Here is the result. Thank you for the help. The new log:
L2Mfix 1.02b
Running From:
C:\Documents and Settings\Eric\桌面\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Eric\桌面\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Eric\桌面\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\wtpasf.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dbnhupnp.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mnprivs.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dqintf.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ndvdmd.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ucrfaxa.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir2ql5f51.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\krdno1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mcvcirt.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\o0lu0a39ed.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\k0pmla711d.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir4ol5h31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\wiadmoe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mycbase.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\doserial.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\oqjsel.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ezcdec.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\dn2801fue.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\cqfview.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\j4j6le1s1h.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir68l5ju1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mTpi32.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mawsock.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\akivtmxx.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir0ol5d31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\n28olcl31fq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\l08mlal11dq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\r08slal71dq.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir08l5du1.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvl4093qe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvpm0971e.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\en2ol1f31.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\wwnrulesak.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\hr0o05d3e.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\o684lglq16qe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\jHvaprxy.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\m0280afued280.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\h44mleh11h4.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\mv4ul9h91.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\h2j40c1qef.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\lvn2095oe.dll
複製了 1 個檔案。
Backing Up: C:\WINDOWS\system32\guard.tmp
複製了 1 個檔案。
deleting: C:\WINDOWS\system32\wtpasf.dll
Successfully Deleted: C:\WINDOWS\system32\wtpasf.dll
deleting: C:\WINDOWS\system32\dbnhupnp.dll
Successfully Deleted: C:\WINDOWS\system32\dbnhupnp.dll
deleting: C:\WINDOWS\system32\mnprivs.dll
Successfully Deleted: C:\WINDOWS\system32\mnprivs.dll
deleting: C:\WINDOWS\system32\dqintf.dll
Successfully Deleted: C:\WINDOWS\system32\dqintf.dll
deleting: C:\WINDOWS\system32\ndvdmd.dll
Successfully Deleted: C:\WINDOWS\system32\ndvdmd.dll
deleting: C:\WINDOWS\system32\ucrfaxa.dll
Successfully Deleted: C:\WINDOWS\system32\ucrfaxa.dll
deleting: C:\WINDOWS\system32\ir2ql5f51.dll
Successfully Deleted: C:\WINDOWS\system32\ir2ql5f51.dll
deleting: C:\WINDOWS\system32\krdno1.dll
Successfully Deleted: C:\WINDOWS\system32\krdno1.dll
deleting: C:\WINDOWS\system32\mcvcirt.dll
Successfully Deleted: C:\WINDOWS\system32\mcvcirt.dll
deleting: C:\WINDOWS\system32\o0lu0a39ed.dll
Successfully Deleted: C:\WINDOWS\system32\o0lu0a39ed.dll
deleting: C:\WINDOWS\system32\k0pmla711d.dll
Successfully Deleted: C:\WINDOWS\system32\k0pmla711d.dll
deleting: C:\WINDOWS\system32\ir4ol5h31.dll
Successfully Deleted: C:\WINDOWS\system32\ir4ol5h31.dll
deleting: C:\WINDOWS\system32\wiadmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wiadmoe.dll
deleting: C:\WINDOWS\system32\mycbase.dll
Successfully Deleted: C:\WINDOWS\system32\mycbase.dll
deleting: C:\WINDOWS\system32\doserial.dll
Successfully Deleted: C:\WINDOWS\system32\doserial.dll
deleting: C:\WINDOWS\system32\oqjsel.dll
Successfully Deleted: C:\WINDOWS\system32\oqjsel.dll
deleting: C:\WINDOWS\system32\ezcdec.dll
Successfully Deleted: C:\WINDOWS\system32\ezcdec.dll
deleting: C:\WINDOWS\system32\dn2801fue.dll
Successfully Deleted: C:\WINDOWS\system32\dn2801fue.dll
deleting: C:\WINDOWS\system32\cqfview.dll
Successfully Deleted: C:\WINDOWS\system32\cqfview.dll
deleting: C:\WINDOWS\system32\j4j6le1s1h.dll
Successfully Deleted: C:\WINDOWS\system32\j4j6le1s1h.dll
deleting: C:\WINDOWS\system32\ir68l5ju1.dll
Successfully Deleted: C:\WINDOWS\system32\ir68l5ju1.dll
deleting: C:\WINDOWS\system32\mTpi32.dll
Successfully Deleted: C:\WINDOWS\system32\mTpi32.dll
deleting: C:\WINDOWS\system32\mawsock.dll
Successfully Deleted: C:\WINDOWS\system32\mawsock.dll
deleting: C:\WINDOWS\system32\akivtmxx.dll
Successfully Deleted: C:\WINDOWS\system32\akivtmxx.dll
deleting: C:\WINDOWS\system32\ir0ol5d31.dll
Successfully Deleted: C:\WINDOWS\system32\ir0ol5d31.dll
deleting: C:\WINDOWS\system32\n28olcl31fq.dll
Successfully Deleted: C:\WINDOWS\system32\n28olcl31fq.dll
deleting: C:\WINDOWS\system32\l08mlal11dq.dll
Successfully Deleted: C:\WINDOWS\system32\l08mlal11dq.dll
deleting: C:\WINDOWS\system32\r08slal71dq.dll
Successfully Deleted: C:\WINDOWS\system32\r08slal71dq.dll
deleting: C:\WINDOWS\system32\ir08l5du1.dll
Successfully Deleted: C:\WINDOWS\system32\ir08l5du1.dll
deleting: C:\WINDOWS\system32\lvl4093qe.dll
Successfully Deleted: C:\WINDOWS\system32\lvl4093qe.dll
deleting: C:\WINDOWS\system32\lvpm0971e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpm0971e.dll
deleting: C:\WINDOWS\system32\en2ol1f31.dll
Successfully Deleted: C:\WINDOWS\system32\en2ol1f31.dll
deleting: C:\WINDOWS\system32\wwnrulesak.dll
Successfully Deleted: C:\WINDOWS\system32\wwnrulesak.dll
deleting: C:\WINDOWS\system32\hr0o05d3e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0o05d3e.dll
deleting: C:\WINDOWS\system32\ir6ml5j11.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll
deleting: C:\WINDOWS\system32\o684lglq16qe.dll
Successfully Deleted: C:\WINDOWS\system32\o684lglq16qe.dll
deleting: C:\WINDOWS\system32\jHvaprxy.dll
Successfully Deleted: C:\WINDOWS\system32\jHvaprxy.dll
deleting: C:\WINDOWS\system32\m0280afued280.dll
Successfully Deleted: C:\WINDOWS\system32\m0280afued280.dll
deleting: C:\WINDOWS\system32\h44mleh11h4.dll
Successfully Deleted: C:\WINDOWS\system32\h44mleh11h4.dll
deleting: C:\WINDOWS\system32\mv4ul9h91.dll
Successfully Deleted: C:\WINDOWS\system32\mv4ul9h91.dll
deleting: C:\WINDOWS\system32\h2j40c1qef.dll
Successfully Deleted: C:\WINDOWS\system32\h2j40c1qef.dll
deleting: C:\WINDOWS\system32\lvn2095oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvn2095oe.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: wtpasf.dll (deflated 5%)
adding: dbnhupnp.dll (deflated 4%)
adding: mnprivs.dll (deflated 5%)
adding: dqintf.dll (deflated 5%)
adding: ndvdmd.dll (deflated 5%)
adding: ucrfaxa.dll (deflated 5%)
adding: ir2ql5f51.dll (deflated 4%)
adding: krdno1.dll (deflated 4%)
adding: mcvcirt.dll (deflated 5%)
adding: o0lu0a39ed.dll (deflated 5%)
adding: k0pmla711d.dll (deflated 5%)
adding: ir4ol5h31.dll (deflated 4%)
adding: wiadmoe.dll (deflated 5%)
adding: mycbase.dll (deflated 4%)
adding: doserial.dll (deflated 4%)
adding: oqjsel.dll (deflated 5%)
adding: ezcdec.dll (deflated 5%)
adding: dn2801fue.dll (deflated 5%)
adding: cqfview.dll (deflated 5%)
adding: j4j6le1s1h.dll (deflated 5%)
adding: ir68l5ju1.dll (deflated 5%)
adding: mTpi32.dll (deflated 4%)
adding: mawsock.dll (deflated 6%)
adding: akivtmxx.dll (deflated 6%)
adding: ir0ol5d31.dll (deflated 4%)
adding: n28olcl31fq.dll (deflated 5%)
adding: l08mlal11dq.dll (deflated 4%)
adding: r08slal71dq.dll (deflated 4%)
adding: ir08l5du1.dll (deflated 6%)
adding: lvl4093qe.dll (deflated 5%)
adding: lvpm0971e.dll (deflated 4%)
adding: en2ol1f31.dll (deflated 4%)
adding: wwnrulesak.dll (deflated 4%)
adding: hr0o05d3e.dll (deflated 5%)
adding: ir6ml5j11.dll (deflated 5%)
adding: o684lglq16qe.dll (deflated 5%)
adding: jHvaprxy.dll (deflated 5%)
adding: m0280afued280.dll (deflated 5%)
adding: h44mleh11h4.dll (deflated 6%)
adding: mv4ul9h91.dll (deflated 6%)
adding: h2j40c1qef.dll (deflated 6%)
adding: lvn2095oe.dll (deflated 6%)
adding: guard.tmp (deflated 6%)
adding: echo.reg (deflated 5%)
adding: clear.reg (deflated 71%)
adding: desktop.ini (deflated 15%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: lo2.txt (deflated 84%)
adding: test2.txt (deflated 49%)
adding: test3.txt (deflated 49%)
adding: test5.txt (deflated 49%)
adding: test.txt (deflated 81%)
adding: xfind.txt (deflated 76%)
adding: backregs/shell.reg (deflated 71%)
adding: backregs/AB47B844-D0C9-4998-838C-8760882CA1DD.reg (deflated 70%)
adding: backregs/B89D61DB-9A14-4219-A679-5E36C0D0324A.reg (deflated 70%)
adding: backregs/0FE8608C-2370-41AA-A9F9-EAB8D93E07EA.reg (deflated 70%)
adding: backregs/97379452-C45B-46C7-866C-F91968BFCC57.reg (deflated 70%)
adding: backregs/481C2BEA-4713-42EB-B537-8849154F72E4.reg (deflated 70%)
adding: backregs/8C59129F-6C36-4B07-AF69-4E5DDF5CF617.reg (deflated 70%)
adding: backregs/284AF703-05F0-49DA-8AA1-129D4DC2A744.reg (deflated 70%)
adding: backregs/2408F199-49FC-444C-BF8F-16BA4A32283D.reg (deflated 70%)
adding: backregs/C50C031D-2DFB-457E-9D1D-0462548D6D38.reg (deflated 70%)
adding: backregs/A82A534D-7E87-4D81-BD72-10E504DA97FC.reg (deflated 70%)
adding: backregs/9E432968-855F-47A9-BFEC-1056386A1962.reg (deflated 70%)
adding: backregs/884C6471-F25D-4EF0-92FA-EFF4F55D1B3C.reg (deflated 70%)
adding: backregs/5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686.reg (deflated 70%)
adding: backregs/1AB12896-1F2B-416E-A4A7-7F662F5C3B4E.reg (deflated 70%)
adding: backregs/84A38D76-CE38-4930-9B78-E05CF95D0633.reg (deflated 70%)
adding: backregs/6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA.reg (deflated 70%)
adding: backregs/8258DC11-9079-4D6F-AE43-7C5DF31DEA80.reg (deflated 70%)
adding: backregs/2F89C6BC-B369-41D2-8B99-33B52A8584A9.reg (deflated 70%)
adding: backregs/331A41D9-F89B-46E2-AFD1-CAAA5F392F0B.reg (deflated 70%)
adding: backregs/C4B4D43E-D057-45A0-AF0E-9FA41EE08904.reg (deflated 70%)
adding: backregs/9636402F-BF5E-4AEC-8389-0C874BEADF3C.reg (deflated 70%)
adding: backregs/2841BEB3-CCFB-4E50-B15F-CFB325F161A0.reg (deflated 70%)
adding: backregs/5149B651-3A8A-47A0-BA13-34A2162375D9.reg (deflated 70%)
adding: backregs/121E72D0-B78D-4610-B165-2AB90D8E34B4.reg (deflated 70%)
adding: backregs/F8A0784A-949A-4B0E-8CEB-448B31170A2A.reg (deflated 70%)
adding: backregs/95615436-2354-4D59-B3D4-60134838FC40.reg (deflated 70%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: wtpasf.dll
deleting local copy: dbnhupnp.dll
deleting local copy: mnprivs.dll
deleting local copy: dqintf.dll
deleting local copy: ndvdmd.dll
deleting local copy: ucrfaxa.dll
deleting local copy: ir2ql5f51.dll
deleting local copy: krdno1.dll
deleting local copy: mcvcirt.dll
deleting local copy: o0lu0a39ed.dll
deleting local copy: k0pmla711d.dll
deleting local copy: ir4ol5h31.dll
deleting local copy: wiadmoe.dll
deleting local copy: mycbase.dll
deleting local copy: doserial.dll
deleting local copy: oqjsel.dll
deleting local copy: ezcdec.dll
deleting local copy: dn2801fue.dll
deleting local copy: cqfview.dll
deleting local copy: j4j6le1s1h.dll
deleting local copy: ir68l5ju1.dll
deleting local copy: mTpi32.dll
deleting local copy: mawsock.dll
deleting local copy: akivtmxx.dll
deleting local copy: ir0ol5d31.dll
deleting local copy: n28olcl31fq.dll
deleting local copy: l08mlal11dq.dll
deleting local copy: r08slal71dq.dll
deleting local copy: ir08l5du1.dll
deleting local copy: lvl4093qe.dll
deleting local copy: lvpm0971e.dll
deleting local copy: en2ol1f31.dll
deleting local copy: wwnrulesak.dll
deleting local copy: hr0o05d3e.dll
deleting local copy: ir6ml5j11.dll
deleting local copy: o684lglq16qe.dll
deleting local copy: jHvaprxy.dll
deleting local copy: m0280afued280.dll
deleting local copy: h44mleh11h4.dll
deleting local copy: mv4ul9h91.dll
deleting local copy: h2j40c1qef.dll
deleting local copy: lvn2095oe.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\wtpasf.dll
C:\WINDOWS\system32\dbnhupnp.dll
C:\WINDOWS\system32\mnprivs.dll
C:\WINDOWS\system32\dqintf.dll
C:\WINDOWS\system32\ndvdmd.dll
C:\WINDOWS\system32\ucrfaxa.dll
C:\WINDOWS\system32\ir2ql5f51.dll
C:\WINDOWS\system32\krdno1.dll
C:\WINDOWS\system32\mcvcirt.dll
C:\WINDOWS\system32\o0lu0a39ed.dll
C:\WINDOWS\system32\k0pmla711d.dll
C:\WINDOWS\system32\ir4ol5h31.dll
C:\WINDOWS\system32\wiadmoe.dll
C:\WINDOWS\system32\mycbase.dll
C:\WINDOWS\system32\doserial.dll
C:\WINDOWS\system32\oqjsel.dll
C:\WINDOWS\system32\ezcdec.dll
C:\WINDOWS\system32\dn2801fue.dll
C:\WINDOWS\system32\cqfview.dll
C:\WINDOWS\system32\j4j6le1s1h.dll
C:\WINDOWS\system32\ir68l5ju1.dll
C:\WINDOWS\system32\mTpi32.dll
C:\WINDOWS\system32\mawsock.dll
C:\WINDOWS\system32\akivtmxx.dll
C:\WINDOWS\system32\ir0ol5d31.dll
C:\WINDOWS\system32\n28olcl31fq.dll
C:\WINDOWS\system32\l08mlal11dq.dll
C:\WINDOWS\system32\r08slal71dq.dll
C:\WINDOWS\system32\ir08l5du1.dll
C:\WINDOWS\system32\lvl4093qe.dll
C:\WINDOWS\system32\lvpm0971e.dll
C:\WINDOWS\system32\en2ol1f31.dll
C:\WINDOWS\system32\wwnrulesak.dll
C:\WINDOWS\system32\hr0o05d3e.dll
C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\o684lglq16qe.dll
C:\WINDOWS\system32\jHvaprxy.dll
C:\WINDOWS\system32\m0280afued280.dll
C:\WINDOWS\system32\h44mleh11h4.dll
C:\WINDOWS\system32\mv4ul9h91.dll
C:\WINDOWS\system32\h2j40c1qef.dll
C:\WINDOWS\system32\lvn2095oe.dll
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}"=-
"{AB47B844-D0C9-4998-838C-8760882CA1DD}"=-
"{B89D61DB-9A14-4219-A679-5E36C0D0324A}"=-
"{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}"=-
"{97379452-C45B-46C7-866C-F91968BFCC57}"=-
"{481C2BEA-4713-42EB-B537-8849154F72E4}"=-
"{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}"=-
"{284AF703-05F0-49DA-8AA1-129D4DC2A744}"=-
"{2408F199-49FC-444C-BF8F-16BA4A32283D}"=-
"{C50C031D-2DFB-457E-9D1D-0462548D6D38}"=-
"{A82A534D-7E87-4D81-BD72-10E504DA97FC}"=-
"{9E432968-855F-47A9-BFEC-1056386A1962}"=-
"{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}"=-
"{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}"=-
"{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}"=-
"{84A38D76-CE38-4930-9B78-E05CF95D0633}"=-
"{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}"=-
"{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}"=-
"{2F89C6BC-B369-41D2-8B99-33B52A8584A9}"=-
"{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}"=-
"{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}"=-
"{9636402F-BF5E-4AEC-8389-0C874BEADF3C}"=-
"{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}"=-
"{5149B651-3A8A-47A0-BA13-34A2162375D9}"=-
"{121E72D0-B78D-4610-B165-2AB90D8E34B4}"=-
"{F8A0784A-949A-4B0E-8CEB-448B31170A2A}"=-
"{95615436-2354-4D59-B3D4-60134838FC40}"=-
[-HKEY_CLASSES_ROOT\CLSID\{01089EC7-4BB9-408C-B3AF-C1BED3031FB2}]
[-HKEY_CLASSES_ROOT\CLSID\{AB47B844-D0C9-4998-838C-8760882CA1DD}]
[-HKEY_CLASSES_ROOT\CLSID\{B89D61DB-9A14-4219-A679-5E36C0D0324A}]
[-HKEY_CLASSES_ROOT\CLSID\{0FE8608C-2370-41AA-A9F9-EAB8D93E07EA}]
[-HKEY_CLASSES_ROOT\CLSID\{97379452-C45B-46C7-866C-F91968BFCC57}]
[-HKEY_CLASSES_ROOT\CLSID\{481C2BEA-4713-42EB-B537-8849154F72E4}]
[-HKEY_CLASSES_ROOT\CLSID\{8C59129F-6C36-4B07-AF69-4E5DDF5CF617}]
[-HKEY_CLASSES_ROOT\CLSID\{284AF703-05F0-49DA-8AA1-129D4DC2A744}]
[-HKEY_CLASSES_ROOT\CLSID\{2408F199-49FC-444C-BF8F-16BA4A32283D}]
[-HKEY_CLASSES_ROOT\CLSID\{C50C031D-2DFB-457E-9D1D-0462548D6D38}]
[-HKEY_CLASSES_ROOT\CLSID\{A82A534D-7E87-4D81-BD72-10E504DA97FC}]
[-HKEY_CLASSES_ROOT\CLSID\{9E432968-855F-47A9-BFEC-1056386A1962}]
[-HKEY_CLASSES_ROOT\CLSID\{884C6471-F25D-4EF0-92FA-EFF4F55D1B3C}]
[-HKEY_CLASSES_ROOT\CLSID\{5E8F885C-E2B0-4AFC-A3C0-32B0F9A13686}]
[-HKEY_CLASSES_ROOT\CLSID\{1AB12896-1F2B-416E-A4A7-7F662F5C3B4E}]
[-HKEY_CLASSES_ROOT\CLSID\{84A38D76-CE38-4930-9B78-E05CF95D0633}]
[-HKEY_CLASSES_ROOT\CLSID\{6C3DAF95-BC56-446F-AD2E-6DF6C81E69AA}]
[-HKEY_CLASSES_ROOT\CLSID\{8258DC11-9079-4D6F-AE43-7C5DF31DEA80}]
[-HKEY_CLASSES_ROOT\CLSID\{2F89C6BC-B369-41D2-8B99-33B52A8584A9}]
[-HKEY_CLASSES_ROOT\CLSID\{331A41D9-F89B-46E2-AFD1-CAAA5F392F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{C4B4D43E-D057-45A0-AF0E-9FA41EE08904}]
[-HKEY_CLASSES_ROOT\CLSID\{9636402F-BF5E-4AEC-8389-0C874BEADF3C}]
[-HKEY_CLASSES_ROOT\CLSID\{2841BEB3-CCFB-4E50-B15F-CFB325F161A0}]
[-HKEY_CLASSES_ROOT\CLSID\{5149B651-3A8A-47A0-BA13-34A2162375D9}]
[-HKEY_CLASSES_ROOT\CLSID\{121E72D0-B78D-4610-B165-2AB90D8E34B4}]
[-HKEY_CLASSES_ROOT\CLSID\{F8A0784A-949A-4B0E-8CEB-448B31170A2A}]
[-HKEY_CLASSES_ROOT\CLSID\{95615436-2354-4D59-B3D4-60134838FC40}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{E1D1F89C-24F2-4A21-A8AA-CF95CF39EE04}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 下午 06:26:54, on 2005/2/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: MSN 工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-tw\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zhghbr] C:\Program Files\Jbvlqt\Scey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.hitoriasobi.com/netidol/i...b/Hot_net2.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/TW/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16ffe304...dxIE601_tw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.toptrade.com.tw/onsite/VSApps/vspta3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B6B7500-5A0C-4118-A7C4-AD77E0B4505F}: NameServer = 61.57.160.66,61.57.168.11
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)