I did it. It was pretty funny seeing stuff install as l2mfix was running. Here is the log l2mfix generated:
L2Mfix 1.02a
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1916 'explorer.exe'
Killing PID 1916 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\cbosys.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dSdim.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i0nmla511d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i460lejm1hoa.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ihfgnt5.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\k808lidu1808.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kgdkaz.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l42s0ef7eh2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l64qlgh5164.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l8l60i3se8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lbgif11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lvp6097se.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mqoert2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\n4l8le3u1h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\o484lelq1hqe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\pqlepixl.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\q4nule591h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sgrvdeps.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\cbosys.dll
Successfully Deleted: C:\WINNT\system32\cbosys.dll
deleting: C:\WINNT\system32\dSdim.dll
Successfully Deleted: C:\WINNT\system32\dSdim.dll
deleting: C:\WINNT\system32\i0nmla511d.dll
Successfully Deleted: C:\WINNT\system32\i0nmla511d.dll
deleting: C:\WINNT\system32\i460lejm1hoa.dll
Successfully Deleted: C:\WINNT\system32\i460lejm1hoa.dll
deleting: C:\WINNT\system32\ihfgnt5.dll
Successfully Deleted: C:\WINNT\system32\ihfgnt5.dll
deleting: C:\WINNT\system32\k808lidu1808.dll
Successfully Deleted: C:\WINNT\system32\k808lidu1808.dll
deleting: C:\WINNT\system32\kgdkaz.dll
Successfully Deleted: C:\WINNT\system32\kgdkaz.dll
deleting: C:\WINNT\system32\l42s0ef7eh2.dll
Successfully Deleted: C:\WINNT\system32\l42s0ef7eh2.dll
deleting: C:\WINNT\system32\l64qlgh5164.dll
Successfully Deleted: C:\WINNT\system32\l64qlgh5164.dll
deleting: C:\WINNT\system32\l8l60i3se8.dll
Successfully Deleted: C:\WINNT\system32\l8l60i3se8.dll
deleting: C:\WINNT\system32\lbgif11n.dll
Successfully Deleted: C:\WINNT\system32\lbgif11n.dll
deleting: C:\WINNT\system32\lvp6097se.dll
Successfully Deleted: C:\WINNT\system32\lvp6097se.dll
deleting: C:\WINNT\system32\mqoert2.dll
Successfully Deleted: C:\WINNT\system32\mqoert2.dll
deleting: C:\WINNT\system32\n4l8le3u1h.dll
Successfully Deleted: C:\WINNT\system32\n4l8le3u1h.dll
deleting: C:\WINNT\system32\o484lelq1hqe.dll
Successfully Deleted: C:\WINNT\system32\o484lelq1hqe.dll
deleting: C:\WINNT\system32\pqlepixl.dll
Successfully Deleted: C:\WINNT\system32\pqlepixl.dll
deleting: C:\WINNT\system32\q4nule591h.dll
Successfully Deleted: C:\WINNT\system32\q4nule591h.dll
deleting: C:\WINNT\system32\sgrvdeps.dll
Successfully Deleted: C:\WINNT\system32\sgrvdeps.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: cbosys.dll (164 bytes security) (deflated 4%)
adding: dSdim.dll (164 bytes security) (deflated 4%)
adding: i0nmla511d.dll (164 bytes security) (deflated 4%)
adding: i460lejm1hoa.dll (164 bytes security) (deflated 4%)
adding: ihfgnt5.dll (164 bytes security) (deflated 4%)
adding: k808lidu1808.dll (164 bytes security) (deflated 4%)
adding: kgdkaz.dll (164 bytes security) (deflated 4%)
adding: l42s0ef7eh2.dll (164 bytes security) (deflated 4%)
adding: l64qlgh5164.dll (164 bytes security) (deflated 4%)
adding: l8l60i3se8.dll (164 bytes security) (deflated 4%)
adding: lbgif11n.dll (164 bytes security) (deflated 4%)
adding: lvp6097se.dll (164 bytes security) (deflated 4%)
adding: mqoert2.dll (164 bytes security) (deflated 4%)
adding: n4l8le3u1h.dll (164 bytes security) (deflated 4%)
adding: o484lelq1hqe.dll (164 bytes security) (deflated 4%)
adding: pqlepixl.dll (164 bytes security) (deflated 4%)
adding: q4nule591h.dll (164 bytes security) (deflated 4%)
adding: sgrvdeps.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 55%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 81%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 76%)
adding: test2.txt (164 bytes security) (deflated 38%)
adding: test3.txt (164 bytes security) (deflated 38%)
adding: test5.txt (164 bytes security) (deflated 38%)
adding: xfind.txt (164 bytes security) (deflated 69%)
adding: backregs/8DBFF6DB-94F3-40F1-B9D6-F6ACFF281DCC.reg (164 bytes security) (deflated 71%)
adding: backregs/C6D1EE1B-27FA-4800-B5A8-0027EB869C7B.reg (164 bytes security) (deflated 70%)
adding: backregs/CD467A43-F10E-4A6F-9F86-A228A99F2FEE.reg (164 bytes security) (deflated 70%)
adding: backregs/D6161D8F-085C-4743-94ED-9EA4CA30743B.reg (164 bytes security) (deflated 70%)
adding: backregs/E7BA30AA-3E10-47C8-BA5C-69127702C2C3.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: cbosys.dll
deleting local copy: dSdim.dll
deleting local copy: i0nmla511d.dll
deleting local copy: i460lejm1hoa.dll
deleting local copy: ihfgnt5.dll
deleting local copy: k808lidu1808.dll
deleting local copy: kgdkaz.dll
deleting local copy: l42s0ef7eh2.dll
deleting local copy: l64qlgh5164.dll
deleting local copy: l8l60i3se8.dll
deleting local copy: lbgif11n.dll
deleting local copy: lvp6097se.dll
deleting local copy: mqoert2.dll
deleting local copy: n4l8le3u1h.dll
deleting local copy: o484lelq1hqe.dll
deleting local copy: pqlepixl.dll
deleting local copy: q4nule591h.dll
deleting local copy: sgrvdeps.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINNT\system32\cbosys.dll
C:\WINNT\system32\dSdim.dll
C:\WINNT\system32\i0nmla511d.dll
C:\WINNT\system32\i460lejm1hoa.dll
C:\WINNT\system32\ihfgnt5.dll
C:\WINNT\system32\k808lidu1808.dll
C:\WINNT\system32\kgdkaz.dll
C:\WINNT\system32\l42s0ef7eh2.dll
C:\WINNT\system32\l64qlgh5164.dll
C:\WINNT\system32\l8l60i3se8.dll
C:\WINNT\system32\lbgif11n.dll
C:\WINNT\system32\lvp6097se.dll
C:\WINNT\system32\mqoert2.dll
C:\WINNT\system32\n4l8le3u1h.dll
C:\WINNT\system32\o484lelq1hqe.dll
C:\WINNT\system32\pqlepixl.dll
C:\WINNT\system32\q4nule591h.dll
C:\WINNT\system32\sgrvdeps.dll
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E7BA30AA-3E10-47C8-BA5C-69127702C2C3}"=-
"{CD467A43-F10E-4A6F-9F86-A228A99F2FEE}"=-
"{8DBFF6DB-94F3-40F1-B9D6-F6ACFF281DCC}"=-
"{D6161D8F-085C-4743-94ED-9EA4CA30743B}"=-
"{C6D1EE1B-27FA-4800-B5A8-0027EB869C7B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E7BA30AA-3E10-47C8-BA5C-69127702C2C3}]
[-HKEY_CLASSES_ROOT\CLSID\{CD467A43-F10E-4A6F-9F86-A228A99F2FEE}]
[-HKEY_CLASSES_ROOT\CLSID\{8DBFF6DB-94F3-40F1-B9D6-F6ACFF281DCC}]
[-HKEY_CLASSES_ROOT\CLSID\{D6161D8F-085C-4743-94ED-9EA4CA30743B}]
[-HKEY_CLASSES_ROOT\CLSID\{C6D1EE1B-27FA-4800-B5A8-0027EB869C7B}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{66896F06-A88D-4021-AB73-F36E1907DF99}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{66896F06-A88D-4021-AB73-F36E1907DF99}</IDone>
<IDtwo>VT09</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Here is the hijackthis log:
Logfile of HijackThis v1.99.0
Scan saved at 9:24:13 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msupd5.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINNT\mmups.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\WINNT\System32\explore1.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\System32\ragyvjlt.exe
C:\WINNT\system32\hhoagu.exe
C:\WINNT\isrvs\desktop.exe
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ypgghy.exe
C:\WINNT\System32\imapi.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\HijackThisLog\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {19B0DC47-AA83-DA29-150F-78CD85A939C5} - C:\WINNT\System32\xrfdjorg.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {71CE8682-B895-C99F-8CF4-FCEC66448A0D} - C:\WINNT\System32\afsoneic.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eAr4jueH] C:\WINNT\yuyhxe.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINNT\mmups.exe
O4 - HKLM\..\Run: [lgrazkh] C:\WINNT\lgrazkh.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [tzxqva] C:\WINNT\System32\fdjfocv.exe
O4 - HKLM\..\Run: [Explore1] C:\WINNT\System32\explore1.exe
O4 - HKLM\..\Run: [o7sX3qO] srrmo.exe
O4 - HKLM\..\Run: [ragyvjlt] C:\WINNT\System32\ragyvjlt.exe
O4 - HKLM\..\Run: [hhoagu] C:\WINNT\system32\hhoagu.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [AutoLoadero03d1WTWaIPd] "C:\WINNT\System32\srrmo.exe"
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdtl.exe
O4 - HKCU\..\Run: [mspmsp] C:\WINNT\System32\mspmsp.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Ochpes] C:\WINNT\System32\w?auboot.exe
O4 - HKCU\..\Run: [Zw37Rki2l] spxecsnp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msafd] C:\WINNT\System32\msafd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106146227953
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: fuwbjiebiifi - Unknown - C:\WINNT\System32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
Let me know what to do next, I await your instructions.
texican