
smitfraud.c


32 replies to this topic

#1 Trebor


Posted 20 May 2005 - 09:13 AM

Hi!

I've been trying to rid a Windows 98 computer of the smitfraud.c trojan. I've had a degree of success but am still encountering problems.

A HijackThis startup log looks like this:

StartupList report, 20/05/05, 14:26:55
StartupList version: 1.52.2
Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
EM_EXEC = c:\mouse\system\em_exec.exe
KAVPersonal50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
kavsvc = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

RAScut = C:\PROGRAM FILES\EIRCOM NET\RASCUT.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

[PerUserOldLinks] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

[MotownRecPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

[{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\fpxpress.inf,PerUserstub

[MmoptMusicaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[OlsAolPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wpie5x86.inf,PerUserStub

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[Chlen-us] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-us.inf,InstallUser

[chlen-uk] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-uk.inf,InstallUser

[chlen-ie] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-ie.inf,InstallUser

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfldrs.inf,PerUserStub.Install,1

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{2AD333E1-69C3-11D3-96D9-0008C75BDF54}C03748] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\CHANNE~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 20/5/2005, 11:32:52)

[Rename]
NUL=

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

ECHO OFF
C:\DRIVERS\CHKBOOT.EXE /LASTBOOT /NBROFBOOT /FIRSTUSERBOOT
SET BLASTER=A220 I5 D1 T4
mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,c:\windows\COMMAND\keyboard.sys
lh c:\Windows\Command\doskey.com

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS /TESTMEM:OFF
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
FILES=50
BUFFERS=50
DOS=HIGH,UMB
device=c:\windows\COMMAND\display.sys con=(ega,,1)
Country=044,850,c:\windows\COMMAND\country.sys

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

Echo off
CALL C:\CDINST.BAT Q
LH MOUSE.COM
C:\WINDOWS\setupds.exe /S

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: not hidden (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\windows\downloaded program files\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://c:\windows\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R634/V3...en/actsetup.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[{D27CDB6E-AE6D-0000-0000-000000000000}]
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7918.4623958333

[{02BED220-FBC7-4392-93A2-3A50B056F78E}]
CODEBASE = http://down.plaxo.com/down/release/instub.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\KAVWEBSCAN.DLL
CODEBASE = http://www.kaspersky.com/downloads/kws/kavwebscan.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: c:\windows\SYSTEM\rnr20.dll
Protocol #1: c:\windows\SYSTEM\mswsosp.dll
Protocol #2: c:\windows\SYSTEM\msafd.dll
Protocol #3: c:\windows\SYSTEM\msafd.dll
Protocol #4: c:\windows\SYSTEM\msafd.dll
Protocol #5: c:\windows\SYSTEM\rsvpsp.dll
Protocol #6: c:\windows\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: c:\windows\SYSTEM\vrtwd.386
VFIXD: c:\windows\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
LMUL: LMUL.VXD
LMOUSE: LMOUSE.VXD
Klif: C:\WINDOWS\SYSTEM\klif.vxd
Klmc: C:\WINDOWS\SYSTEM\klmc.vxd
klick: C:\WINDOWS\SYSTEM\klick.vxd
klin: C:\WINDOWS\SYSTEM\klin.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 25,114 bytes
Report generated in 1.298 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
===================================================

.....and the scan logfile reads:

Logfile of HijackThis v1.98.2
Scan saved at 14:27:39, on 20/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.iol.ie/search/searchbar.asp
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - HKCU\..\RunOnce: [RAScut] C:\PROGRAM FILES\EIRCOM NET\RASCUT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

====================================================

I seem to have removed most of the offending files but am left with a few problems;

The 'start' button on the desktop is disabled.

I cannot access the desktop.

When I try to access 'Folder Options' to allow 'hidden files' to be shown I get an error "operation cancelled due to restriction in effect...contact system administrator". I have no idea how to get around that...even tried in Safe Mode and couldn't get access.

When I open a folder the 'view' has defaulted back to 'as web page' after each reboot.

I ran BitDefender online scan and it came back clean; however, Panda ActiveScan did find something, but before the scan completed I got 'This program has performed an illegal function and will shut down' so I never got to complete the scan or find what infection was there.

Kaspersky is coming up with a clean scan as is Search & Destroy.

I ran sfc.exe in normal & safe mode. There were two errors which were repaired.

My feeling is that whatever is still hiding is in a hidden file and I of course am being denied access to them.

Any ideas how to get my 'start' button running again?

----------------------------------------------------------------------------------------------

Thanks in advance. This is a wonderful site....I'd still be staring at the nasty 'security warning' wallpaper the trojan puts up if I hadn't followed the advice here. Also, the infected computer is on dial-up so I have been able to read here and download to disc the tools I need which is saving a lot of time...a great resource.

Trebor


 


#2 g2i2r4


Posted 20 May 2005 - 05:57 PM

Let's see what we can do.
I'm asking a colleague for some advice on the matter too.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.
Let me know how things are now.

Edited by g2i2r4, 20 May 2005 - 06:09 PM.



Life is what happens while you're making other plans

#3 Trebor


Posted 22 May 2005 - 04:46 AM

Hi g2i2r4!

Thanks for looking at this for me.

I tried the steps you suggested and there is no change.

Start button is still disabled. I am unable to access 'folder options' due to 'restrictions' and am still told to contact the system administrator...of which there is none.

Any other suggestions as to how I can access the folder options?

Trebor

#4 g2i2r4


Posted 22 May 2005 - 06:28 AM

Let's see what's in the Registry.

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘export.bat’ to your desktop.
Choose ‘save as all types *.*’

regedit /e policies.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

Close Notepad.

Find ‘export.bat’ on your desktop.
Double-click the file. It will create a file on your desktop called ‘policies.reg’
Copy the entire text and paste it to your reply here in this topic.

Thanks to Mieke


Life is what happens while you're making other plans

#5 Trebor

Trebor
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 30 May 2005 - 08:32 AM

Mieke.
Sorry for the delay in replying...I was away!

The 'Policies' file reads:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000



Again, I appreciate any help you can give.

Trebor
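A way to read an export like the one in the post above without eyeballing every line, as an added example that is not part of the original thread: a small parser for REGEDIT4 text that decodes `dword:` and `hex:` data and lists only the values that are actually non-zero. The sample is abridged from the posted export, and the `ExampleRestriction` line is constructed to show what an enabled policy would look like.

```python
import re

# Abridged copy of the HKCU Policies export posted above, plus one
# constructed line ("ExampleRestriction") showing an enabled policy.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoActiveDesktop"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000
"ExampleRestriction"=dword:00000001
'''

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def decode(data):
    """Int for dword:/hex: data, None for a '-' delete marker, else the string."""
    if data == "-":
        return None
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):
        # hex: data is a comma-separated byte list, least significant byte first
        raw = bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
        return int.from_bytes(raw, "little")
    return data.strip('"')

def parse_reg(text):
    """Yield (key, value_name, decoded_value) for each value line in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], decode(m["data"])

def nonzero_values(text):
    """Values that are present, numeric and not zero, keyed by last subkey."""
    return [(k.rsplit("\\", 1)[-1], n, v) for k, n, v in parse_reg(text)
            if isinstance(v, int) and v != 0]

if __name__ == "__main__":
    for subkey, name, value in nonzero_values(SAMPLE):
        print(f"{subkey}\\{name} = {value:#x}")
```

Run against the full export as posted, the only non-zero value is `NoDriveTypeAutoRun`; every other value in that export decodes to 0.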

#6 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 31 May 2005 - 01:38 PM

I consulted a specialist (Mieke).

The information we are looking for isn't here though.
Please go to start - run
Paste this line:
regedit /e C:\policies2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"

Open c:\Policies2.txt
Copy and paste the content of this file here in your answer.

thanks for hanging in there :thumbsup:

Edited by g2i2r4, 31 May 2005 - 02:06 PM.



Life is what happens while you're making other plans

#7 Trebor

Trebor
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 31 May 2005 - 02:46 PM

Sorry about the mix-up with the name............ :thumbsup:

I cannot access the 'start' button. When I click on it nothing happens. I can right click and get the menu but not the various programs and options from normally pressing it.

Thanx

Trebor

#8 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 31 May 2005 - 03:44 PM

I completely overlooked that, sorry.

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘export2.bat’ to your desktop.
Choose ‘save as all types *.*’

regedit /e policies2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"


Close Notepad.

Find ‘export2.bat’ on your desktop.
Doubleclick the file. It will create a file on your desktop called ‘policies2.txt’
Copy the entire text and paste it to your reply here in this topic.


Life is what happens while you're making other plans

#9 Trebor

Trebor
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 10 June 2005 - 08:34 AM

Here is the text from the 'policies2' file.


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Regards
Trebor

#10 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 10 June 2005 - 10:57 AM

move to my computer
go to options
scroll all the way down
set it to show all files and folders, even hidden and system.

Please check to see if these files are present in the folder c:\windows
desktop.html
windows.html
screen.html
control.exe (legit file)

Also go to start - control panel - display - web tab.
Uncheck all that is checked and press apply.

Edited by g2i2r4, 10 June 2005 - 11:02 AM.



Life is what happens while you're making other plans

#11 Trebor

Trebor
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 11 June 2005 - 03:54 AM

Hi!
I cannot access folder options. When I try I get "The Operation has been cancelled due to restrictions on this computer. Please contact your system administrator".

#12 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 11 June 2005 - 06:30 AM

Can you try to see if those files are present without changing?

Please see if you can log in on an administrator account if nothing shows up.


Life is what happens while you're making other plans

#13 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 11 June 2005 - 09:46 AM

My advisor is pretty sure it has something to do with the policies.

So let's check them out.

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘export3.bat’ to your desktop.
Choose ‘save as all types *.*’

regedit /e policies3.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"

Close Notepad.

Find ‘export3.bat’ on your desktop.
Doubleclick the file. It will create a file on your desktop called ‘policies3.txt’
Copy the entire text and paste it to your reply here in this topic.


***

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘export4.bat’ to your desktop.
Choose ‘save as all types *.*’

regedit /e policies4.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"

Close Notepad.

Find ‘export4.bat’ on your desktop.
Doubleclick the file. It will create a file on your desktop called ‘policies4.txt’
Copy the entire text and paste it to your reply here in this topic.

Thank you for your patience. We will find it!


Life is what happens while you're making other plans

#14 Trebor

Trebor
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 27 June 2005 - 06:20 AM

Export3.bat result:
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\CompletedModifications]
"ChannelDefault"=dword:01be7d16

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CRLs]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CTLs]

=====================================================

export4.bat result:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\root]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\root\Certificates]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\root\CRLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\root\CTLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ca]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ca\CRLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ca\CTLs]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Outlook Express]

===============================================

Regards,
Trebor

#15 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:08 AM

Posted 27 June 2005 - 01:19 PM

Copy the part below into notepad and
save it as mieke.reg
to your desktop
Choose ‘save as all types *.*’

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoColorChoice"=-
"NoSizeChoice"=-
"NoDispScrSavPage"=-
"NoDispCPL"=-
"NoVisualStyleChoice"=-
"NoDispSettingsPage"=-
"NoDispAppearancePage"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-
"NoSaveSettings"=-
"NoThemesTab"=-
"NoActiveDesktopChanges"=-


Doubleclick the file and confirm you want to merge it with the registry.

Reboot and let me know how it is now.

Edited by g2i2r4, 27 June 2005 - 01:20 PM.



Life is what happens while you're making other plans



