Tibetan malware MacGyver?


  • This topic is locked
24 replies to this topic

#1 Vistuck

Vistuck

  • Members
  • 21 posts

Posted 10 April 2010 - 01:06 AM

What follows is an excerpt from an e-mail exchange I'm having with a very helpful technician from Greatis software. I'm posting it here in the hopes that someone on this site has heard of or seen this particular issue before and can provide their insight. I've been battling my PC for months now, through an OS change from Vista to Windows 7, two new hard drives, a new DVD-ROM drive and numerous formats, low-level wipes, blah, blah, etc., etc. I've tried every free anti-malware product out there, and paid for three or four, too. But my PC is still acting like young Linda Blair in The Exorcist. About the only thing it HASN'T done is levitate and hurl pea soup. Or make age-inappropriate sexual gestures.

The primary symptoms are fairly common: IE redirects, hijacking of the Windows Installer program, hijacking of Windows PowerShell, inexplicable security settings changes, bogus and unchangeable network configurations, unidentifiable network traffic, lots of extraneous mass-storage drivers that came back if uninstalled, etc.

But there are a few unusual elements:

1) Evidence of malware activity during POST and in the Windows PE environment even when booting directly from DVD. (Such as BIOS settings ignored, logs indicating the PC is booting from a nonexistent firmware device, referred to as "firmware type 8," along with frantic HDD and CD-ROM reads/writes happening BEFORE Windows has started to boot up.) Also, the malware can control verification/denial of trusted installer certificates. Very bad news. I set my system clock back to 1990, so at the very least all certificates would be denied, and not just the legitimate ones.

2) A standard HDD formatting and reinstallation of Windows from the retail DVD does not clean the infection. I've tested this a number of times. Unless my system is becoming immediately reinfected through means I do not understand (I disconnect all networked devices during reinstall and subsequent scanning/testing), the only explanation is a persistent infection that resists deletion during Windows reinstall.

3) Extreme, EXTREME stealth. Stealth that should not be possible for malware with such a wide range of functionality.

What follows is a lot of assumptions and half-baked theories. I'm a total compyooter noob who's been reading too much Inturnetz trying to understand computers now that mine has gone seriously south on me. However, I do think there's something happening on my PC that hasn't found its way into the mainstream of malware detection. Oh, and let me just get this out of the way now: My HijackThis logs look clean, so no need to ask me for one. I know somebody will anyway.

I don't think I have a BIOS or firmware rootkit or any such thing. It's just a regular backdoor trojan type thing that has some new trick up its sleeve. Here's my crackpot theory: This "malware suite," as I'm calling it, is made up of 97 percent legitimate Windows components. The "trojan," which I suspect is a mini OS unto itself, written perhaps in NetBSD, is a sort of master conductor that is capable of playing legitimate Windows executables, drivers, libraries and environment variables as its orchestra. It does so via a wide range of specialized scripts. It can even generate scripts on the fly -- it's intelligent and reactive to a wide range of detection and removal efforts, which it detects via keylogging, WMI data and event logs. It also can configure the installation of programs that use Windows Installer (such as in order to make an anti-virus scanner ignore the malware), and it can compile custom device drivers on the fly, both for new devices and to thwart user attempts to update existing drivers.

I have found documentation, albeit limited, on the Web to support my theory. If you do a Google search you can find instructions for something called "extreme domain registry" at a Web address originating in Tibet that begins with hxxp://hi.baidu.com. (Probably not a great idea to visit this site unless your system is super-secure -- or super-already-hosed, like mine is.)

I believe the site contains the blueprints for a malicious contraption that some clever criminal has pieced together out of legitimate files found on most any Windows machine. Search for "recieve.exe" (note the misspelling with "i" before "e"), or either of the registry keys "HKLM_LOCAL_MACHINE\Software\Classes\BuyGoods" or "HKEY_LOCAL_MACHINE\Software\Classes\Byblos."

The reference to "BDA tuner" on this Web site immediately caught my eye, because the BDA tuner driver was referenced in some of my boot logs, even though I do not have my machine's TV tuner connected. It also makes reference to the bidi spooler APIs, which are known to be exploitable by some malware and are referenced over and over again in my machine's boot logs. I've also found references to "byblos" and "recieve.exe" on my machine. That's how I came to search for and find the (perhaps all-time geekiest oxymoron?) "extreme domain registry." Hey Tibetan malware dude, I've got Tony Hawk on Line 2. He would like you to please put away the Hardcore Monster Thrash Chess Set and return that last shred of dignity you stole from him.

What follows are some event logs and a section of my PC's registry hive that seem to indicate ... something amiss. If you have some time to spare and you're interested in taking a look, please keep in mind that my PC is a home computer, not on a LAN, connected directly to a cable modem via ethernet cable (I did buy a LinkSys (wired) firewall router, but it only made things worse, so I disconnected it.) I do not have any wireless devices attached, and no antenna or cable connected for radio or TV broadcast. As far as I know, my system does not have an on-board Bluetooth device or any other wireless capability. However, my ATI Crappeon graphics card is connected via HDMI cable to an HDTV that does have Bluetooth and IR wireless functionality. (Don't know if that's relevant.) My PC is a Dell XPS-430 with a 2.50 GHz Intel Core2 Quad processor, currently running 64-bit Windows 7 Home Premium (Installed from a retail "upgrade" DVD, which I bought at a local Wal-Mart) and 4 GB of RAM. I actually removed some RAM because it was just overhead that the malware was using to do more evil. The PC originally came installed with 64-bit Windows Vista OEM (Sort of Home Premium-ish.) I am the sole user of this PC, and I only have one user account set up (the one I use). I do not have a printer or mobile device connected to my PC at any time. I am not using an encrypted key card or other smart card to boot into Windows. I'm not running any type of virtual machine, nor am I using Teredo tunneling nor any network protocol aside from IPv4 for communication. I have never used Windows Mail, Media Center nor any type of online streaming media. And yet all of the above appear to be active (either running now or in recently logged activity) on my system.

Here are the event logs I mentioned. The registry leak referenced in the first two logs occurred when I turned ON network file sharing but set the sharing permissions to deny "Everyone," "Console Session" and "System." I gave myself full access, of course. That maneuver actually has given me back some control over my PC.

FIRST USER PROFILE SERVICE ERROR (USER REGISTRY HANDLES LEAK)

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
6 user registry handles leaked from \Registry\User\S-1-5-21-1495150082-1455092368-1129167694-1000:
Process 460 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000
Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies
Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software
DETAILS:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T17:34:07.337598500Z" />
<EventRecordID>173</EventRecordID>
<Correlation />
<Execution ProcessID="976" ThreadID="2548" />
<Channel>Application</Channel>
<Computer>Goopnutticus</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">6 user registry handles leaked from \Registry\User\S-1-5-21-1495150082-1455092368-1129167694-1000: Process 460 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000 Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1204 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software</Data>
</EventData>
</Event>

SECOND USER PROFILE SERVICE ERROR (USER REGISTRY HANDLES LEAK)

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1495150082-1455092368-1129167694-1000:
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software
DETAILS:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T17:59:01.445752900Z" />
<EventRecordID>302</EventRecordID>
<Correlation />
<Execution ProcessID="940" ThreadID="1676" />
<Channel>Application</Channel>
<Computer>Goopnutticus</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1495150082-1455092368-1129167694-1000: Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1495150082-1455092368-1129167694-1000\Software</Data>
</EventData>
</Event>


Here are some other various logs from around the time of the registry handles leak issue:

WINDOWS UPDATE SERVICE HANG ERROR
The Windows Update service hung on starting.
DETAILS:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7022</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T17:40:17.517792400Z" />
<EventRecordID>605</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="636" />
<Channel>System</Channel>
<Computer>Goopnutticus</Computer>
<Security />
</System>
- <EventData>
<Data Name="param1">Windows Update</Data>
</EventData>
</Event>

ETHERNET DEVICE DISCONNECT ERROR (And, no, I did not yank out the ethernet cable)
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="e1express" />
<EventID Qualifiers="40964">27</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T17:51:02.336721200Z" />
<EventRecordID>719</EventRecordID>
<Channel>System</Channel>
<Computer>Goopnutticus</Computer>
<Security />
</System>
- <EventData>
<Data>\Device\NDMP11</Data>
<Data>Intel 82566DC-2 Gigabit Network Connection</Data>
<Binary>0000040002003400000000001B0004A00000000000000000000000000000000000000000000000001B0004A0</Binary>
</EventData>
</Event>

SEARCH ERROR:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">1008</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T13:48:26.000000000Z" />
<EventRecordID>145</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Goopnutticus</Computer>
<Security />
</System>
- <EventData>
<Data Name="ExtraInfo" />
<Data Name="Reason">Full Index Reset</Data>
</EventData>
</Event>

PRINT ERROR:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PrintService" Guid="{747EF6FD-E535-4D16-B510-42C90F6873A1}" />
<EventID>512</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>1</Task>
<Opcode>12</Opcode>
<Keywords>0x8000000000002800</Keywords>
<TimeCreated SystemTime="1990-02-02T14:44:21.101517200Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="1144" ThreadID="1168" />
<Channel>Microsoft-Windows-PrintService/Admin</Channel>
<Computer>37L4247D28-05</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <RouterError xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
<Name>inetpp.dll</Name>
<Error>0x0</Error>
</RouterError>
</UserData>
</Event>

ANTI-VIRUS UPDATE ERROR
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
<EventID>1014</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T13:59:19.158834600Z" />
<EventRecordID>483</EventRecordID>
<Correlation />
<Execution ProcessID="3428" ThreadID="2668" />
<Channel>System</Channel>
<Computer>Goopnutticus</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="QueryName">liveupdate.symantecliveupdate.com</Data>
<Data Name="AddressLength">16</Data>
<Data Name="Address">02000035D043DEDE0000000000000000</Data>
</EventData>
</Event>

DHCP ADDRESS ACQUISITION ERROR
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Dhcp-Client" Guid="{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}" />
<EventID>1001</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>3</Task>
<Opcode>75</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="1990-02-02T14:45:22.409624900Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="808" ThreadID="1100" />
<Channel>Microsoft-Windows-Dhcp-Client/Admin</Channel>
<Computer>37L4247D28-05</Computer>
<Security UserID="S-1-5-19" />
</System>
- <EventData>
<Data Name="HWLength">6</Data>
<Data Name="HWAddress">002219213248</Data>
<Data Name="StatusCode">121</Data>
</EventData>
</Event>

NEXT, Here is a portion of the registry hive that is persistent and cannot be deleted or changed, even with a clean reinstall:

Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Control Panel]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Control Panel\Input Method]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Control Panel\Input Method\Hot Keys]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Keyboard Layout]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Keyboard Layout\Preload]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Keyboard Layout\Toggle]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\CTF]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\CTF\SortOrder]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Protected Storage System Provider]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\SystemCertificates]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\SystemCertificates\Root]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\SystemCertificates\Root\ProtectedRoots]
"Certificates"=hex:18,00,00,00,01,00,00,00,90,d9,39,47,c3,37,b4,01,00,00,00,00,\
18,00,00,00
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU]
"0"=hex:72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,58,03,00,\
00,fe,00,00,00,f5,09,00,00,d8,03,00,00,60,03,00,00,30,01,00,00,9b,05,00,00,\
38,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,00,\
00,14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,2f,43,\
3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,5e,00,31,00,\
00,00,00,00,42,14,4d,74,10,20,57,69,6e,64,6f,77,73,2e,6f,6c,64,00,44,00,08,\
00,04,00,ef,be,42,14,4d,74,42,14,4d,74,2a,00,00,00,7f,02,00,00,00,00,05,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,2e,00,6f,00,6c,00,64,00,00,00,1a,00,74,00,31,00,00,00,00,00,42,14,\
d7,42,11,20,55,73,65,72,73,00,60,00,08,00,04,00,ef,be,ee,3a,85,1a,42,14,d7,\
42,2a,00,00,00,e3,01,00,00,00,00,01,00,00,00,00,00,00,00,00,00,36,00,00,00,\
00,00,55,00,73,00,65,00,72,00,73,00,00,00,40,00,73,00,68,00,65,00,6c,00,6c,\
00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,38,00,31,00,\
33,00,00,00,14,00,4a,00,31,00,00,00,00,00,42,14,1b,3b,10,20,47,6f,61,74,00,\
00,36,00,08,00,04,00,ef,be,42,14,11,3b,42,14,1b,3b,2a,00,00,00,f9,01,00,00,\
00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,47,00,6f,00,61,00,74,\
00,00,00,14,00,80,00,31,00,00,00,00,00,44,14,61,47,11,20,44,4f,57,4e,4c,4f,\
7e,31,00,00,68,00,08,00,04,00,ef,be,42,14,11,3b,44,14,61,47,2a,00,00,00,07,\
02,00,00,00,00,02,00,00,00,00,00,00,00,00,00,3e,00,00,00,00,00,44,00,6f,00,\
77,00,6e,00,6c,00,6f,00,61,00,64,00,73,00,00,00,40,00,73,00,68,00,65,00,6c,\
00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,37,00,\
39,00,38,00,00,00,18,00,00,00
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*]
"0"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,2f,\
43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,5e,00,31,\
00,00,00,00,00,42,14,4d,74,10,20,57,69,6e,64,6f,77,73,2e,6f,6c,64,00,44,00,\
08,00,04,00,ef,be,42,14,4d,74,42,14,4d,74,2a,00,00,00,7f,02,00,00,00,00,05,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,2e,00,6f,00,6c,00,64,00,00,00,1a,00,74,00,31,00,00,00,00,00,42,\
14,d7,42,11,20,55,73,65,72,73,00,60,00,08,00,04,00,ef,be,ee,3a,85,1a,42,14,\
d7,42,2a,00,00,00,e3,01,00,00,00,00,01,00,00,00,00,00,00,00,00,00,36,00,00,\
00,00,00,55,00,73,00,65,00,72,00,73,00,00,00,40,00,73,00,68,00,65,00,6c,00,\
6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,38,00,31,\
00,33,00,00,00,14,00,4a,00,31,00,00,00,00,00,42,14,1b,3b,10,20,47,6f,61,74,\
00,00,36,00,08,00,04,00,ef,be,42,14,11,3b,42,14,1b,3b,2a,00,00,00,f9,01,00,\
00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,47,00,6f,00,61,00,\
74,00,00,00,14,00,80,00,31,00,00,00,00,00,44,14,61,47,11,20,44,4f,57,4e,4c,\
4f,7e,31,00,00,68,00,08,00,04,00,ef,be,42,14,11,3b,44,14,61,47,2a,00,00,00,\
07,02,00,00,00,00,02,00,00,00,00,00,00,00,00,00,3e,00,00,00,00,00,44,00,6f,\
00,77,00,6e,00,6c,00,6f,00,61,00,64,00,73,00,00,00,40,00,73,00,68,00,65,00,\
6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,37,\
00,39,00,38,00,00,00,18,00,98,00,32,00,00,00,00,00,00,00,00,00,80,00,42,41,\
44,20,55,53,45,52,20,2d,20,50,45,52,53,49,53,54,45,4e,54,20,4b,45,59,53,2e,\
72,65,67,00,00,6a,00,08,00,04,00,ef,be,00,00,00,00,00,00,00,00,2a,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,42,00,41,\
00,44,00,20,00,55,00,53,00,45,00,52,00,20,00,2d,00,20,00,50,00,45,00,52,00,\
53,00,49,00,53,00,54,00,45,00,4e,00,54,00,20,00,4b,00,45,00,59,00,53,00,2e,\
00,72,00,65,00,67,00,00,00,2e,00,00,00
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\reg]
"0"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,2f,\
43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,5e,00,31,\
00,00,00,00,00,42,14,4d,74,10,20,57,69,6e,64,6f,77,73,2e,6f,6c,64,00,44,00,\
08,00,04,00,ef,be,42,14,4d,74,42,14,4d,74,2a,00,00,00,7f,02,00,00,00,00,05,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,2e,00,6f,00,6c,00,64,00,00,00,1a,00,74,00,31,00,00,00,00,00,42,\
14,d7,42,11,20,55,73,65,72,73,00,60,00,08,00,04,00,ef,be,ee,3a,85,1a,42,14,\
d7,42,2a,00,00,00,e3,01,00,00,00,00,01,00,00,00,00,00,00,00,00,00,36,00,00,\
00,00,00,55,00,73,00,65,00,72,00,73,00,00,00,40,00,73,00,68,00,65,00,6c,00,\
6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,38,00,31,\
00,33,00,00,00,14,00,4a,00,31,00,00,00,00,00,42,14,1b,3b,10,20,47,6f,61,74,\
00,00,36,00,08,00,04,00,ef,be,42,14,11,3b,42,14,1b,3b,2a,00,00,00,f9,01,00,\
00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,47,00,6f,00,61,00,\
74,00,00,00,14,00,80,00,31,00,00,00,00,00,44,14,61,47,11,20,44,4f,57,4e,4c,\
4f,7e,31,00,00,68,00,08,00,04,00,ef,be,42,14,11,3b,44,14,61,47,2a,00,00,00,\
07,02,00,00,00,00,02,00,00,00,00,00,00,00,00,00,3e,00,00,00,00,00,44,00,6f,\
00,77,00,6e,00,6c,00,6f,00,61,00,64,00,73,00,00,00,40,00,73,00,68,00,65,00,\
6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,31,00,37,\
00,39,00,38,00,00,00,18,00,98,00,32,00,00,00,00,00,00,00,00,00,80,00,42,41,\
44,20,55,53,45,52,20,2d,20,50,45,52,53,49,53,54,45,4e,54,20,4b,45,59,53,2e,\
72,65,67,00,00,6a,00,08,00,04,00,ef,be,00,00,00,00,00,00,00,00,2a,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,42,00,41,\
00,44,00,20,00,55,00,53,00,45,00,52,00,20,00,2d,00,20,00,50,00,45,00,52,00,\
53,00,49,00,53,00,54,00,45,00,4e,00,54,00,20,00,4b,00,45,00,59,00,53,00,2e,\
00,72,00,65,00,67,00,00,00,2e,00,00,00
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb7fed60-a3bd-11c8-a537-806e6f6e6963}]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\S-1-5-21-1495150082-1455092368-1129167694-1000\Software\Classes]

Well, that's probably far more than you could ever want for a single post. Maybe what I've written will seem far-fetched, even crazy, but there's nothing magical about this Ultra-Hard Manly Server-Douche thingy. My guess is that it's just a clever new malware app that has gone mostly unnoticed. My hope is that someone will figure out how it works and develop a removal tool. Thank you in advance...

(EDITED TO ADD:)

And if I can be of any assistance, I've got piles of logs, and I also took a bunch of digital pics of things that looked wrong or unusual. That's right, I spent hours taking sweet pics of my own computer screen! Look who's extreme NOW, baby?! (I never said that I was not a geek also...)

(EDITED MORESO TO ADD MOREOVER:)

Two other interesting quirks about this malware that popped into mind:

1) It really, really digs .mui files. Tries to hoard 'em, in fact. Does not take kindly to their deletion, be it Hungarian, Lithuanian or what have you. I can't help but wonder if .mui files have something to do with how this app sneaks malicious scripts through the Windows reinstall process.

2) And as for those scripts themselves, it's got a neat trick of gunking up the text with lots of enyays and oomlauts and other non-Romanji script doodads. First time I looked at one, I thought it was encrypted. But nope, just remove all the other letters and symbols, and you're left with the complete script. It's got a filter that weeds them out at the time the script is executed. I forget the actual command, but it's something to do with ignoring non-printable characters. Maybe that's also why it protects the print spooler thingamabob and won't let you shut it down.

(ONE FINAL EDIT TO KICK SELF IN BACKSIDE:)

No, idiot! It hoards the .mui files because that's where it gets the oomlauts and whatnots to junk up the English scripts! Duh.

(Edit to reflect on moving of my post to the "Am I infected?" board.)
I'm actually 100 percent sure I am infected, and I'm sort of beyond the stage of hoping that anyone can fix this issue for me. That does not mean I wouldn't accept help from someone who offered it. Just please understand that I have gone through the basic and intermediate cleanup processes multiple times now, with no luck. It seems as though I'm dealing with something new. My primary interest here was in alerting others to that possibility, because I can't be the only person in the world with this very frustrating malware infestation.

Edited by Vistuck, 10 April 2010 - 04:47 AM.
Mod Edit: Moved to AII and De-linkified bad link - AA
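The post above describes scripts whose real text is interleaved with non-ASCII letters that get filtered out at execution time. As an added example (not from the post or from any tool it mentions), here is an analyst-side triage helper in Python that measures how much of a script file is non-ASCII padding and returns the ASCII-only view a reviewer would read. The padded sample is constructed; the 15% threshold is an assumption, not a published rule.

```python
"""Added example (not from the thread): triage a script for the kind of
non-ASCII padding described in the post above. It only reads and measures;
it never executes anything."""

# Constructed sample: a harmless batch-style line with accented letters and one
# control character (BEL) interleaved, as the post describes.
PADDED_SAMPLE = "eñchĥoö hęellőo\x07 > C:\\tèemp\\nőote.txt\r\n"

# Printable ASCII plus tab, LF and CR. Anything else is treated as padding.
ASCII_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def strip_padding(text: str) -> str:
    """Return only the printable-ASCII characters of text (plus tab/CR/LF)."""
    return "".join(ch for ch in text if ord(ch) in ASCII_PRINTABLE)


def padding_ratio(text: str) -> float:
    """Fraction of characters that are not printable ASCII (0.0 for a plain script)."""
    if not text:
        return 0.0
    return 1 - len(strip_padding(text)) / len(text)


def triage(text: str, threshold: float = 0.15):
    """Return (is_suspicious, ratio, cleaned_text) for a script's contents.

    threshold is an assumed heuristic: legitimate scripts written in
    non-English locales also contain non-ASCII text, so treat a hit as a
    reason to read the cleaned view, not as a verdict."""
    ratio = padding_ratio(text)
    return ratio >= threshold, ratio, strip_padding(text)


if __name__ == "__main__":
    suspicious, ratio, cleaned = triage(PADDED_SAMPLE)
    print(f"non-ASCII ratio: {ratio:.2f}  suspicious: {suspicious}")
    print("cleaned view:", repr(cleaned))
```

The cleaned view is for reading, not running: a script that relies on an interpreter filter to discard padding may behave differently once the padding is gone, so the stripped text is evidence to review, not a file to execute.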




#2 Vistuck

Vistuck
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 10 April 2010 - 07:29 AM

I am pasting the aforementioned "Extreme Domain Registry" secret sauce recipe here as a convenience to anyone who's interested.

Can anyone tell me what it does? My guess is that it keeps a tight grip on the victim's registry and makes whatever changes suit the malware's purpose. Whatever that is. Presumably to help its authors earn a a few Simoleons for all their hard work pimpin' dem bots.

2008年02月23日 星期六 00:30
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbem\\fastprox.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D4B04E1-1331-11d0-81B8-00C04FD85AB4}]
@="CLSID_ImnAccountManager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D4B04E1-1331-11d0-81B8-00C04FD85AB4}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
6f,00,65,00,61,00,63,00,63,00,74,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}]
@="MSDVDAdm Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Control]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\InprocServer32]
@="C:\\WINDOWS\\system32\\mswebdvd.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\MiscStatus\1]
@="131473"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\ProgID]
@="MSWebDVD.MSDVDAdm.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\ToolboxBitmap32]
@="C:\\WINDOWS\\system32\\mswebdvd.dll, 104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\TypeLib]
@="{38EE5CE1-4B62-11D3-854F-00A0C9C898E7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\VersionIndependentProgID]
@="MSWebDVD.MSDVDAdm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\InProcServer32]
@="shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\ProgID]
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}]
@="DEGetBlockFmtNamesParam Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\InprocServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\dhtmled.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\ProgID]
@="DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\VersionIndependentProgID]
@="DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dabe793-23d9-45df-a3db-f442883bb479}]
@="DgnetCom Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dabe793-23d9-45df-a3db-f442883bb479}\InprocServer32]
@="C:\\WINDOWS\\system32\\dgnet.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dabe793-23d9-45df-a3db-f442883bb479}\ProgID]
@="Dgnet.DgnetCom.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dabe793-23d9-45df-a3db-f442883bb479}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dabe793-23d9-45df-a3db-f442883bb479}\VersionIndependentProgID]
@="Dgnet.DgnetCom"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DB2180F-BD29-11D1-8B7E-00C04FD7A924}]
@="COMComponentRegistrar Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DB2180F-BD29-11D1-8B7E-00C04FD7A924}\InprocServer32]
@="C:\\WINDOWS\\system32\\catsrvut.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DB2180F-BD29-11D1-8B7E-00C04FD7A924}\ProgID]
@="COMComponentRegistrar.COMComponentRegistrar.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DB2180F-BD29-11D1-8B7E-00C04FD7A924}\VersionIndependentProgID]
@="COMComponentRegistrar.COMComponentRegistrar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBEF13F-1948-4AA8-8CF0-048EEBED95D8}]
@="SpCustomStream Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBEF13F-1948-4AA8-8CF0-048EEBED95D8}\InprocServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\SAPI.DLL"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBEF13F-1948-4AA8-8CF0-048EEBED95D8}\ProgID]
@="SAPI.SpCustomStream.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBEF13F-1948-4AA8-8CF0-048EEBED95D8}\TypeLib]
@="{C866CA3A-32F7-11D2-9602-00C04F8EE628}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBEF13F-1948-4AA8-8CF0-048EEBED95D8}\VersionIndependentProgID]
@="SAPI.SpCustomStream"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD448E6-C188-4aed-AF92-44956194EB1F}]
@="WMP Burn Audio CD Launcher"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD448E6-C188-4aed-AF92-44956194EB1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\wmpshell.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD448E6-C188-4aed-AF92-44956194EB1F}\TypeLib]
@="{4B288991-E57A-4400-B6A2-89CE10F9F520}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD448E6-C188-4aed-AF92-44956194EB1F}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD6C641-98CB-11D1-9846-00A024CFEF6D}]
@="MPEG Layer-3 Decoder Statistics Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DD6C641-98CB-11D1-9846-00A024CFEF6D}\InprocServer32]
@="C:\\Program Files\\VIEWGOOD\\WebPlayer\\Audio\\l3codecx.ax"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E17FFF3-C5BA-11D1-8D8A-0060088F38C8}]
@="MakeCab Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E17FFF3-C5BA-11D1-8D8A-0060088F38C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\catsrvut.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E17FFF3-C5BA-11D1-8D8A-0060088F38C8}\ProgID]
@="MakeCab.MakeCab.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E17FFF3-C5BA-11D1-8D8A-0060088F38C8}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E17FFF3-C5BA-11D1-8D8A-0060088F38C8}\VersionIndependentProgID]
@="MakeCab.MakeCab"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E528C21-9D52-4030-BA92-3481227ADDD1}]
@="WMPlayer PrivacyPropPage Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E528C21-9D52-4030-BA92-3481227ADDD1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wmp.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E6E6079-0CB7-11d2-8F10-0000F87ABD16}]
@="Offline Pages Cleaner"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E6E6079-0CB7-11d2-8F10-0000F87ABD16}\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,65,00,\
62,00,63,00,68,00,65,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,2c,00,30,00,00,\
00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E6E6079-0CB7-11d2-8F10-0000F87ABD16}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}]
@="Radio"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\InprocServer32]
@="C:\\WINDOWS\\system32\\msdxm.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\ProgID]
@="Mmedia.RadioBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\TypeLib]
@="{22D6F304-B0F6-11D0-94AB-0080C74C7E95}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\VersionIndependentProgID]
@="Mmedia.RadioBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}]
@="RadioServer Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}\InprocServer32]
@="C:\\WINDOWS\\system32\\msdxm.ocx"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}\ProgID]
@="Mmedia.RadioServer.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}\TypeLib]
@="{22D6F304-B0F6-11D0-94AB-0080C74C7E95}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}\VersionIndependentProgID]
@="Mmedia.RadioServer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e827c11-33e7-4bc1-b242-8cd9a1c2b304}]
@="合并的文件夹分类器"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e827c11-33e7-4bc1-b242-8cd9a1c2b304}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}]
@="DiskManagement.SnapInExtension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6d,00,\
64,00,73,00,6b,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}\ProgID]
@="DiskManagement.SnapInExtension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ED14CC0-7A1F-11d0-92F6-00A0C922E6B2}]
@="Microsoft NetMeeting Installable Codecs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ED14CC0-7A1F-11d0-92F6-00A0C922E6B2}\InProcServer32]
@="\"C:\\Program Files\\NetMeeting\\nac.dll\""
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE42293-C315-11D0-8D6F-00A0C9A06E1F}]
@="CLSID_ApprenticeICW"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE42293-C315-11D0-8D6F-00A0C9A06E1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\inetcfg.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE42293-C315-11D0-8D6F-00A0C9A06E1F}\ProgID]
@="INETCFG.Apprentice.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE42293-C315-11D0-8D6F-00A0C9A06E1F}\VersionIndependentProgID]
@="INETCFG.Apprentice"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE97210-FD1F-4B19-91DA-67914005F020}]
@="Microsoft DocProp Inplace ML Edit Box Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EE97210-FD1F-4B19-91DA-67914005F020}\InProcServer32]
@="C:\\WINDOWS\\system32\\docprop2.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F0C5675-AEEF-11d0-84F0-00C04FD43F8F}]
@="AthWafer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F0C5675-AEEF-11d0-84F0-00C04FD43F8F}\InprocServer32]
@=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,\
00,73,00,25,00,5c,00,4f,00,75,00,74,00,6c,00,6f,00,6f,00,6b,00,20,00,45,00,\
78,00,70,00,72,00,65,00,73,00,73,00,5c,00,6d,00,73,00,6f,00,65,00,2e,00,64,\
00,6c,00,6c,00,00,00
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311}]
@="AP lzdhtml encoding/decoding Filter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311}\InprocServer32]
@="C:\\WINDOWS\\system32\\urlmon.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f92a857-478e-11d1-a3b4-00c04fb950dc}]
@="ADs Email 对象"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f92a857-478e-11d1-a3b4-00c04fb950dc}\InprocServer32]
@="adsnds.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f92a857-478e-11d1-a3b4-00c04fb950dc}\ProgID]
@="Email"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f92a857-478e-11d1-a3b4-00c04fb950dc}\TypeLib]
@="{97d25db0-0363-11cf-abc4-02608c9e7553}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f92a857-478e-11d1-a3b4-00c04fb950dc}\Version]
@="0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FA0D5A8-DEDF-11D0-9A61-00C04FB68BF7}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FA0D5A8-DEDF-11D0-9A61-00C04FB68BF7}\InprocServer32]
@="C:\\WINDOWS\\system32\\itircl.dll"
"ThreadingModel"="both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FA0D5A8-DEDF-11D0-9A61-00C04FB68BF7}\ProgID]
@="ITIR.EngStemmer.4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FA0D5A8-DEDF-11D0-9A61-00C04FB68BF7}\VersionIndependentProgID]
@="ITIR.EngStemmer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
@="组策略对象编辑器"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,47,00,50,00,\
45,00,64,00,69,00,74,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FE7E181-BB96-11D2-A1CB-00609778EA66}]
@="Microsoft MS Audio Decompressor Control Property page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FE7E181-BB96-11D2-A1CB-00609778EA66}\InprocServer32]
@="C:\\WINDOWS\\system32\\msadds32.ax"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90087284-d6d6-11d0-8353-00a0c90640bf}]
@="设备管理器扩展"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90087284-d6d6-11d0-8353-00a0c90640bf}\InprocServer32]
@="C:\\WINDOWS\\system32\\devmgr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90087284-d6d6-11d0-8353-00a0c90640bf}\ProgId]
@="DevMgrExtension.DevMgrExtension.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90087284-d6d6-11d0-8353-00a0c90640bf}\VersionIndependentProgId]
@="DevMgrExtension.DevMgrExtension.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{905667aa-acd6-11d2-8080-00805f6596d2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{905667aa-acd6-11d2-8080-00805f6596d2}\InProcServer32]
@="wiashext.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90903716-2F42-11D3-9C26-00C04F8EF87C}]
@="SpCompressedLexicon Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90903716-2F42-11D3-9C26-00C04F8EF87C}\InprocServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90903716-2F42-11D3-9C26-00C04F8EF87C}\ProgID]
@="SAPI.SpCompressedLexicon.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90903716-2F42-11D3-9C26-00C04F8EF87C}\TypeLib]
@="{C866CA3A-32F7-11D2-9602-00C04F8EE628}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90903716-2F42-11D3-9C26-00C04F8EF87C}\VersionIndependentProgID]
@="SAPI.SpCompressedLexicon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{911685D1-350F-11d1-83B3-00C04FBD7C09}]
@="CLSID_CAgentAcctImport"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{911685D1-350F-11d1-83B3-00C04FBD7C09}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
6f,00,65,00,61,00,63,00,63,00,74,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91643D00-4AFA-11D1-A520-000000000000}]
@="Windows Media Network Property Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91643D00-4AFA-11D1-A520-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\dxmasf.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91778246-9BE4-4713-A651-E833B853CC30}]
"AppID"="{B8C54A54-355E-11D3-83EB-00A0C92A2F2D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}]
@="InstallShield setup kernel"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32]
@="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\iKernel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID]
@="Setup.Kernel.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID]
@="Setup.Kernel"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9185F743-1143-4C28-86B5-BFF14F20E5C8}]
@="SpPhoneConverter Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9185F743-1143-4C28-86B5-BFF14F20E5C8}\InprocServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9185F743-1143-4C28-86B5-BFF14F20E5C8}\ProgID]
@="SAPI.SpPhoneConverter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9185F743-1143-4C28-86B5-BFF14F20E5C8}\TypeLib]
@="{C866CA3A-32F7-11D2-9602-00C04F8EE628}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9185F743-1143-4C28-86B5-BFF14F20E5C8}\VersionIndependentProgID]
@="SAPI.SpPhoneConverter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91888BF6-FED1-4acd-9CB1-6C2F80AE58A3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91888BF6-FED1-4acd-9CB1-6C2F80AE58A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\catsrvut.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9193A8F9-0CBA-400E-AA97-EB4709164576}]
@="MSVidCtl SBE Source to Closed Caption Composition Segment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9193A8F9-0CBA-400E-AA97-EB4709164576}\InprocServer32]
@="C:\\WINDOWS\\system32\\msvidctl.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9193A8F9-0CBA-400E-AA97-EB4709164576}\TypeLib]
@="{B0EDF154-910A-11D2-B632-00C04F79498E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91EA3F8B-C99B-11d0-9815-00C04FD91972}]
@="补充的外壳文件夹"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91EA3F8B-C99B-11d0-9815-00C04FD91972}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,72,00,\
6f,00,77,00,73,00,65,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92187326-72B4-11d0-A1AC-0000F8026977}]
@="游戏控制器 CPL Shell 扩展默认属性页"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92187326-72B4-11d0-A1AC-0000F8026977}\InprocServer32]
@="gcdef.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}]
@="BybShlExt Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}\InprocServer32]
@="C:\\WINDOWS\\byblos.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}\ProgID]
@="Byblos.BybShlExt.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}\TypeLib]
@="{922B6981-936B-11D5-9BF4-D10253D4F315}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{922B698F-936B-11D5-9BF4-D10253D4F315}\VersionIndependentProgID]
@="Byblos.BybShlExt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}]
@="prturl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\InprocServer32]
@="C:\\WINDOWS\\system32\\oleprn.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\ProgID]
@="OlePrn.PrinterURL.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92337A8C-E11D-11D0-BE48-00C04FC30DF6}\VersionIndependentProgID]
@="OlePrn.PrinterURL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}]
@="RowsetHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}\ExtendedErrors]
@="Extended Error Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}\ExtendedErrors\{92396AD0-68F5-11d0-A57E-00A0C9138C66}]
@="Rowset Helper Error Lookup Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}\InprocServer32]
@="C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}\ProgID]
@="RowsetHelper"

Edited by Vistuck, 11 April 2010 - 06:21 AM.
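The post above pastes a regedit export of HKLM\SOFTWARE\Classes\CLSID and asks what it does. Each CLSID key names a COM class, and its InprocServer32 (or LocalServer32) default value is the DLL or EXE that Windows loads whenever that class is instantiated, which is why a defender reads such exports as a list of load points. As an added example (not from the thread or from any tool it mentions), here is a Python parser for this .reg format, including the hex(2) REG_EXPAND_SZ values and their backslash-continued lines, that maps each CLSID to its server path and flags the entries worth a closer look. The sample export is constructed, modelled on entries from the pasted dump plus one made-up CLSID with an odd path; the list of expected root folders is an assumption for this example.

```python
"""Added example (not from the thread): parse a CLSID .reg export like the one
pasted above and list each COM class's server binary, flagging the entries a
defender would look at first."""
import re

# Constructed sample in regedit export format, modelled on the pasted dump.
# Continuation lines of a hex(2) value end in a backslash; the forum paste
# lost their leading spaces, so the parser strips leading whitespace anyway.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}]
@="MSDVDAdm Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D670533-270B-4549-B19B-414FB9C6EBDB}\InprocServer32]
@="C:\\WINDOWS\\system32\\mswebdvd.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\InProcServer32]
@="shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E6E6079-0CB7-11d2-8F10-0000F87ABD16}]
@="Offline Pages Cleaner"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E6E6079-0CB7-11d2-8F10-0000F87ABD16}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Made-up Example Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\Public\\example.dll"
"ThreadingModel"="Both"
'''


def _decode_hex2(payload: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def _decode_sz(payload: str) -> str:
    """Quoted REG_SZ value: drop the quotes and undo regedit's \\ and \" escapes."""
    return payload[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for every key in a .reg export."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        while line.endswith("\\") and i < len(lines):  # join continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, payload = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if payload.startswith('"'):
            value = _decode_sz(payload)
        elif payload.lower().startswith("hex(2):"):
            value = _decode_hex2(payload[7:])
        else:
            value = payload  # dword:, hex:, hex(7): left as written
        keys[current][name] = value
    return keys


SERVER_RE = re.compile(
    r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$", re.IGNORECASE)


def com_servers(keys: dict) -> dict:
    """Map CLSID -> (friendly name, server path) from the server subkeys' default values."""
    servers = {}
    for path, values in keys.items():
        m = SERVER_RE.search(path)
        if not m:
            continue
        parent = path[: path.rfind("\\")]
        name = keys.get(parent, {}).get("(Default)", "")
        servers[m.group(1)] = (name, values.get("(Default)", ""))
    return servers


# Assumption for this example: COM servers normally live under these roots.
EXPECTED_ROOTS = ("%systemroot%", "c:\\windows", "c:\\program files",
                  "c:\\progra~1", "%programfiles%")


def flag_unusual(servers: dict) -> list:
    """Return (clsid, name, path, reason) for the servers worth a closer look."""
    flagged = []
    for clsid, (name, path) in servers.items():
        p = path.strip('"').lower()
        if "\\" not in p:
            flagged.append((clsid, name, path,
                            "bare filename: found via DLL search order, verify which copy loads"))
        elif not p.startswith(EXPECTED_ROOTS):
            flagged.append((clsid, name, path, "outside the Windows / Program Files trees"))
    return flagged


if __name__ == "__main__":
    servers = com_servers(parse_reg(SAMPLE_REG))
    for clsid, (name, path) in servers.items():
        print(f"{clsid}  {name or '(no name)'}: {path}")
    for clsid, name, path, reason in flag_unusual(servers):
        print(f"CHECK {clsid} {path}: {reason}")
```

Run against the real export, the same two checks are what an analyst does by eye: a server path outside the system and program folders, or a bare filename whose copy on disk is not the one expected. A bare name such as shell32.dll is normal for Microsoft classes, so the flag is a prompt to confirm the loaded file, not a verdict. The export by itself, being a list of registered classes and their binaries, does not "do" anything until a program asks for one of those CLSIDs.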


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:25 PM

Posted 10 April 2010 - 12:27 PM

Hello there,

To be perfectly honest, I'm reading here a lot of "malware sci-fi".

The most likely cause is that either you are reinfecting your system by using infected data on secondary or removable drives/backups or you are downloading stuff that reinfects your system.

If you need help, please give a clear, short description of your problem. Post only relevant info (like: google searches are being redirected).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 Vistuck

Vistuck
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 10 April 2010 - 03:49 PM

Hello there,

To be perfectly honest, I'm reading here a lot of "malware sci-fi".

The most likely cause is that either you are reinfecting your system by using infected data on secondary or removable drives/backups or you are downloading stuff that reinfects your system.

If you need help, please give a clear, short description of your problem. Post only relevant info (like: google searches are being redirected).


First of all, you've every right to be skeptical, because the problem of malware resisting a clean reinstall of Windows is not something that's been documented, and I can't really prove it to you that this is occurring without shipping my PC to you. However, I don't think it's impossible or even improbable that malware developers would develop this type of defense mechanism. I believe they accomplish it by intervening in the reinstall process, remotely launching an unattended install script that either tells Windows to ignore the malware or allows the malware to be reinstalled during the OS install.

And, just for the record, I posted this thread not in the help forums but in general Windows 7 discussion forum, and a moderator moved it here. I'm not expecting anyone to fix this for me. If you would like to take a stab at it, I'll gladly follow your instructions to the letter.

EDIT TO ADD:

I'm going to try a little harder to provide solid evidence to back up my story.

Looks like I can't post photos via the edit tool, so I'm gonna have to double-post.

Edited by Vistuck, 11 April 2010 - 12:17 AM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:25 PM

Posted 11 April 2010 - 01:53 AM

I don't think it's impossible or even improbable that malware developers would develop this type of defense mechanism. I believe they accomplish it by intervening in the reinstall process,

This is possible under one condition: in case your version of Windows is pirated. Malware writers could have entered some code into the normal installation.

Otherwise it's impossible, for the simple reason that no internet connection is possible during the installation.

Again, please provide a short description of the problems you are having.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#6 Vistuck

Vistuck
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 11 April 2010 - 04:25 AM

I'll try to be more succinct this time, but since I can't find any record of anyone having the same issue, I don't necessarily know what's relevant and what isn't. I can at least provide some of the basis for my "malware sci-fi" claims:

CLAIM 1: The malware hijacks Windows' security certificate authentication system, thus rendering certificates useless as a security measure.

EVIDENCE: This is one of those "picture is worth 1,000 words" moments.

Posted Image

"I beg your pardon? Task Mana who? Sorry, never heard of 'em. Try the Linux box down the street."


CLAIM 2: The malware is active in a Windows pre-install/recovery environment (it doesn't need Windows to be running in order to cause trouble.)

Again, I'll use photos here, but just to set the scene, I'm using a Norton Anti-Virus 2010 recovery boot CD here to demonstrate how this malware interferes with a normal direct-from-DVD boot. I could use the Windows 7 DVD, but it's easier to prove my case using the Norton DVD. And just in case you're wondering:

Posted Image

Posted Image

Yes, mine are real. So no chance of infection from bad boot media here.

OK, so I hope we can agree that when you boot into Windows from a recovery DVD, it usually creates a temporary boot drive labeled as the "X: Drive." The following pics show the file system tree that gets generated when I boot directly from the Norton recovery DVD. Keep in mind that this X: Drive doesn't exist in regular Windows, and that it is made up only of files contained on the boot DVD. I think I can demonstrate that some of the files in MY X-drive have no business being there.

Everything I'm gonna show you is listed under this Drive, X:.

Posted Image

Here are lots of files that could not possibly be included in a store-bought Norton Anti-Virus recovery DVD:

Posted Image

Internet Explorer? You can't even USE Internet Explorer in the Norton recovery environment, so it hardly makes sense that they'd put it on their DVD.

Posted Image

And Windows PXE, for booting into Windows remotely over a network? Why would that be included on a Norton boot DVD? Again, the recovery DVD does not let users access the Internet at all.

Posted Image

Remote access? For who? And for what purpose?

Posted Image

Downloads? Music? Pictures? Video? This one really takes the cake. No way that would be on a Norton recovery boot DVD. All you can do from the DVD is run a (useless, in my case) scan, open a command prompt or transfer files to a removable drive. These folders look like regular old Windows folders.

So what does it mean? Why are those folders there? I think it's because the malware has a protected store of files and folders that it slipstreams into the temporary X: drive's file system whenever the infected user attempts to boot clean from a Windows DVD. The malware thinks the Norton DVD is a Windows DVD because it's bootable and Windows-based, and so it slipstreams those same folders and files into the X: drive image when the user boots from the Norton DVD. If my explanation is wrong, I would love for someone to set me straight and explain how else this could be happening.


CLAIM 3: The malware does not get deleted during a full Windows reinstall, even when booting from the Windows DVD.

Earlier today I formatted a hard drive and installed Windows 7 onto it, booting from the Windows upgrade DVD and choosing "Custom Install," which is the option you choose when you need to do a clean install. (At that time there would have been no OS present on the hard drive to upgrade from.) Microsoft allows you to do a clean install from the upgrade-only DVD, but they call it a "custom install." I imagine if they called it a clean install, it would be harder for Microsoft to explain to people why they charge like $50 more for the standalone Windows 7 product. But I digress...

Here are some pics taken immediately following the fresh, custom install. My PC is connected to nothing except a mouse, keyboard and a standard monitor. And what do I find?

Posted Image

First off, hundreds of copies of the file "Desktop.ini." Correct me if I'm wrong, but the presence of THIS many Desktop.ini files is a pretty clear sign of malware infection. As I understand it, the malware takes advantage of a Windows process that scans folders for desktop.ini files and uses the information contained within them to automatically update the registry. So it's a way for malware to change the registry without gaining access to it directly.

Posted Image

Oh, hey! It's a bunch of Norton junk! And I haven't even installed Norton AV yet, or come within 100 feet of this hard drive with the Norton disc! Where on earth did these folders come from? This is not even the same HARD DRIVE I had connected when I booted from the Norton recovery DVD. This one was (according to Windows) formatted and empty when I installed the OS. Even better, there's a text file inside labeled "key.txt," and inside it is my product key that came with the Norton Anti Virus program! No wonder those Norton scans never find anything...

Finally, I booted into Norton Recovery mode and ran GMER, which I copied over from a flash drive (the kind that you can lock into read-only mode). I had loaded GMER onto the (brand new) flash drive at a friend's office. I'm pretty sure the flash drive is clean. To my surprise, it actually found something, which it usually does not.

Posted Image

Posted Image

Posted Image

Posted Image

Posted Image

My machine crashed shortly thereafter. I did manage to write down the names of the bad files I saw:
aglcrpod.sys
netbt.sys
tcpip.sys
tdx.sys
axliykod.sys
usbstor.sys

And bad services:
Dhcp
Imhosts
USBSTOR

There might have been even more. I can't seem to find them or delete them. I tried again with GMER and the next time it didn't show anything in red like it did the first time. At least I got some sort of evidence to post here. People need to know that some malware can survive a Windows reinstall. This is no joke.

**Edited to replace incorrect pic showing "remote access" folder -- And again to add to my list other malware visible in the photos.**

Edited by Vistuck, 11 April 2010 - 06:10 AM.


#7 Vistuck

Vistuck
  • Topic Starter
  • Members
  • 21 posts

Posted 11 April 2010 - 05:12 AM

(Vistuck) I don't think it's impossible or even improbable that malware developers would develop this type of defense mechanism. I believe they accomplish it by intervening in the reinstall process,

(Elise) This is possible under one condition: in case your version of Windows is pirated. Malware writers could have entered some code into the normal installation.

Otherwise it's impossible, for the simple reason that no internet connection is possible during the installation.

Again, please provide a short description of the problems you are having.


If the malicious file or files never get deleted from the hard drive in the first place, the infected PC would not have to be connected to the Internet. It would be infected already.

I understand why you're saying it's impossible, but you're taking all of this at face value. I'm arguing for the possibility that the malware developer has figured out a new misdirection or obfuscation to fool the Windows OS, or the user, into leaving it alone during the reinstallation process. Maybe it hijacks BitLocker to encrypt/hide itself. Maybe it uses some type of virtual machine that simply fakes the reinstall process entirely. Maybe it uses a stealthy deployment of EFS, which can practically boot off two tin cans and a piece of fishing line.

I'm not suggesting that the laws of the universe have ceased to hold sway over my PC. I know it's got to be some sort of trick. All I'm asking for is someone to help me figure out where the trapdoor and the hidden wires are.

EDIT TO ADD:

Elise, I want to make sure you know that I really appreciate your time and respect your opinion. You are the expert here, not me. It's just that my PC is doing things everyone says are impossible, and so in this one particular instance I am in the unique position of knowing that these things are indeed possible. My hope is that we can eventually move beyond the doubting phase and into the solution-seeking phase. I will provide you with whatever information, logs, photos, etc., that would help make that happen. Thanks again for your time.

Edited by Vistuck, 11 April 2010 - 05:55 AM.


#8 Elise

Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 11 April 2010 - 05:56 AM

Okay, this helped clarify your problems and doubts a great deal :flowers:

Before entering into more detailed explanations, let me assure you everything you showed is perfectly normal and NOT a sign of malware.

Of course I am not going to make this claim without explaining...

CLAIM 1: The malware hijacks Windows' security certificate authentication system, thus rendering certificates useless as a security measure.

This is caused by many software developers not digitally signing their files anymore (including Microsoft). It can be confusing, but is in fact completely harmless.

(Vistuck) First off, hundreds of copies of the file "Desktop.ini." Correct me if I'm wrong, but the presence of THIS many Desktop.ini files is a pretty clear sign of malware infection. As I understand it, the malware takes advantage of a Windows process that scans folders for desktop.ini files and uses the information contained within them to automatically update the registry. So it's a way for malware to change the registry without gaining access to it directly.

Nothing that dramatic :trumpet: Those files are perfectly normal and usually not seen because they're hidden.
To hide them, follow the steps here
These files are used by Windows to store certain folder settings.

(Vistuck) Finally, I booted into Norton Recovery mode and ran GMER,

Those two don't go together :thumbsup: TBH, I am surprised you got it to run. I'm also not surprised by the results.
GMER is designed to detect rootkits on Windows. The reason is simple. Windows (32-bit) is the only OS that can get infected by a rootkit. Rootkits are designed to run on 32-bit operating systems (Windows only).
When GMER runs on Windows, it whitelists certain hidden processes because they're legit and will always run. If GMER didn't do that, the log would be huge.
However, since GMER isn't designed to run in the Norton PE, it sees Norton's legit processes/services, decides those are NOT normal on Windows, and thus they show up in the log.

To make it easier for you to understand why rootkits or other advanced malware only target Windows 32-bit, keep the following in mind: the goal of malware is making money. Therefore malware is interested in things like stealing sensitive information like passwords or banking information, credit card numbers, or in scaring users into buying their product. I think you might find this topic of interest as well.
For that reason, malware writers target the most widespread OS: Windows 32-bit. 64-bit users, such as yourself, have the advantage that their system is very well protected and rootkits (designed for 32-bit) have no ability to install.
Now you may ask, why don't they develop a 64-bit rootkit? Well, why would they? It would be a lot of trouble for nothing. Most computer users still have Windows 32-bit. Why go through all the trouble to develop a 64-bit compatible rootkit if the gain is so small?

(Vistuck) OK, so I hope we can agree that when you boot into Windows from a recovery DVD, it usually creates a temporary boot drive labeled as the "X: Drive."

This is true. It is also known as a Preinstallation Environment (PE). The X drive you refer to is just plain RAM (memory). The CD loads the OS (which is the PE) into RAM, which is very handy when you need to troubleshoot a system that can no longer boot.

(Vistuck) So what does it mean? Why are those folders there? I think it's because the malware has a protected store of files and folders that it slipstreams into the temporary X: drive's file system whenever the infected user attempts to boot clean from a Windows DVD.

This is technically impossible and thus "malware sci-fi" :inlove:
The reason for this is simple: when booting up with a CD (whether that's Windows or Norton or something else), the computer uses the CD as the boot disk. The CD dumps its content directly into RAM and the hard disk is not accessed. This is a hardware condition. No malware stored on the hard disk can be active at this point because the hard disk is not accessed/used. You can boot up from a CD without a hard disk even being connected.
Those folders are there because they are compressed on the CD and unpacked in RAM (the X drive).

(Vistuck) And Windows PXE, for booting into Windows remotely over a network? Why would that be included on a Norton boot DVD? Again, the recovery DVD does not let users access the Internet at all.

The folders in the menu (of your picture) are your C drive's folders. You can access those from the PE (this is also the goal of the PE, the ability to repair damage and/or rescue personal data).
Most PEs offer the possibility to go online, together with a browser. This is handy in many cases (for example, we often use PEs in the forums when users can no longer boot. That way they can more easily post their logs).
I haven't tested the Norton boot DVD, but I can easily deduce they have a good reason to offer network support: if you want to use it to remove malware, you will be able to download the latest virus definitions. For that same reason they also include a browser.

As a general note, when browsing inside a PE, be aware you can browse in more drives (below is just an example):
X:\ <-- this is the RAM loaded PE
C:\ <-- this is your harddisk
D:\ <-- this is your CD drive (where the PE boot CD is located)
E:\ <-- this is a flashdrive/partition/external drive

Note that X will not contain the same file/folder structure as D.

I hope I covered all items here, if you have more questions, please let me know :huh:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
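A way to check what those desktop.ini files actually contain instead of counting them. This is an added example for this thread, not code from either poster, from Microsoft or from Norton. It relies on two facts about Explorer: a folder's desktop.ini is only honoured when the folder itself carries the ReadOnly or System attribute, and only the [.ShellClassInfo] keys listed in KNOWN_KEYS mean anything to it. The two sample files, the 192.0.2.10 share and the folder names in demo() are constructed; the script runs on any platform, and the attribute check only has something to read on Windows.

```python
"""Triage desktop.ini files under a volume root (or an offline copy of one).

Added example for this thread, not code from the posts, from Microsoft or
from Norton. It relies on two facts about Explorer: a folder's desktop.ini
is only honoured when the folder carries the ReadOnly or System attribute,
and only the [.ShellClassInfo] keys in KNOWN_KEYS mean anything to it.
The two samples at the bottom are constructed for demo().
"""
import codecs
import configparser
import re
import stat
import tempfile
from pathlib import Path

# [.ShellClassInfo] keys Explorer understands (matched case-insensitively).
KNOWN_KEYS = {
    "localizedresourcename", "infotip", "iconfile", "iconindex", "iconresource",
    "clsid", "clsid2", "uiclsid", "confirmfileop", "nosharing", "defaultdropeffect",
}
RESOURCE_KEYS = ("iconfile", "iconresource", "infotip", "localizedresourcename")
UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\server\share\...


def parse_desktop_ini(text):
    """Parse desktop.ini text into {section: {key: value}}, names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return {s.lower(): {k: (v or "") for k, v in cp[s].items()} for s in cp.sections()}


def triage(text):
    """Findings for one desktop.ini; an empty list means the usual folder cosmetics."""
    try:
        info = parse_desktop_ini(text).get(".shellclassinfo", {})
    except configparser.Error as exc:
        return [f"not parseable as INI ({exc.__class__.__name__}); Explorer would ignore it"]
    findings = []
    for key, value in info.items():
        if key not in KNOWN_KEYS:
            findings.append(f"unexpected key {key}: Explorer ignores it, so what wrote it?")
        if key in RESOURCE_KEYS and UNC_RE.match(value.lstrip("@")):
            findings.append(f"{key} loads from UNC path {value}: Explorer will open an SMB "
                            "connection to that host just to render the folder")
        if key in ("clsid", "clsid2") and value:
            findings.append(f"{key}={value}: Explorer shows that shell object instead of "
                            "the folder contents; confirm the GUID is one you expect")
    return findings


def folder_is_special(folder):
    """True/False if the folder has ReadOnly or System set; None where not exposed (non-Windows)."""
    attrs = getattr(Path(folder).stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & (stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_SYSTEM))


def read_ini_text(path):
    """Read desktop.ini as text; Windows often writes these as UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def scan(root):
    """{path: findings} for every desktop.ini under root that produced findings."""
    results = {}
    for ini in Path(root).rglob("*.ini"):
        if ini.name.lower() != "desktop.ini":
            continue
        findings = triage(read_ini_text(ini))
        if findings and folder_is_special(ini.parent) is False:
            findings.append("folder lacks ReadOnly/System, so Explorer does not honour this file")
        if findings:
            results[str(ini)] = findings
    return results


# Constructed samples: a stock-looking file and one worth a second look.
BENIGN = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21770
IconResource=%SystemRoot%\system32\imageres.dll,-112
"""
SUSPICIOUS = r"""[.ShellClassInfo]
CLSID2={645FF040-5081-101B-9F08-00AA002F954E}
IconResource=\\192.0.2.10\share\folder.ico,0
"""


def demo():
    """Write both samples into a temporary tree (one as UTF-16) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Documents" / "desktop.ini").write_text(BENIGN, encoding="utf-8")
        (root / "loot").mkdir()
        (root / "loot" / "desktop.ini").write_bytes(
            codecs.BOM_UTF16_LE + SUSPICIOUS.encode("utf-16-le"))
        return {Path(p).parent.name: f for p, f in scan(root).items()}


if __name__ == "__main__":
    for folder, findings in demo().items():
        print(folder)
        for finding in findings:
            print("  -", finding)
```

Run it against a mounted volume with scan(Path(r"C:\")) or against an offline copy. A file that only sets LocalizedResourceName or IconResource to something under %SystemRoot% is the normal case described above; an icon or tooltip resource on a UNC share, or a CLSID2 redirect, is the kind of entry worth opening in an editor and tracing to whatever created the folder.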


#9 Vistuck

Vistuck
  • Topic Starter
  • Members
  • 21 posts

Posted 11 April 2010 - 08:50 AM

(Elise) Okay, this helped clarify your problems and doubts a great deal :thumbsup:
Before entering into more detailed explanations, let me assure you everything you showed is perfectly normal and NOT a sign of malware.


Hi again. Your explanation about Desktop.ini, GMER and Norton PE all make good sense, so I do feel better about those now. Thanks.

However, there are still two major problems with my PC that I don't understand. I'll jump ahead to that part and then ask my follow-up question:

(Elise) The X drive you refer is just plain RAM (memory). The CD loads the OS (which is the PE) in RAM, which is very handy when you need to troubleshoot a system that can no longer boot.


(Vistuck) So what does it mean? Why are those folders there? I think it's because the malware has a protected store of files and folders that it slipstreams into the temporary X: drive's file system whenever the infected user attempts to boot clean from a Windows DVD.



(Elise) This is technically impossible and thus "malware sci-fi" :flowers:
The reason for this is simple: when booting up with a CD (whether thats windows or norton or something else), the computer uses the CD as boot disk. The CD dumps its content directly in the RAM and the harddisk is not accessed. This is a hardware condition. No malware stored on the harddisk can be active at this point because the harddisk is not accessed/used. You can boot up from a CD without a harddisk even being connected.
Those folders are there because they are compressed on the CD and unpacked in the RAM (X drive).



And goes on to say...

The folders in the menu (of your picture), are your C drives folder. You can access those from the PE (this is also the goal of the PE, the ability to repair damage and/or rescue personal data).


Could you please explain why you said those folders are on my C drive, and not on X? Every one of them was listed under X. The C drive had its own separate section entirely. I can take some more pics if necessary to prove this, but I assure you I was paying very close attention. The only reason it concerned me in the first place was because those files and folders are shown on the X drive. If they were on C, I would not have thought anything was wrong.

(Elise) I hope I covered all items here, if you have more questions, please let me know :trumpet:


I do still have one more unanswered question: How did Norton Anti-Virus appear on my clean install of Windows 7, with my product ID already stored? I absolutely did not install NAV on there. That's a pretty major issue, which I don't think you addressed in your previous post.

EDIT TO ADD:

My question above is phrased poorly. What I meant to ask is, can you think of any legitimate ways in which NAV could show up as being installed on a fresh Windows install, when I had not yet installed it?

Thanks again!

Edited by Vistuck, 11 April 2010 - 08:57 AM.


#10 Elise

Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 11 April 2010 - 09:25 AM

(Vistuck) Could you please explain why you said those folders are on my C drive, and not on X? Every one of them was listed under X.

Sorry, I misunderstood that.
Since X is RAM, you can easily deduce there is no way all folders on your hard disk were actually on X (RAM is only a few GB, whereas your drive will be a lot bigger). Most likely these are so-called mountpoints. They are created to allow you to mount (or make accessible) your C drive. Since Vista they are often used in Windows also. They appear to be folders but in fact are some kind of reference point.

(Vistuck) My question above is phrased poorly. What I meant to ask is, can you think of any legitimate ways in which NAV could show up as being installed on a fresh Windows install, when I had not yet installed it?

Look at your Windows 7 documentation to see if it didn't already come with Norton preinstalled.
Its also possible that your ISP (Internet Service Provider) automatically installs Norton when you install the software you need to get your internet to work.
Or it was installed automatically when you used the Norton boot DVD.

Maybe also good to think about: why on earth would malware want to install Norton on your computer?

regards, Elise



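To check the mount-point explanation rather than take it on faith, list what is actually under the X: root: a junction or volume mount point is a reparse point and reports a target, while a copied folder is a plain directory with none. This is an added example, not code from the thread. It assumes Python 3.8 or later (os.readlink resolves junctions from that version on Windows); demo() uses a symlink as a stand-in for a junction so it runs on any platform (on Windows, creating it needs the symlink privilege), and the file and folder names in it are constructed.

```python
"""List the entries under a volume root and say which are reparse points
(junctions, volume mount points, symlinks) rather than real folders.

Added example for this thread, not code from the posts. Needs Python 3.8+
(os.readlink handles junctions from that version on Windows). demo() uses a
symlink as a stand-in for a junction; the names in it are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path


def entry_kind(path):
    """('reparse'|'dir'|'file', target) for one path, never following links.

    On Windows st_file_attributes carries the REPARSE_POINT bit for junctions
    and mount points as well as symlinks; elsewhere only S_ISLNK applies.
    """
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT or stat.S_ISLNK(st.st_mode):
        try:
            target = os.readlink(path)
        except OSError:  # e.g. a volume mount point with no readable link text
            target = "<unresolved reparse point>"
        return "reparse", target
    return ("dir" if stat.S_ISDIR(st.st_mode) else "file"), None


def classify(root):
    """{name: (kind, target)} for every entry directly under root, hidden ones included."""
    return {p.name: entry_kind(p) for p in sorted(Path(root).iterdir())}


def demo():
    """Constructed tree: a real folder, a file, and a link standing in for a junction."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "boot.wim").write_bytes(b"MSWIM\0\0\0")  # placeholder bytes, not a real WIM
        os.symlink(root / "Windows", root / "Program Files", target_is_directory=True)
        return classify(root)


if __name__ == "__main__":
    for name, (kind, target) in demo().items():
        print(f"{kind:8} {name}" + (f" -> {target}" if target else ""))
```

From inside the PE, classify("X:\\") shows whether "Program Files" and friends there are reparse points aimed at C: or real directories unpacked from the boot image; either answer settles the question without guessing.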

#11 Vistuck

Vistuck
  • Topic Starter
  • Members
  • 21 posts

Posted 11 April 2010 - 12:59 PM

(Elise) Maybe also good to think about: why on earth would malware want to install Norton on your computer?

Haha -- I don't think it would! I'm worried that Norton AV is still there from the previous Windows install. Which would mean other, undesirable files could still be there, too.

Norton Anti-Virus definitely does not come installed with Windows 7, and there is no way I can think of for it to have "self-installed," so to speak.

I'll reinstall Windows again just to make sure I'm not mistaken. Maybe I installed it in my sleep?

Also, I've been thinking: Even if GMER does have a conflict with Norton PE that's causing GMER to report false positives, what the heck is Norton PE doing running services like "TCPIP," "IMHOSTS" and "NETBT?" Those are all networking-related, and my PC was not even connected to the Internet. I'm just asking, doesn't that seem kind of strange?

Edited by Vistuck, 11 April 2010 - 01:06 PM.


#12 Elise

Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania
Posted 11 April 2010 - 01:31 PM

(Vistuck) Maybe I installed it in my sleep?

:thumbsup: That was one bad nightmare I'm sure...

To understand why it is impossible for Norton to have remained from a previous install, consider the following.

When someone installs Norton, all Norton files are copied in the right locations, after that they are registered. This means, references and settings for those files are stored in the Windows Registry. If those files were not registered, the program wouldn't be able to function.

When you reformat a drive, all data on a drive is wiped. There is no way one program can remain on a drive. And even in the theoretical case it does, there is no way it could run.

Another option is that the Norton program was on the driver CD for your computer (for example, my driver CD contains a copy of McAfee that gets installed if I allow all content to install).

regards, Elise




#13 Vistuck

Vistuck
  • Topic Starter
  • Members
  • 21 posts

Posted 12 April 2010 - 04:03 PM

Well in any case it's not worth worrying about in the absence of any other problems, and since we've been corresponding I have not experienced any other issues with my PC. I uninstalled Norton and decided to try Microsoft Security Essentials for a while. (SE provides adequate virus protection, doesn't it?)

Thanks for clearing up my scary malware sci-fi fantasies.

#14 Layback Bear

Layback Bear
  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 12 April 2010 - 09:37 PM

I have read all of this and there is a lot. Damn, elise025, you are sharp. I hope I'm not jumping on someone's post, but could this be caused by a bad copy of Norton?

#15 Elise

Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 13 April 2010 - 02:06 AM

@Vistuck, I'm very happy to hear that :thumbsup: Please let me know if you have any more questions.

@Layback bear, what do you mean, I don't see anything out of the ordinary, and so, I don't see what could've been caused by a bad copy of Norton :flowers:

regards, Elise






