
deleting: C:\WINDOWS\system32\wpspdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wpspdmod.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: azas0ij7e8o.dll (164 bytes security) (deflated 4%)
adding: BKINSS147.DLL (164 bytes security) (deflated 4%)
adding: dn0801due.dll (164 bytes security) (deflated 4%)
adding: fp4m03h1e.dll (164 bytes security) (deflated 4%)
adding: gp0ql3d51.dll (164 bytes security) (deflated 5%)
adding: hr8s05l7e.dll (164 bytes security) (deflated 5%)
adding: hrjo0513e.dll (164 bytes security) (deflated 3%)
adding: jt8u07l9e.dll (164 bytes security) (deflated 4%)
adding: ktdit.dll (164 bytes security) (deflated 4%)
adding: kxduzb.dll (164 bytes security) (deflated 4%)
adding: l6j8lg1u16.dll (164 bytes security) (deflated 5%)
adding: m0nqla551d.dll (164 bytes security) (deflated 4%)
adding: m8po0i73e8.dll (164 bytes security) (deflated 5%)
adding: mnrd3x40.dll (164 bytes security) (deflated 4%)
adding: n2p4lc7q1f.dll (164 bytes security) (deflated 4%)
adding: p04u0ah9ed4.dll (164 bytes security) (deflated 5%)
adding: p86s0ij7e8o.dll (164 bytes security) (deflated 4%)
adding: s2pu0c79ef.dll (164 bytes security) (deflated 5%)
adding: wpspdmod.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: desktop.ini (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 76%)
adding: test2.txt (164 bytes security) (deflated 43%)
adding: test3.txt (164 bytes security) (deflated 43%)
adding: test5.txt (164 bytes security) (deflated 43%)
adding: xfind.txt (164 bytes security) (deflated 70%)
adding: backregs/563124B6-1915-4340-92CD-8D271404347B.reg (164 bytes security) (deflated 70%)
adding: backregs/57F44477-5DA2-4650-B24F-8AADC76B39C7.reg (164 bytes security) (deflated 70%)
adding: backregs/7629E2F1-2103-4A5B-A11D-9C15FD12CD38.reg (164 bytes security) (deflated 70%)
adding: backregs/8FC9FF69-66D2-4282-A98B-C52AE77EFF1D.reg (164 bytes security) (deflated 70%)
adding: backregs/9829C4C0-B26C-4BDB-968E-45EFD471CB50.reg (164 bytes security) (deflated 70%)
adding: backregs/A5B5D610-F86F-48C7-AFBE-967C50DF99AF.reg (164 bytes security) (deflated 70%)
adding: backregs/B085B34B-AE02-4145-9903-8A3CFACCAFDB.reg (164 bytes security) (deflated 70%)
adding: backregs/E883FFE4-D708-41F7-B26B-2A55F4A31B34.reg (164 bytes security) (deflated 70%)
adding: backregs/FB061040-C363-4345-B32B-CFC9B0A4832A.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: azas0ij7e8o.dll
deleting local copy: BKINSS147.DLL
deleting local copy: dn0801due.dll
deleting local copy: fp4m03h1e.dll
deleting local copy: gp0ql3d51.dll
deleting local copy: hr8s05l7e.dll
deleting local copy: hrjo0513e.dll
deleting local copy: jt8u07l9e.dll
deleting local copy: ktdit.dll
deleting local copy: kxduzb.dll
deleting local copy: l6j8lg1u16.dll
deleting local copy: m0nqla551d.dll
deleting local copy: m8po0i73e8.dll
deleting local copy: mnrd3x40.dll
deleting local copy: n2p4lc7q1f.dll
deleting local copy: p04u0ah9ed4.dll
deleting local copy: p86s0ij7e8o.dll
deleting local copy: s2pu0c79ef.dll
deleting local copy: wpspdmod.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\azas0ij7e8o.dll
C:\WINDOWS\system32\BKINSS147.DLL
C:\WINDOWS\system32\dn0801due.dll
C:\WINDOWS\system32\fp4m03h1e.dll
C:\WINDOWS\system32\gp0ql3d51.dll
C:\WINDOWS\system32\hr8s05l7e.dll
C:\WINDOWS\system32\hrjo0513e.dll
C:\WINDOWS\system32\jt8u07l9e.dll
C:\WINDOWS\system32\ktdit.dll
C:\WINDOWS\system32\kxduzb.dll
C:\WINDOWS\system32\l6j8lg1u16.dll
C:\WINDOWS\system32\m0nqla551d.dll
C:\WINDOWS\system32\m8po0i73e8.dll
C:\WINDOWS\system32\mnrd3x40.dll
C:\WINDOWS\system32\n2p4lc7q1f.dll
C:\WINDOWS\system32\p04u0ah9ed4.dll
C:\WINDOWS\system32\p86s0ij7e8o.dll
C:\WINDOWS\system32\s2pu0c79ef.dll
C:\WINDOWS\system32\wpspdmod.dll
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A5B5D610-F86F-48C7-AFBE-967C50DF99AF}"=-
"{7629E2F1-2103-4A5B-A11D-9C15FD12CD38}"=-
"{57F44477-5DA2-4650-B24F-8AADC76B39C7}"=-
"{8FC9FF69-66D2-4282-A98B-C52AE77EFF1D}"=-
"{FB061040-C363-4345-B32B-CFC9B0A4832A}"=-
"{E883FFE4-D708-41F7-B26B-2A55F4A31B34}"=-
"{563124B6-1915-4340-92CD-8D271404347B}"=-
"{B085B34B-AE02-4145-9903-8A3CFACCAFDB}"=-
"{9829C4C0-B26C-4BDB-968E-45EFD471CB50}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A5B5D610-F86F-48C7-AFBE-967C50DF99AF}]
[-HKEY_CLASSES_ROOT\CLSID\{7629E2F1-2103-4A5B-A11D-9C15FD12CD38}]
[-HKEY_CLASSES_ROOT\CLSID\{57F44477-5DA2-4650-B24F-8AADC76B39C7}]
[-HKEY_CLASSES_ROOT\CLSID\{8FC9FF69-66D2-4282-A98B-C52AE77EFF1D}]
[-HKEY_CLASSES_ROOT\CLSID\{FB061040-C363-4345-B32B-CFC9B0A4832A}]
[-HKEY_CLASSES_ROOT\CLSID\{E883FFE4-D708-41F7-B26B-2A55F4A31B34}]
[-HKEY_CLASSES_ROOT\CLSID\{563124B6-1915-4340-92CD-8D271404347B}]
[-HKEY_CLASSES_ROOT\CLSID\{B085B34B-AE02-4145-9903-8A3CFACCAFDB}]
[-HKEY_CLASSES_ROOT\CLSID\{9829C4C0-B26C-4BDB-968E-45EFD471CB50}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60F970ED-CEEF-4793-9FC4-FB615A792863}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{60F970ED-CEEF-4793-9FC4-FB615A792863}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
HJT LOG!
Logfile of HijackThis v1.99.1
Scan saved at 3:01:15 PM, on 2/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Quest On Demand\Lightning.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
C:\Program Files\Merge eFilm\eFilm\efServer.exe
C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE
C:\Program Files\Merge eFilm\eFilm\efDM.exe
C:\Program Files\Merge eFilm\eFilm\efDicomM.exe
C:\Program Files\Merge eFilm\eFilm\efDBM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://urologychannel.com/fauer-yogel/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Quest On Demand - Lightning.LNK = C:\Program Files\Quest On Demand\Lightning.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15772FF0-B907-4D98-B770-0000B63DB314} (VBPrinter.VBPrinterCtrl) - https://cas2.questdi...s/VBPrinter.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093632233192
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {756BEC7B-ADF4-4931-A519-B513B32CFC1B} (BarCodeLabelActiveX.SpecimenLabels) - https://cas2.questdi...abelControl.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo...iewer_emg11.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: eFilmProcessManagerNT - Unknown owner - C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
O23 - Service: ScsiAcc - Unknown owner - C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe