Tue 7 Dec, 2004 06:39 pm
I have WinTools on my comp and I can't get it off. I have tried everything that other sites have told me to do and it doesn't remove it, like going into regedit and deleting it, and I downloaded a program from Norton to remove it (that didn't work). Someone please help me.
Type: Discussion • Score: 1 • Views: 1,950 • Replies: 14
Hi mastaapiece3
Please go Here and unzip the newest version of HJT into a new dedicated folder.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it hjt. Unzip HijackThis into this folder. Launch HijackThis, then press Scan, and press Save Log.
This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Most things are harmless and needed, so don't make any changes.
Post a log here please.
Ok, here is the log, but I have done this many times before. I checked all the WinTools ones and I pressed fix, then I did the scan again and they showed up again. They just keep showing up.
Logfile of HijackThis v1.98.2
Scan saved at 7:16:42 PM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\pasowb.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\HJT\HijackThis.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
Never mind, I got it off. I had to shut off System Restore, then use HJT, and then delete the folder in safe mode.
Now I have another problem.
When I restart my comp there is a box that pops up and it says FireDaemon has encountered a problem and must close. How do I get this message to stop popping up every time I get on?
And
when I first got my comp there were a lot of ads just popping up on my desktop, and I did some research and all I can remember is it told me to go to Control Panel - Administrative Tools - Services, then I had to disable something and then the popups stopped. Well, I need to know what it was I disabled because I am getting a lot of popups on my desktop again.
Also my PC keeps shutting off for no reason. It will do it sometimes when an ad pops up and I close it, my PC shuts off.
Hi mastaapiece3
You have the latest VX2/Look2Me variant.
This is also why you're having problems with your Recycle Bin; it has been corrupted as well.
It is a difficult removal process; every time you restart your computer it could be changing in the registry.
You will need to stay online and download a few tools to get the fix properly.
But first off you need to get rid of WinTools and any other garbage on your system.
First reboot to safe mode (by tapping the F8 key on start up).
Make sure you can view all Hidden Files/Folders, then search for and delete the following in BOLD:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
Next,
please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
The O1's will probably return; that's part of the infection.
Restart your computer.
Go Here and download and run VX2Finder(126).exe. Hit "Click to Find VX2.BetterInternet" and then click on "Make Log". Copy it and post it back in this thread.
Also go Here and download and run CWS HiddenDLLFinder. Follow the prompts and post the log it makes back in this thread.
Please download Silent Runners.
Run it.
Post back the log from it please.
Post back a fresh HJT log as well please. It might take a couple of posts to get them all posted.
When I do the CWS HiddenDLLFinder, after I click Run Locate a message pops up and it says "C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications."
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
Extensions
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WB
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{0C7177AD-4DF3-42D3-BE60-710B5067C362}
"Silent Runners.vbs", revision 27, launched at: 09:24
Operating System: Windows XP SP2
Startup items buried in registry:
---------------------------------
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Extensions\DLLName" = "C:\WINDOWS\system32\n66q0gj5e6o.dll" [null data]
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! "WB\DLLName" = "C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll" [file not found]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
Logfile of HijackThis v1.98.2
Scan saved at 9:25:11 AM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pasowb.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
Hi again,
Looks as though you have a number of startups disabled. Can you enable them if so? I want to make sure there is nothing else hiding on us.
Could you try the dllcompare again?
Try uninstalling it then reinstalling it please.
The dllcompare still says the same error.
New log:
"Silent Runners.vbs", revision 27, launched at: 19:49
Operating System: Windows XP SP2
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Zqg" = ** WARNING! empty or invalid data **
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Xbe" = "C:\WINDOWS\System32\nfls.exe" [file not found]
"WeatherCast" = "C:\PROGRA~1\WEATHE~1\Weather.exe /q" [file not found]
"Weather" = "C:\Program Files\AWS\WeatherBug\Weather.EXE 1" [file not found]
"warez" = ""C:\Program Files\Warez P2P Client\warez.exe" -h" [file not found]
"Tsa2" = "C:\PROGRA~1\COMMON~1\tsa\tsm2.exe" [file not found]
"SpySweeper" = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0" ["Webroot Software, Inc."]
"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" [file not found]
"Registry Cleaner Scheduler" = ""C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup" [file not found]
"Notn" = "C:\Documents and Settings\Owner\Application Data\eber.exe" [file not found]
"NDrv" = "C:\WINDOWS\System32\NDrv.exe" [file not found]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"Lqtfskc" = "C:\WINDOWS\System32\weic.exe" [file not found]
"LeechGet" = "" [(file not found)]
"Io0qRRisP" = "dmu70u.exe" [file not found]
"HXDL.EXE" = "C:\Program Files\Alset\HelpExpress\Owner\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" " [file not found]
"FreeRAM XP" = ""C:\Documents and Settings\Owner\Desktop\Manuel\FreeRAM XP Pro 1.40.exe" -win" ["YourWare Solutions (TM)"]
"Djeyk" = "C:\WINDOWS\System32\bckqwjeu.exe" [file not found]
"cnet" = ""C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q" [file not found]
"ClockSync" = "C:\PROGRA~1\CLOCKS~1\Sync.exe /q" [file not found]
"a²" = ""C:\Program Files\a2\a2guard.exe"" [file not found]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WT GameChannel" = "C:\Program Files\WildTangent\Apps\GameChannel.exe" [file not found]
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [file not found]
"WinStart001.EXE" = "C:\WINDOWS\System\WinStart001.EXE -b" [file not found]
"Windows TaskAd" = "C:\Program Files\Windows TaskAd\WinTaskAd.exe" [file not found]
"Windows SA" = "C:\Program Files\WindowsSA\omniscient.exe" [file not found]
"Windows AdTools" = "C:\Program Files\Windows AdTools\WinAdTools.exe" [file not found]
"Windows AdService" = "C:\Program Files\Windows AdService\WinAdServ.exe" [file not found]
"Windows AdControl" = "C:\Program Files\Windows AdControl\WinAdCtl.exe" [file not found]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"Win Server Updt" = "C:\WINDOWS\wupdt.exe" [file not found]
"Win Comm" = "C:\Program Files\Win Comm\WinComm.exe" [file not found]
"WildTangent CDA" = "RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain" [MS]
"WebSavingsfromEbates" = "wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"" [file not found]
"WebRebates0" = ""C:\Program Files\Web_Rebates\WebRebates0.exe"" [file not found]
"WebRebates" = "javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"" [file not found]
"wcmdmgr" = "C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch" [file not found]
"VTPreset" = "VTPreset.exe" ["S3 Graphics, Inc."]
"Virus Scan" = "EXPLORER.exe" [MS]
"VBundleOuterDL" = "C:\Program Files\VBouncer\BundleOuter.EXE" [file not found]
"VBouncer" = "C:\PROGRA~1\VBouncer\VirtualBouncer.exe" [file not found]
"utkbtt" = "C:\WINDOWS\system32\sxhrdb.exe" [file not found]
"updmgr" = "C:\Program Files\Common files\updmgr\updmgr.exe" [file not found]
"UpdateStats" = "C:\Program Files\Media\Media\UpdateStats.exe" [file not found]
"updater" = "C:\Program Files\Common files\updater\wupdater.exe" [file not found]
"Uninstall_WinTools" = "C:\WINDOWS\Temp\WTuninst.exe /remove" [file not found]
"Uninstall_TBPS" = "C:\WINDOWS\Temp\TBuninst.exe /remove" [file not found]
"Tsl" = "C:\PROGRA~1\COMMON~1\tsa\tsl.exe" [file not found]
"TotalRecorderScheduler" = ""C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]
"TBPS" = "C:\PROGRA~1\Toolbar\TBPS.exe" [file not found]
"sysux32.exe" = "C:\WINDOWS\system32\sysux32.exe" [file not found]
"SurfSideKick 2" = "C:\Program Files\SurfSideKick 2\Ssk.exe" [file not found]
"SM1BG" = "C:\WINDOWS\SM1BG.EXE" [file not found]
"slmss" = "C:\Program Files\Common Files\slmss\slmss.exe" [file not found]
"SESync" = ""C:\Program Files\SED\SED.exe"" [file not found]
"Search-Exe" = ""C:\Program Files\se\v11\se.EXE" /H" [file not found]
"SBHC" = "C:\Program Files\SuperBar\sbhc.exe" [file not found]
"salm" = "c:\temp\salm.exe" ["180solutions, Inc."]
"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]
"RunDLL" = "rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load" [MS]
"rfflxajs" = "C:\WINDOWS\system32\sxhrdb.exe" [file not found]
"RebateNation0" = ""C:\Program Files\Rebate_Nation\RebateNation0.exe"" [file not found]
"qziz" = "C:\WINNT\qziz.exe" [file not found]
"qrqpsb" = "C:\WINNT\qrqpsb.exe" [file not found]
"qbyfkv" = "C:\WINNT\qbyfkv.exe" [file not found]
"ppxrtale" = "C:\WINDOWS\System32\jdjhpyaj.exe" [file not found]
"Power Scan" = "C:\Program Files\Power Scan\powerscan.exe" [file not found]
"Pcsv" = "C:\WINDOWS\system32\pcs\pcsvc.exe" [file not found]
"p" = "C:\documents and settings\owner\local settings\temp\p.exe" [file not found]
"Open Site" = ""C:\Program Files\Open Site\opensite.exe"" [file not found]
"O1KOlCPLI" = "C:\documents and settings\owner\local settings\temp\O1KOlCPLI.exe" [file not found]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"netna.exe" = "C:\WINDOWS\system32\netna.exe" [file not found]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NaviSearch" = "C:\Program Files\NaviSearch\bin\nls.exe" [file not found]
"MyWebSearch Email Plugin" = "C:\PROGRA~1\MyWebSearch\bar\3.bin\mwsoemon.exe" [file not found]
"Mwsvm" = "C:\WINDOWS\mwsvm.exe" [file not found]
"lB" = "c:\documents and settings\owner\local settings\temp\lB.exe" [file not found]
"kvuvcrel" = "C:\WINNT\kvuvcrel.exe" [file not found]
"ksmhaxcmwyjfh" = "C:\WINDOWS\system32\sxhrdb.exe" [file not found]
"kdx" = "C:\WINDOWS\kdx\KHost.exe" [file not found]
"jafcxkn" = "C:\WINNT\jafcxkn.exe" [file not found]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [file not found]
"ifkz" = "C:\WINNT\ifkz.exe" [file not found]
"Homeland Network" = ""C:\Program Files\HomelandNetwork\HomelandNetwork.exe"" [file not found]
"gvfxltyhcdmy" = "C:\WINDOWS\System32\sxhrdb.exe" [file not found]
"GreenHorseTickerBar" = "C:\Program Files\Tickerbar\TickerBar.exe" ["Green Horse Corporation"]
"fuxqd" = "C:\WINNT\fuxqd.exe" [file not found]
"fash" = "C:\WINDOWS\fash.exe" [null data]
"EbatesMoeMoneyMaker" = "wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"" [file not found]
"Dpi" = "C:\Program Files\Common Files\Dpi\dpi.exe" [file not found]
"DM_Server" = "C:\PROGRA~1\Comet Systems\DM\bin\dmserver.exe /onreboot" [file not found]
"dmhcjun" = "C:\WINNT\dmhcjun.exe" [file not found]
"Detect" = "C:\Program Files\iNTERNET Turbo\iDetect.exe /auto" [file not found]
"DeadAIM" = "rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs" [MS]
"CashBack" = "C:\Program Files\CashBack\bin\cashback.exe" [file not found]
"c7P8S9W" = "C:\documents and settings\owner\local settings\temp\c7P8S9W.exe" [file not found]
"BullsEye Network" = "C:\Program Files\BullsEye Network\bin\bargains.exe" ["eXact Advertising"]
"alchem" = "C:\WINDOWS\alchem.exe" [file not found]
"3Frk35O" = "dmo3dmod.exe" [file not found]
"2P6WFAX43ZHE7C" = "C:\WINDOWS\System32\Trx6w9V5.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"Narrator" = "C:\WINDOWS\system32\pasowb.exe" [null data]
"mhwp" = "C:\WINNT\mhwp.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"6c2b39d9-3ce2-45d1-bf93-bc0fe763d507\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\liymha.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Control Panel\DLLName" = "C:\WINDOWS\system32\dn6801jue.dll" [null data]
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! "WB\DLLName" = "C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll" [file not found]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"Download Plus" -> shortcut to: "C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe" [file not found]
"MyWebSearch Email Plugin" -> shortcut to: "C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE" [file not found]
"TickerBar" -> shortcut to: "C:\Program Files\Tickerbar\TickerBar.exe" ["Green Horse Corporation"]
"UCmore XP - The Search Accelerator" -> shortcut to: "C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\TheSearchAccelerator\UCMTSAIE.dll DllShowToolbar" [MS]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Date Manager" -> shortcut to: "C:\Program Files\Date Manager\DateManager.exe" [file not found]
"eFax Tray Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\HotTray.exe" ["j2 Global Communications, Inc."]
"Live Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\Dllcmd32.exe /R /K C:\PROGRA~1\eFax Messenger Plus\HsPfcW32.dll,JSPFCWSetHooking,1,0,0,0" ["j2 Global Communications, Inc."]
"MyWebSearch Email Plugin" -> shortcut to: "C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE" [file not found]
"PrecisionTime" -> shortcut to: "C:\Program Files\PrecisionTime\PrecisionTime.exe" [file not found]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
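The helper's remark that the infection "could be changing in the registry" at every restart is visible in the two Silent Runners logs above: the Winlogon\Notify DLL has a different random name in each. The Python below is an added example, not part of the thread or of any tool named in it; it diffs the two Notify sections and then looks in a System32 directory listing for DLLs close in size to the newly registered one. The sample lines are copied from logs in this thread (the directory listing appears further down), and the 2% size tolerance is an assumption chosen for illustration.

```python
import re

# Notify sections copied from the two Silent Runners logs in this thread.
FIRST_LOG = r'''HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Extensions\DLLName" = "C:\WINDOWS\system32\n66q0gj5e6o.dll" [null data]
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! "WB\DLLName" = "C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll" [file not found]
Enabled Scheduled Tasks:
'''
SECOND_LOG = r'''HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Control Panel\DLLName" = "C:\WINDOWS\system32\dn6801jue.dll" [null data]
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! "WB\DLLName" = "C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll" [file not found]
Startup items in "Owner" & "All Users" startup folders:
'''
# A few lines copied from the System32 listing posted later in the thread.
SYSTEM32_LISTING = r'''
12/10/2004 07:31 PM 224,259 mvnql9551.dll
12/09/2004 03:24 PM 222,700 dn6801jue.dll
12/08/2004 03:23 PM 222,700 k462lejo1hoc.dll
12/06/2004 05:45 PM 226,187 gpp6l37s1.dll
11/06/2004 06:45 PM <DIR> dllcache
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
'''

ENTRY = re.compile(
    r'^(?:INFECTION WARNING! )?"(?P<sub>[^"\\]+)\\DLLName" = "(?P<dll>[^"]+)" \[(?P<tag>.*)\]$')
DIR_LINE = re.compile(r'^(\d\d/\d\d/\d{4})\s+\d\d:\d\d [AP]M\s+([\d,]+)\s+(.+)$')


def basename(path):
    """File name part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_notify(log_text):
    """Return {subkey: (dll_path, tag)} for the Winlogon\\Notify section only."""
    entries, in_section = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("\\Winlogon\\Notify\\"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        m = ENTRY.match(line)
        if not m:
            break  # the first non-entry line closes the section
        entries[m["sub"]] = (m["dll"], m["tag"].strip('"'))
    return entries


def diff_notify(old, new):
    """Return (added, removed) as {subkey: dll_name}, compared by DLL file name."""
    old_names = {basename(d): sub for sub, (d, _) in old.items()}
    new_names = {basename(d): sub for sub, (d, _) in new.items()}
    added = {new_names[n]: n for n in new_names.keys() - old_names.keys()}
    removed = {old_names[n]: n for n in old_names.keys() - new_names.keys()}
    return added, removed


def parse_dir(listing):
    """Return {file_name: (size_bytes, date)} from `dir` output; <DIR> rows are skipped."""
    files = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            files[m[3].lower()] = (int(m[2].replace(",", "")), m[1])
    return files


def size_siblings(files, name, tolerance=0.02):
    """Other DLLs whose size is within `tolerance` of `name` (triage heuristic, assumed)."""
    if name not in files:
        return []
    size = files[name][0]
    return sorted(n for n, (s, _) in files.items()
                  if n != name and n.endswith(".dll") and abs(s - size) <= size * tolerance)


if __name__ == "__main__":
    added, removed = diff_notify(parse_notify(FIRST_LOG), parse_notify(SECOND_LOG))
    print("Notify DLLs added:  ", added)
    print("Notify DLLs removed:", removed)
    files = parse_dir(SYSTEM32_LISTING)
    for dll in added.values():
        print(dll, "has similar-sized siblings:", size_siblings(files, dll))
```

Files surfaced this way are candidates for review only; the listing tool's own warning that it finds legitimate files as well applies here too.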
I'm trying to get you a link for another tool but it won't seem to upload here.
Ok, well if you can't get it just tell me where it is and I will download the tool.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is PRESARIO
Volume Serial Number is B8AA-68C9
Directory of C:\WINDOWS\System32
12/10/2004 07:31 PM 224,259 mvnql9551.dll
12/09/2004 03:24 PM 222,700 dn6801jue.dll
12/08/2004 03:23 PM 222,700 k462lejo1hoc.dll
12/07/2004 09:49 PM 222,700 d6j00g1me6.dll
12/07/2004 08:34 PM 222,700 hr2405fqe.dll
12/07/2004 08:05 PM 223,697 jtru0799e.dll
12/06/2004 08:51 PM 224,754 p8r40i9qe8.dll
12/06/2004 06:12 PM 224,754 mrafd.dll
12/06/2004 05:45 PM 226,187 gpp6l37s1.dll
12/06/2004 06:52 AM 224,754 iNshlpr.dll
12/05/2004 04:58 PM 225,149 iqetcomm.dll
12/05/2004 04:25 PM 225,316 n26q0cj5efo.dll
12/05/2004 04:12 PM 223,232 g6400ghme64a0.dll
12/04/2004 05:23 PM 223,232 p84u0ih9e84.dll
12/04/2004 09:29 AM 223,981 lv4s09h7e.dll
12/03/2004 09:56 PM 224,657 ir24l5fq1.dll
11/06/2004 06:45 PM <DIR> dllcache
10/14/2004 07:41 AM 380,928 m?iexec.exe
09/09/2004 04:49 PM 512 FmrCj.b90
12/12/2003 07:46 PM <DIR> Microsoft
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
09/09/1999 10:06 PM 252,688 msexcl35.dll
09/09/1999 10:06 PM 168,720 msltus35.dll
08/25/1999 02:57 PM 415,504 msrepl35.dll
06/07/1999 06:59 PM 250,128 mspdox35.dll
04/25/1999 05:00 PM 252,176 Msrd2x35.dll
04/25/1999 05:00 PM 368,912 Vbar332.dll
04/25/1999 05:00 PM 287,504 Msxbse35.dll
27 File(s) 7,179,412 bytes
2 Dir(s) 9,318,576,128 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is PRESARIO
Volume Serial Number is B8AA-68C9
Directory of C:\WINDOWS\System32
11/06/2004 06:45 PM <DIR> dllcache
10/14/2004 07:41 AM 380,928 m?iexec.exe
09/09/2004 04:49 PM 512 FmrCj.b90
08/03/2004 11:56 PM 581,120 rpcrt4.dll
08/03/2004 11:56 PM 1,392,671 msvbvm60.dll
08/03/2004 11:56 PM 501,248 clbcatq.dll
10/29/2002 12:30 PM 488 WindowsLogon.manifest
10/29/2002 12:30 PM 488 logonui.exe.manifest
10/29/2002 12:30 PM 749 ncpa.cpl.manifest
10/29/2002 12:30 PM 749 sapi.cpl.manifest
10/29/2002 12:30 PM 749 cdplayer.exe.manifest
10/29/2002 12:30 PM 749 nwc.cpl.manifest
10/29/2002 12:30 PM 749 wuaucpl.cpl.manifest
12 File(s) 2,861,200 bytes
1 Dir(s) 9,318,572,032 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is PRESARIO
Volume Serial Number is B8AA-68C9
Directory of C:\WINDOWS\System32
12/10/2004 07:34 PM 222,700 guard.tmp
1 File(s) 222,700 bytes
0 Dir(s) 9,318,567,936 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is PRESARIO
Volume Serial Number is B8AA-68C9
Directory of C:\WINDOWS\System32
12/10/2004 07:34 PM 222,700 guard.tmp
1 File(s) 222,700 bytes
0 Dir(s) 9,318,567,936 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0C7177AD-4DF3-42D3-BE60-710B5067C362}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn6801jue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\Object Desktop\\WindowBlinds\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
---------------- Xfind Results -----------------