Logfile of HijackThis v1.99.1
Scan saved at 11:23:34 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:8081
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-36.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/ ... chat42.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/ ... snUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\Software\..\Telephony: DomainName = overview.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = overview.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = overview.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
TrackQ
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- EditPlus
{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}
C:\Program Files\EditPlus 2\eppshell.dll
Subkey --- mtxmgxmn
{c2806b30-d55c-45ce-a3d0-55b8f45937da}
C:\WINDOWS\system32\eoaed.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI
==============================
C:\Documents and Settings\steve\Start Menu\Programs\Startup
DESKTOP.INI
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
NWC.CPL Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:16:18 PM, 9/29/2005
+ Report-Checksum: B8DA4855
+ Scan result:
C:\Documents and Settings\steve\Cookies\steve@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\steve\Cookies\steve@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
::Report End
L2MFix==========================================
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 592 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1560 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\aeroles.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aeroles.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CDUSAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CDUSAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DKOCX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DKOCX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IUSADS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IUSADS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IVSUTIL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IVSUTIL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KODIR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KODIR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KUDLA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KUDLA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KYDLT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KYDLT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhtga11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhtga11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lwkrn11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lwkrn11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lyrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lyrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MCTIME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MCTIME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUTASK.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUTASK.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NCMARTA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NCMARTA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofengl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofengl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\QKDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\QKDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RNGSVC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RNGSVC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RXPSND.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RXPSND.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TZBYUV.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TZBYUV.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UQANDLG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UQANDLG.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vzmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vzmdbg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wavcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wavcore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WOECEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WOECEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zrpfldr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zrpfldr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aeroles.dll
Successfully Deleted: C:\WINDOWS\system32\aeroles.dll
deleting: C:\WINDOWS\system32\aeroles.dll
Successfully Deleted: C:\WINDOWS\system32\aeroles.dll
deleting: C:\WINDOWS\system32\CDUSAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\CDUSAPI.DLL
deleting: C:\WINDOWS\system32\CDUSAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\CDUSAPI.DLL
deleting: C:\WINDOWS\system32\DKOCX.DLL
Successfully Deleted: C:\WINDOWS\system32\DKOCX.DLL
deleting: C:\WINDOWS\system32\DKOCX.DLL
Successfully Deleted: C:\WINDOWS\system32\DKOCX.DLL
deleting: C:\WINDOWS\system32\IUSADS.DLL
Successfully Deleted: C:\WINDOWS\system32\IUSADS.DLL
deleting: C:\WINDOWS\system32\IUSADS.DLL
Successfully Deleted: C:\WINDOWS\system32\IUSADS.DLL
deleting: C:\WINDOWS\system32\IVSUTIL.DLL
Successfully Deleted: C:\WINDOWS\system32\IVSUTIL.DLL
deleting: C:\WINDOWS\system32\IVSUTIL.DLL
Successfully Deleted: C:\WINDOWS\system32\IVSUTIL.DLL
deleting: C:\WINDOWS\system32\KODIR.DLL
Successfully Deleted: C:\WINDOWS\system32\KODIR.DLL
deleting: C:\WINDOWS\system32\KODIR.DLL
Successfully Deleted: C:\WINDOWS\system32\KODIR.DLL
deleting: C:\WINDOWS\system32\KUDLA.DLL
Successfully Deleted: C:\WINDOWS\system32\KUDLA.DLL
deleting: C:\WINDOWS\system32\KUDLA.DLL
Successfully Deleted: C:\WINDOWS\system32\KUDLA.DLL
deleting: C:\WINDOWS\system32\KYDLT.DLL
Successfully Deleted: C:\WINDOWS\system32\KYDLT.DLL
deleting: C:\WINDOWS\system32\KYDLT.DLL
Successfully Deleted: C:\WINDOWS\system32\KYDLT.DLL
deleting: C:\WINDOWS\system32\lhtga11n.dll
Successfully Deleted: C:\WINDOWS\system32\lhtga11n.dll
deleting: C:\WINDOWS\system32\lhtga11n.dll
Successfully Deleted: C:\WINDOWS\system32\lhtga11n.dll
deleting: C:\WINDOWS\system32\Lwkrn11n.dll
Successfully Deleted: C:\WINDOWS\system32\Lwkrn11n.dll
deleting: C:\WINDOWS\system32\Lwkrn11n.dll
Successfully Deleted: C:\WINDOWS\system32\Lwkrn11n.dll
deleting: C:\WINDOWS\system32\lyrt.dll
Successfully Deleted: C:\WINDOWS\system32\lyrt.dll
deleting: C:\WINDOWS\system32\lyrt.dll
Successfully Deleted: C:\WINDOWS\system32\lyrt.dll
deleting: C:\WINDOWS\system32\MCTIME.DLL
Successfully Deleted: C:\WINDOWS\system32\MCTIME.DLL
deleting: C:\WINDOWS\system32\MCTIME.DLL
Successfully Deleted: C:\WINDOWS\system32\MCTIME.DLL
deleting: C:\WINDOWS\system32\MUTASK.DLL
Successfully Deleted: C:\WINDOWS\system32\MUTASK.DLL
deleting: C:\WINDOWS\system32\MUTASK.DLL
Successfully Deleted: C:\WINDOWS\system32\MUTASK.DLL
deleting: C:\WINDOWS\system32\NCMARTA.DLL
Successfully Deleted: C:\WINDOWS\system32\NCMARTA.DLL
deleting: C:\WINDOWS\system32\NCMARTA.DLL
Successfully Deleted: C:\WINDOWS\system32\NCMARTA.DLL
deleting: C:\WINDOWS\system32\ofengl32.dll
Successfully Deleted: C:\WINDOWS\system32\ofengl32.dll
deleting: C:\WINDOWS\system32\ofengl32.dll
Successfully Deleted: C:\WINDOWS\system32\ofengl32.dll
deleting: C:\WINDOWS\system32\QKDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\QKDIT.DLL
deleting: C:\WINDOWS\system32\QKDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\QKDIT.DLL
deleting: C:\WINDOWS\system32\RCCDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\RCCDLL.DLL
deleting: C:\WINDOWS\system32\RCCDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\RCCDLL.DLL
deleting: C:\WINDOWS\system32\RNGSVC.DLL
Successfully Deleted: C:\WINDOWS\system32\RNGSVC.DLL
deleting: C:\WINDOWS\system32\RNGSVC.DLL
Successfully Deleted: C:\WINDOWS\system32\RNGSVC.DLL
deleting: C:\WINDOWS\system32\RXPSND.DLL
Successfully Deleted: C:\WINDOWS\system32\RXPSND.DLL
deleting: C:\WINDOWS\system32\RXPSND.DLL
Successfully Deleted: C:\WINDOWS\system32\RXPSND.DLL
deleting: C:\WINDOWS\system32\TZBYUV.DLL
Successfully Deleted: C:\WINDOWS\system32\TZBYUV.DLL
deleting: C:\WINDOWS\system32\TZBYUV.DLL
Successfully Deleted: C:\WINDOWS\system32\TZBYUV.DLL
deleting: C:\WINDOWS\system32\UQANDLG.DLL
Successfully Deleted: C:\WINDOWS\system32\UQANDLG.DLL
deleting: C:\WINDOWS\system32\UQANDLG.DLL
Successfully Deleted: C:\WINDOWS\system32\UQANDLG.DLL
deleting: C:\WINDOWS\system32\vzmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vzmdbg.dll
deleting: C:\WINDOWS\system32\vzmdbg.dll
Successfully Deleted: C:\WINDOWS\system32\vzmdbg.dll
deleting: C:\WINDOWS\system32\wavcore.dll
Successfully Deleted: C:\WINDOWS\system32\wavcore.dll
deleting: C:\WINDOWS\system32\wavcore.dll
Successfully Deleted: C:\WINDOWS\system32\wavcore.dll
deleting: C:\WINDOWS\system32\WOECEDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\WOECEDIT.DLL
deleting: C:\WINDOWS\system32\WOECEDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\WOECEDIT.DLL
deleting: C:\WINDOWS\system32\zrpfldr.dll
Successfully Deleted: C:\WINDOWS\system32\zrpfldr.dll
deleting: C:\WINDOWS\system32\zrpfldr.dll
Successfully Deleted: C:\WINDOWS\system32\zrpfldr.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Zipping up files for submission:
adding: aeroles.dll (188 bytes security) (deflated 48%)
adding: CDUSAPI.DLL (188 bytes security) (deflated 48%)
adding: DKOCX.DLL (188 bytes security) (deflated 48%)
adding: IUSADS.DLL (188 bytes security) (deflated 48%)
adding: IVSUTIL.DLL (188 bytes security) (deflated 48%)
adding: KODIR.DLL (188 bytes security) (deflated 48%)
adding: KUDLA.DLL (188 bytes security) (deflated 48%)
adding: KYDLT.DLL (188 bytes security) (deflated 48%)
adding: lhtga11n.dll (188 bytes security) (deflated 48%)
adding: Lwkrn11n.dll (188 bytes security) (deflated 48%)
adding: lyrt.dll (188 bytes security) (deflated 48%)
adding: MCTIME.DLL (188 bytes security) (deflated 48%)
adding: MUTASK.DLL (188 bytes security) (deflated 48%)
adding: NCMARTA.DLL (188 bytes security) (deflated 48%)
adding: ofengl32.dll (188 bytes security) (deflated 48%)
adding: QKDIT.DLL (188 bytes security) (deflated 48%)
adding: RCCDLL.DLL (188 bytes security) (deflated 48%)
adding: RNGSVC.DLL (188 bytes security) (deflated 48%)
adding: RXPSND.DLL (188 bytes security) (deflated 48%)
adding: TZBYUV.DLL (188 bytes security) (deflated 48%)
adding: UQANDLG.DLL (188 bytes security) (deflated 48%)
adding: vzmdbg.dll (188 bytes security) (deflated 48%)
adding: wavcore.dll (188 bytes security) (deflated 48%)
adding: WOECEDIT.DLL (188 bytes security) (deflated 48%)
adding: zrpfldr.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 36%)
adding: DD-GUI2.ini (188 bytes security) (deflated 73%)
adding: asdf.txt (188 bytes security) (deflated 64%)
adding: Debug.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 91%)
adding: test.txt (188 bytes security) (deflated 89%)
adding: test2.txt (188 bytes security) (deflated 14%)
adding: test3.txt (188 bytes security) (deflated 14%)
adding: test5.txt (188 bytes security) (deflated 14%)
adding: xfind.txt (188 bytes security) (deflated 86%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
deleting local copy: aeroles.dll
deleting local copy: aeroles.dll
deleting local copy: CDUSAPI.DLL
deleting local copy: CDUSAPI.DLL
deleting local copy: DKOCX.DLL
deleting local copy: DKOCX.DLL
deleting local copy: IUSADS.DLL
deleting local copy: IUSADS.DLL
deleting local copy: IVSUTIL.DLL
deleting local copy: IVSUTIL.DLL
deleting local copy: KODIR.DLL
deleting local copy: KODIR.DLL
deleting local copy: KUDLA.DLL
deleting local copy: KUDLA.DLL
deleting local copy: KYDLT.DLL
deleting local copy: KYDLT.DLL
deleting local copy: lhtga11n.dll
deleting local copy: lhtga11n.dll
deleting local copy: Lwkrn11n.dll
deleting local copy: Lwkrn11n.dll
deleting local copy: lyrt.dll
deleting local copy: lyrt.dll
deleting local copy: MCTIME.DLL
deleting local copy: MCTIME.DLL
deleting local copy: MUTASK.DLL
deleting local copy: MUTASK.DLL
deleting local copy: NCMARTA.DLL
deleting local copy: NCMARTA.DLL
deleting local copy: ofengl32.dll
deleting local copy: ofengl32.dll
deleting local copy: QKDIT.DLL
deleting local copy: QKDIT.DLL
deleting local copy: RCCDLL.DLL
deleting local copy: RCCDLL.DLL
deleting local copy: RNGSVC.DLL
deleting local copy: RNGSVC.DLL
deleting local copy: RXPSND.DLL
deleting local copy: RXPSND.DLL
deleting local copy: TZBYUV.DLL
deleting local copy: TZBYUV.DLL
deleting local copy: UQANDLG.DLL
deleting local copy: UQANDLG.DLL
deleting local copy: vzmdbg.dll
deleting local copy: vzmdbg.dll
deleting local copy: wavcore.dll
deleting local copy: wavcore.dll
deleting local copy: WOECEDIT.DLL
deleting local copy: WOECEDIT.DLL
deleting local copy: zrpfldr.dll
deleting local copy: zrpfldr.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aeroles.dll
C:\WINDOWS\system32\aeroles.dll
C:\WINDOWS\system32\CDUSAPI.DLL
C:\WINDOWS\system32\CDUSAPI.DLL
C:\WINDOWS\system32\DKOCX.DLL
C:\WINDOWS\system32\DKOCX.DLL
C:\WINDOWS\system32\IUSADS.DLL
C:\WINDOWS\system32\IUSADS.DLL
C:\WINDOWS\system32\IVSUTIL.DLL
C:\WINDOWS\system32\IVSUTIL.DLL
C:\WINDOWS\system32\KODIR.DLL
C:\WINDOWS\system32\KODIR.DLL
C:\WINDOWS\system32\KUDLA.DLL
C:\WINDOWS\system32\KUDLA.DLL
C:\WINDOWS\system32\KYDLT.DLL
C:\WINDOWS\system32\KYDLT.DLL
C:\WINDOWS\system32\lhtga11n.dll
C:\WINDOWS\system32\lhtga11n.dll
C:\WINDOWS\system32\Lwkrn11n.dll
C:\WINDOWS\system32\Lwkrn11n.dll
C:\WINDOWS\system32\lyrt.dll
C:\WINDOWS\system32\lyrt.dll
C:\WINDOWS\system32\MCTIME.DLL
C:\WINDOWS\system32\MCTIME.DLL
C:\WINDOWS\system32\MUTASK.DLL
C:\WINDOWS\system32\MUTASK.DLL
C:\WINDOWS\system32\NCMARTA.DLL
C:\WINDOWS\system32\NCMARTA.DLL
C:\WINDOWS\system32\ofengl32.dll
C:\WINDOWS\system32\ofengl32.dll
C:\WINDOWS\system32\QKDIT.DLL
C:\WINDOWS\system32\QKDIT.DLL
C:\WINDOWS\system32\RCCDLL.DLL
C:\WINDOWS\system32\RCCDLL.DLL
C:\WINDOWS\system32\RNGSVC.DLL
C:\WINDOWS\system32\RNGSVC.DLL
C:\WINDOWS\system32\RXPSND.DLL
C:\WINDOWS\system32\RXPSND.DLL
C:\WINDOWS\system32\TZBYUV.DLL
C:\WINDOWS\system32\TZBYUV.DLL
C:\WINDOWS\system32\UQANDLG.DLL
C:\WINDOWS\system32\UQANDLG.DLL
C:\WINDOWS\system32\vzmdbg.dll
C:\WINDOWS\system32\vzmdbg.dll
C:\WINDOWS\system32\wavcore.dll
C:\WINDOWS\system32\wavcore.dll
C:\WINDOWS\system32\WOECEDIT.DLL
C:\WINDOWS\system32\WOECEDIT.DLL
C:\WINDOWS\system32\zrpfldr.dll
C:\WINDOWS\system32\zrpfldr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{584EF118-3DFB-4BC5-AA94-84BC067F45E2}"=-
"{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{584EF118-3DFB-4BC5-AA94-84BC067F45E2}]
[-HKEY_CLASSES_ROOT\CLSID\{FC7FB912-6FDF-4F9C-9B68-6EEFC9B3326A}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************