wanstor (United Kingdom of Great Britain and Northern Ireland) asked:
unable to remove Troj_agent.fz

Hi,

I have a PC which is infected with the above virus. The problem is it's part of mfcdoc.dll, which is part of the winlogon service. How can I get rid of it (the virus, that is)? :)
rossfingal (United States of America):
What operating system?
XP Home - Pro - Win 2000 - 98 - ME

RF
wanstor (ASKER):
Sorry, XP Professional. Is it possible to fix remotely via network streaming?
wanstor (ASKER):
Have tried the latest Trend OfficeScan eng and ptn, and HouseCall, with no luck.
ASKER CERTIFIED SOLUTION
rossfingal:
Try this on-line scan:
Kaspersky
http://www.kaspersky.com/remoteviruschk.html

RF
Yes, that's right - I'm looking at it now.

RF
I don't see much of anything wrong in your log file - an O2 entry (we'll deal with that later) -
the one entry I'm wondering about is:
O20 - Winlogon Notify: mfcdoc - C:\WINDOWS\repair\mfcdoc.dll

Let's try this -
Make sure "Show all Files and Folders", including hidden and system, is enabled.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click "l2mfix.exe".
Click the "Install" button to extract the files and follow the prompts -
then open the newly added l2mfix folder on your desktop.
Double click "l2mfix.bat" and select option #1 for "Run Find Log" by typing 1 and then pressing enter.
This will scan your computer and it may appear nothing is happening -
then, after a minute or 2 (the time varies), notepad will open with a log.
Copy the contents of that log and paste it into this thread.

->-> IMPORTANT: <-<-
DO NOT run option #2 OR any other files in the l2mfix folder -
until you are asked to do so!

RF
wanstor (ASKER):
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mfcdoc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\repair\\mfcdoc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   authz.dll      Wed  2 Mar 2005  19:09:30   A....         56,832    55.50 K
   browseui.dll   Thu 10 Mar 2005   9:02:34   A....      1,016,832   993.00 K
   cdfview.dll    Thu 10 Mar 2005   9:02:34   A....        151,040   147.50 K
   iepeers.dll    Thu 10 Mar 2005   9:02:34   A....        250,880   245.00 K
   inseng.dll     Thu 10 Mar 2005   9:02:34   A....         96,256    94.00 K
   mshtml.dll     Thu 10 Mar 2005   9:02:34   A....      3,010,560     2.87 M
   msi.dll        Mon 21 Mar 2005  15:00:20   A....      2,890,240     2.75 M
   msihnd.dll     Mon 21 Mar 2005  15:00:22   A....        271,360   265.00 K
   msimsg.dll     Mon 21 Mar 2005  15:00:22   A....        884,736   864.00 K
   msisip.dll     Mon 21 Mar 2005  15:00:22   A....         15,360    15.00 K
   msrating.dll   Thu 10 Mar 2005   9:02:34   A....        146,432   143.00 K
   shdocvw.dll    Thu 10 Mar 2005   9:02:34   A....      1,483,264     1.41 M
   shell32.dll    Tue  1 Mar 2005   0:11:18   A....      8,450,048     8.06 M
   shlwapi.dll    Thu 10 Mar 2005   9:02:34   A....        473,600   462.50 K
   spmsg.dll      Thu 24 Feb 2005  19:35:06   .....         14,048    13.72 K
   urlmon.dll     Thu 10 Mar 2005   9:02:36   A....        607,744   593.50 K
   user32.dll     Wed  2 Mar 2005  19:09:30   A....        577,024   563.50 K
   wininet.dll    Thu 10 Mar 2005   9:02:36   A....        656,896   641.50 K
   winsrv.dll     Wed  2 Mar 2005  19:09:30   A....        291,328   284.50 K

19 items found:  19 files, 0 directories.
   Total of file sizes:  21,344,480 bytes     20.36 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 7594-4EC0

 Directory of C:\WINDOWS\System32

18/05/2005  12:14             4,096 psc.exe
19/04/2005  20:39    <DIR>          dllcache
05/07/2004  22:57    <DIR>          Microsoft
               1 File(s)          4,096 bytes
               2 Dir(s)   1,931,616,256 bytes free
Navigate to this file:
C:\WINDOWS\repair\mfcdoc.dll
Check its properties.
Let me know what they are.
It's very unusual to see a "Winlogon" entry running from the "repair" folder -
let me know what other files are in there - the "repair" folder.

RF
wanstor (ASKER):
autoexec.nt
codcfm.bak1
codcfm.bak2
codcfm.ini
config.nt
default
DS_SAM
DS_SECURITY
DS_SOFTWARE
mfcdoc.dll
moveonb.exe
ntuser.dat
sam
secsetup.inf
security
setup.log
software
system.bak
zap.exe
Check the properties on:
moveonb.exe
mfcdoc.dll
zap.exe
codcfm.ini
Let me know what they are.

RF
wanstor (ASKER):
moveonb.exe and zap.exe were my attempt to kill the winlogon service.
mfcdoc.dll: unknown application
codcfm.ini opens with Notepad and is hidden
Can you open codcfm.ini in Notepad and copy and paste the contents back here?
wanstor (ASKER):
_Z[Z^CGTM^RA^ GYYVUP SVS@KUC^Q ^\P@W[\@G      YTDW^RYPMYYQJQ@K ZCZQA]E\P[\XT]^
D^QW[A]EP[X T_M DSC]      ]RQPU      DWQ@GA[KYYFX[MSXX_QYZWW
Y\UPKXR[LW
YPWQ U]V@VTZT      
CCFUP QEZ[YGA\XZR@
QNZ[YGA\XZRY MSXXX
TZTW^VWRTZTY[OLK STUDKQCZKW
XXF_KPW[AZTJ@QM]OMUFD^[^W
XXLQTZTT^TUXUCZ[YGA]RQPUVY\ZW[\@GUZZKMY UEZ[YGA]RGZAFMG_PWA ]TQGWRWK[U QDA\F DTQ@M W
XPZPD^Z[YGA]XCPQGHDTZ[YGA]DPXFWM W
XJB] TVYRTYPYUET^JW
XMK \^XXLV [DZ[YGA]NPC[ MSXXYQY\ZVA_YZ[YGA]NF\UF ^XBW[AZLNQVQEVQW
[\@D^XBW[AYPMDU       VQPKG DWQ@QEVQG[TZT G[\@GYTA\W\ D@ZK_GK _ZZ[ @[\@GC\LD
DBFXW
[JVZ CA Z]MGEDXXF_ YYRW[AXS_QF
D^XPNQMSXX[WVF\UF TZT
Y@IPUYPM
R^A\LD       BRGW[AGTK@Z C]V@VTZTIGPK@QTZT X^O@FMF^GMAYTXZ[YGA@[@^AG TTJ\ ]IXAMY@ZWW
ETU      ^RAW[AGG\P]YAPJQU XVVYGB^V\VU YCZ[YGA@E\OUWMF^GMAYTXZ[YGA@E\CQY X^[\SUDPC[ MSXXD ]XF\[QEZ[YGA@EZJQU X^[^W
ELB DUTKW
DLQFMYYV[_TZTWDPKBQMWVAVF ]KQD
DDQ[@BVVYGUGZK@GK VQPK[D
]^O\F ]KQGDD]UGQEZ[YGABRFLX@MCRTKW\ _BAW[AEPJAX]VFMQFK _ZFGKQCZKW
GJDG BT]W[ADXVQUE\W@QUCZ[YGACVC\Z[N@XEUPMSXXGUYZND
EGXPGK _ZGV
  ]JVBMSXXGYGAJQFBRX@[MSXXG BT]UW
FRTULK _ZGQS_^U@
TZTQEVQ] \BRPZ ]JQU X\N[ZK _ZGQS_TMG BT]W[CK _ZGQS_AFQ TRGW[ADPXFWQ^U[[@VVYGUVGZ\USTZTQEVQUG
CCTW@ _YZ[YGACRTKW\C^FMUZM^RAG BT][AGK _ZGQS_QPGDK _CWXF ]JQU XRM\W
F\UF GRW W
F\Z@]X[]D C^RQ@ DJQFB\I]Z
W_AZQAD]XZSYK _ZG]
\VGJ]ZUDZ[YGAC^[XRQVVYG[^[J\
RVGW[ADZXDUOTW[ADEXDDKXR[LW
FIUC DVVYG@RP]VUM]NBXM ]JDAY\OLK SJDC D_PKC^BZ[YGACGB\V UY@W[ADE@CUXRYIZ FHC]TZTG^G\]H_X^LD ]JFWM\XEW[ADFSU BVVYGCUTZ_AMWVAVF ]J@Y[YPUZYP\MUXK _ZG@YTRVVYGDXED[@T]G GVVYGDBWT[ZK
@^[J]SYPMUYVD ]JAD GRWJQU XVVYGID@IPUPGXZPBRPM]ZBVVM]B MSXXGEGQX@QK
UGYLS] MSXX@_VVYGTZLW[ACP_G ]MR]      MSXX@
^\\WSY YVWQ@GAD_\WG@\T[Q@B^[MQF DVVYGYYN\Q TZT
DV[PAYKXR[LW
AV[XB\X[
EGZ[YGADXZUVUQ^U[[@VVYG_XYM]DMXXA[UFK _Z@[
S\FW[ACZMUX\XVP@MK _Z@DCAVD]CVVYG@SZNZX
TAVD]CVVYG@EPI[FMDXEPW_MSXX@S\]XG BT][UFK _Z@F [FPYD      DET_R]MSXX@S\\WS YDE@W
AKUW
^PJD]BUTP@ ]MFUYYR@\TRG][C _VQJW
AKUR
S_Z^W
AKUZ D[]QBKHZWGBV[JW@      MFOWWGADE\Z_X MWVAVF ]MGDYPMW
AJS_EZ[YGADDFUXUCZ[YGADA  \BAP[ZMSXXAQCPGD TU\MW
@IPUDAVD @BEUPN^XBW[ABE]U@ MD_@WPQ_@[U[UTZTTVA\GC\AVDYPMC[CVVYG@STMQGKUD^M[DKYEALYA _VVYG@STMQGK _CWXF ]LDPUDPKBQMWVAVF ]LDSTRF\[QEZ[YGAEDPKRQVVYGYRBU@DVVYGYG_UFR_ZMVUMSXXB QTKYMXXA[UFK _ZB]NVVGT DUTKW
CPDBZO\
RVGW[AA\IR]O\
RVGW[AA\IR]C\[QEZ[YGAF^GMAYTXZ[YGAF[Z^]WK[[\@C
[DZ[YGAFZT]Y] MSXXB@RQUF_AP]W
CMFUA\K@A^SZW[A@TIRQVVYGRRX@[MSXXC D_PKS_EZ[YGAGRTM\QMG_PWA ]NQU UEN\Q DE\QP Q[\@GUUXSR^U@
TZTRBQQZMSXXC @]\ZAK@RP]QFM^RAC @SESU BVVYGV^MW[A@]\ZAHTAPK@]
^PPZR
MSXXC^BXPB D^FPZSK _ZC\ EEVDANQSFW[A@]\ZAK _ZC\ EDPXFWMSXXC^BFQ[DHTAPK@]
^PZQZQ[Z[YGAG_PWAG @EVDCVVYGXR[LG\
DEXWQK _ZC\ ED]VD UY@W[A@B ] \BRPZ ]NCK
UGYLS] MSXXC^PIXA
^VVYGGSPQD      W^[W[A@BNUSTXJW
BNCVTZ[YGAG@B URWQ@GAG@BY QDPXFWMSXXC F\UF TZTGTXPW
TZTGT[Q@B^[MQF DVVYGG@XW@ UTUQFNCRGOQFK _ZCCMQTAPBQHQOZ[YGAG@BUWDVAW[A@BNUYTAPBQS_[VX[
UDWQ@GAG@BUP QEZ[YGAG@BUPSC\ZG ]NCCKTCZT] ]NCCKYZQVXXMSXXCV\TD\ [VVYGG@XXQTZTGTUXU ECF\UF YYRW[A@BNU      XNE\FX [DZ[YGAG@BUX
W_A@GQS_Z[YGAG@BUXUCZ[YGAG@BUXUCE D ]NCCK]VOPZSDXFJQU XVVYGG@XYZM^RACVASUCVVYGG@XBQ UZP]]UK _ZCCMRQW[A@BNVT Z[YGAG@BVXXVC\ZY YVZ[YGAG@BVZRYPMGWWGKUCCCMRX[C] ]NCCK_YOPVAIVVYGG@]      YV[MP]
DVYW[A@BNV GDPK@[
RVGW[A@BNV GDPKC]TZTGWLXX @EZVRG
DVVYGG@ZU@TKQ ]NCCK UYAKUXT^TCGGAG@BWX ^PPMUCU\CGVU]WQV^[]Z[MSXXCTYPW_S_PTM ]NCCK \^VR@F [^[^] _NCCK \^XXLV [DZ[YGAG@BWX
 [F@ZWK _ZCCMSZFZ BNCCWQ@GAG@BW[DV\UWU TZTGVVZ@ EVYJQU XVVYGG@ZFUQTZTGV@P[
TZTGQXG\BVVYGG@]U@DXGTV BNCDRTUZUEZ[YGAG@BP]EGW[A@BNP
Q^[]       _\@IW
BNC QCPJW
BNC  @ZZ[YGAG@BQNHUVGZ\] TZTGSPZPHE^VRW
BNC
^SZU[SMSXXCQ@WCQBXQLW@MSXXCPTM[FK _ZCCMWVAVFUUEAPG] YYSVFYYX[WQ@ B\Z[YGAG@BSU BTZKD[D^ZWW
BNCD@PX@\ SVFMW
BNC
WVA\W\ VCBXFQK _ZCCMWX[WUG BT]W[A@BNS^SFMFQ YYA\FUYAPW[A@BNSQDLZ[CK _ZCCMXXA[UFK _ZCCMYYV[_TZTG\\DXYYZ[YGAG@B]S ^RAW[A@BN][RLN[FTZTG\^ZDQDPJW
BNC RBXW[A@BN] UE[\@
D^XPNQMSXXC^EPZG XCZ[YGAG@B]D C^RQ@ DNCCK
GX[W[A@BN_QYZWW
BNC      
^\FM[M
TZTGYV[_H_ST@W
BNC       _\TQ ]NCCK_X^ YQTMSXXC[ZV_VVYGG@U[[Q]RW[A@BNX
TZTGYVDK _ZCCM\XC\@FV^VW[A@BNXQDPXFWMSXXCZPT[FUCPKW
BNCCDT^QV QSVXG@ YPMGXPZPD^Z[YGAG@BY] CRAPZ@ QTAPBQK _ZCCM]XCPQGHDTZ[YGAG@BYDVUVGZ\ ]NCCKCA\\C BNCCTKSQ
^PZ[YGAG@BYM^^V[A@ ^VVYGG@TMDEYPLD ]NCCKIDPXFWMSXXCZLJQU XYZNW
BNCGRWJQU XVVYGG@WQ@\YZNW
BNC DGTU[RBDWQ@GAG@BZQUVGZ\G
DVVYGG@WQC ^\[VCGK _ZCCM^^VMQWUCBVF_MSXXCYZD[TZTG[VD[M^RACY@RQFK _ZCCM_SLJGQ]VGRQ@ WVVYGG@VRR SXXIUZ ^VVYGG@VRR _GAPY]BVVYGG@VYQCRTKW\K _ZCCM_Z\ADDRWQ@GAG@BDUN@RGGQS_Z[YGAG@BDUUEGXZ_ WVVYGG@IXAC^[WU TZTGEKQW YX[@]TZTGEK]W QYQP@ ]NCCKBXF\UF YYRW[A@BNECRTKW\K _ZCCMBRFLX@QDA\F ]NCCKWDZQA@BNF[\@GG@K[]IVVYGG@KGDQEVQW
BNCRAVGF[BFK _ZCCMCRTKW\WS VVYGG@JQU XVFJ]G^CWQ@GAG@BGQS_PAQ ]NCCKUVGZ\G ECZ[YGAG@BGQS_B\VK _ZCCMC^XPXUYYRUQGK _ZCCMCGTNZQMSXXCDEPPQQ^AW[A@BNGGVG\\Q      YPMGFIMCUY@RQFK _ZCCMCEC WDMSXXCDAVD @BEUPN^XBW[A@BN@_VVYGG@MR]      MSXXCCRZGQS_Z[YGAG@B@\ [^[^YQ
Q[\@GG@M[D  [DZ[YGAG@B@[\APU[W IVVYGG@MDGTSZKSGG@MFQ\BPW[A@BN@YYMQWMSXXCB[P@QUYQPZSKUCCCMF^GMAYTXZ[YGAG@BBLWMSTCCMGRTM\QSXE\W
BNCRDPZAF \RGMW
BNC UY@W[A@BNC^BZ[YKTPPJA]YPMGBQQZUVGZ\ ]NCCKXR[LG\
TZTGBVFXN@XGMUXK _ZCCMIXZ^QQK _ZCCMJRFMMR TVVYGG@CGQS_AV[XBVVYGG@]C
TZTGU[DK _ZCCQUGVCG DXZUVUMSXXC\X[
EGZ[YGAHVQJ[UEZI@]
JRGW[AOT]G[K VQPK[D
]^O\F ]AUPXS_QF
D^XPNQMSXXLHZ_RQ @C\T]N TZTCVU]YRBVRG ]AVGK _T^MU]       QD]W[AO\TUS XS_QF
D^XPNQMSXXL@^A\F ]AX]XS_QF
D^XPNQMSXXLCQMSXXLCRTKW\KQ[TWWQKQCZKW
MTXG BT]SU BVVYGQ_ZVRQVVYG_XR\Q ]CVZCCL_]ZMSXXN SBQQZMSXXNQEVQ@[
RVGW[AJH96594uH
r7594uH
r7594}m`d_LXWXXPQZWQ@JY|`13
VVU      ENTTZ       6594t]c0759475944ec0
Avatar of wanstor

ASKER

Useful, isn't it!!!!
Before we do anything else - do this:

From the l2mfix folder on your desktop,
double click l2mfix.bat and select option # 2 for "Run Fix" by typing 2 and then pressing enter,
then press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal).
L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
The log should be in the same folder as l2mfix.
Copy the contents of that log and paste it back into this thread.

Then download and run TDS-3 Trojan Scan (free 30 day trial).
http://tds.diamondcs.com.au/
Update before you run it.
We'll see what it comes up with - make a note of all files it shows up as bad.

I hesitate to try and remove this manually -
I don't like the fact that it appears to have "winlogon" hooked.

RF
Avatar of wanstor

ASKER

L2Mfix 1.03
 
Running From:
C:\Documents and Settings\2care\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       Everyone
(IO)    ALLOW  Full access       Everyone


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------         BUILTIN\Administrators
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       Everyone
(IO)    ALLOW  Full access       Everyone
(ID-NI) ALLOW  Read              BUILTIN\Users
(ID-IO) ALLOW  Read              BUILTIN\Users
(ID-NI) ALLOW  Read              BUILTIN\Power Users
(ID-IO) ALLOW  Read              BUILTIN\Power Users
(ID-NI) ALLOW  Full access       BUILTIN\Administrators
(ID-IO) ALLOW  Full access       BUILTIN\Administrators
(ID-NI) ALLOW  Full access       NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access       NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access       CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\2care\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\2care\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1548 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
 
Zipping up files for submission:
  adding: clear.reg (164 bytes security) (deflated 2%)
  adding: echo.reg (164 bytes security) (deflated 9%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 71%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: test.txt (164 bytes security) (stored 0%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Warning (option /rga:(ci)) - There is no ACE to remove!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access       NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access       Everyone
(IO)    ALLOW  Full access       Everyone


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mfcdoc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\repair\\mfcdoc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
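
As an added example (not code from the thread, from l2mfix, or from any of the tools mentioned in it): a small Python script that parses a Winlogon\Notify export like the one above, decodes the hex(2) (REG_EXPAND_SZ) DllName values, and flags any notification package whose DLL is given as a full path rather than the bare filename every stock package in that export uses, with a stronger flag when that path is outside System32. The embedded export is a trimmed, constructed copy of the one posted; the assumption that %SystemRoot% is C:\WINDOWS is the only value not taken from the page. Run against the export above it singles out the mfcdoc package, whose DLL sits in C:\WINDOWS\repair.

```python
import re
from typing import Dict, List, Optional, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = "c:\\windows\\system32\\"  # assumption: %SystemRoot% is C:\WINDOWS, as in the thread

# Constructed sample: a trimmed copy of the Winlogon\Notify export posted above
# (one stock package plus the mfcdoc package the thread is about).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mfcdoc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\repair\\mfcdoc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

def _join_continuations(text: str) -> List[str]:
    """Rejoin .reg lines that regedit wrapped with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        buf = buf + line.strip() if buf else line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines

def _decode_value(raw: str) -> Optional[str]:
    """REG_SZ ("...") and REG_EXPAND_SZ (hex(2): UTF-16LE) to str; other types -> None."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"^hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return None

def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each Notify subkey (notification package) to its string-typed values."""
    packages: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    prefix = NOTIFY_KEY.lower() + "\\"
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current:
                packages[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current and m:
            value = _decode_value(m.group("value"))
            if value is not None:
                packages[current][m.group("name")] = value
    return packages

def assess_package(values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (dll, reasons). Stock packages give a bare DLL name that winlogon
    resolves from System32; a full path, above all one outside System32, is
    what to look at first. An empty reasons list means nothing stood out."""
    dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
    if not dll:
        return dll, ["no DllName value"]
    reasons: List[str] = []
    path = re.sub(r"%systemroot%", lambda _: r"C:\WINDOWS", dll, flags=re.I)
    if "\\" in path or ":" in path:
        reasons.append("full path instead of a bare filename")
        if not path.lower().startswith(SYSTEM32):
            reasons.append("DLL is outside %SystemRoot%\\System32")
    return dll, reasons

def find_suspicious(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Packages in the export whose DllName stands out, with the reasons."""
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for name, values in parse_notify_export(text).items():
        dll, reasons = assess_package(values)
        if reasons:
            findings[name] = (dll, reasons)
    return findings

if __name__ == "__main__":
    for name, (dll, reasons) in find_suspicious(SAMPLE_EXPORT).items():
        print(f"{name}: {dll}\n  - " + "\n  - ".join(reasons))
```

On a live machine the same key can be exported with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`; reg.exe writes that file as UTF-16, so open it with that encoding before handing the text to `find_suspicious`. The check is deliberately narrow: a bare filename is not proof a package is legitimate, it only means the entry looks like the stock ones, so anything it does flag still has to be examined on disk.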

Hi!

Did you try running TDS-3?
What were its results?

RF
Avatar of wanstor

ASKER

What if I boot into safe mode and remove mfcdoc.dll? Is it an important file?
Here's info on how to use TDS-3:
http://tds.diamondcs.com.au/index.php?page=easytouse

And, here's how to update it if you are not registered (trial version users):
http://tds.diamondcs.com.au/index.php?page=update
Avatar of wanstor

ASKER

OK, I updated TDS and did a full system scan. It found about +-15 alarms; I deleted 3 definite problems, the rest were all possible problems. None of them seemed related to the winlogon
or mfcdoc.dll or troj_agent.fz.
Well, that mfcdoc.dll file does not appear to be a valid Windows file.
Yes, you could try going into "Safe" mode and delete it -
or use Killbox in safe mode to get rid of it.

RF