Infection With Some Sort Of Adware Trojan/rootkit


9 replies to this topic

#1 Random_Name (Members, 6 posts)

Posted 25 November 2005 - 06:29 AM

Hello,

One of our customers has brought in a personal laptop (WinXP Home SP2) that was in quite a state. The initial Ad-aware/Spybot clean in safe mode got rid of about 600 items - pretty standard. The AVG scan found a load of trojans, again pretty standard.

The problem is, there is still something there. Now and again AVG detects a trojan with a non-descriptive name (e.g. PSW.Generic.EIG) but these will keep coming back. Also (and this is the main problem) every minute or so a bunch of web-browser windows (IE or Firefox) would open up with ads on them. Also, rather pretty free-floating ads would appear on the desktop without a web-browser (I can post a screenshot, if this is possible.)

A rootkit revealer scan showed some nasty stuff going on (see logs below.) Having spent a day on this bloody laptop I got fed up and went for the semi-nuclear option of a Windows repair from the install disk. But... it did not work :thumbsup: The only option I can think of is a reformat+reinstall job.

After the repair attempt, I installed a firewall to see what exactly was happening. I got 3 processes trying to go out to the web (blocked all 3):

#1 is legit (I think) - NDIS User I/O (ndisuio.sys)
#2 + #3 are bad: c:\windows\system32\rundll32.exe (user process) and c:\windows\system32\winlogon.exe (system process - unkillable) are both trying to go out to ad-w-a-r-e.com and a-d-w-a-r-e.com - kinda gives it away.

Anyway, here are some logs for your pleasure. With the firewall blocking those connections the malware doesn't detect that there is an internet connection and stays dormant, so I will probably return the laptop to the customer and recommend he sends it to us with all the driver/recovery CDs for a full reinstall. This is the first time I have failed to clean a computer :flowers: I am now even more grateful that I run Linux.

### HijackThis Log ###

Logfile of HijackThis v1.99.1
Scan saved at 10:33:54, on 25/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\JOHNKE~1\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132857491500
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\fpnu0359e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


### Startup List Log (verbose option) ###

StartupList report, 25/11/2005, 10:34:30
StartupList version: 1.52
Started from : C:\Desktop\startuplist1521\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using verbose mode
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Desktop\startuplist1521\StartupList.exe

This lists all processes running in memory, which are all active
programs and some non-exe system components.

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

These are Windows NT/2000/XP specific startup locations. They
execute when the user logs on to his workstation.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AGRSMMSG = AGRSMMSG.exe
Apoint = C:\Program Files\Apoint2K\Apoint.exe
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

The Shell key from SYSTEM.INI tells Windows what file handles
the Windows shell, i.e. creates the taskbar, desktop icons etc. If
programs are added to this line, they are all ran at startup.
The SCRNSAVE.EXE line tells Windows what is the default screensaver
file. This is also a leftover from Windows 3.x and should not be used.
(Since Windows 95 and higher stores this setting in the Registry.)
The 'drivers' line loads non-standard DLLs or programs.

--------------------------------------------------


Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1132857491500

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

The items in Download Program Files are programs you downloaded and
automatically installed themselves in MSIE. Most of these are Java
classes Media Player codecs and the likes. Some items are only
visible from the Registry and may not show up in the folder.

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

This Registry key lists several system components are loaded at
system startup. Not much is known about this key since it is
virtually undocumented and only used by programs like the Volume
Control, IE Webcheck and Power Management icons. However, a
virus/trojan in the form of a DLL can also load from this key.
The Hitcap trojan is an example of this.

--------------------------------------------------
End of report, 5,294 bytes
Report generated in 0.032 seconds

### RootkitRevealer Log ###

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/25/2005 10:43 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 11/25/2005 10:43 4 bytes Data mismatch between Windows API and raw hive data.
C:\$VAULT$.AVG\03595765.FIL 11/25/2005 10:54 75.84 KB Hidden from Windows API.
C:\Documents and Settings\User_Name_Hidden\Local Settings\Temp\Temporary Internet Files\Content.IE5\G9EF0DUZ\0b28d9f76676a000[1].htm 11/25/2005 10:53 1.73 KB Hidden from Windows API.
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000672.exe 11/24/2005 17:51 75.50 KB Hidden from Windows API.
C:\WINDOWS\system32\dvdaba.exe 11/23/2005 13:45 75.50 KB Visible in Windows API, but not in MFT or directory index.

### Sygate Connection attempt log (only for one of the 2) ###

File Version : 5.1.2600.2180
File Description : Run a DLL as an App (rundll32.exe)
File Path : C:\WINDOWS\system32\rundll32.exe
Process ID : 0xEB4 (Heximal) 3764 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 10.169.77.164
Local Port : 1088
Remote Name : www.ad-w-a-r-e.com
Remote Address : 64.192.130.151
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 92)
Destination: 00-50-8b-63-dd-47
Source: 00-02-3f-22-a2-74
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 48
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xdf2d (Correct)
Source: 10.169.77.164
Destination: 64.192.130.151
Transmission Control Protocol (TCP)
Source port: 1088
Destination port: 80
Sequence number: 1280983002
Acknowledgment number: 0
Header length: 44
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x9589 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 50 8B 63 DD 47 00 02 : 3F 22 A2 74 08 00 45 00 | .P.c.G..?".t..E.
0010: 00 40 01 35 40 00 30 06 : 2D DF 0A A9 4D A4 40 C0 | .@.5@.0.-...M.@.
0020: 82 97 04 40 00 50 4C 5A : 3F DA 00 00 00 00 B0 02 | ...@.PLZ?.......
0030: FF FF 89 95 00 00 02 04 : 05 B4 01 03 03 03 01 01 | ................
0040: 08 0A 00 00 00 00 00 00 : 00 00 01 01 04 02 44 46 | ..............DF
0050: 46 46 45 46 41 43 41 00 : 00 20 00 01 | FFEFACA.. ..


### WHOIS lookup for ad-w-a-r-e.com ###

Domain Name: AD-W-A-R-E.COM
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS3.AD-W-A-R-E.COM
Name Server: NS4.AD-W-A-R-E.COM
Status: REGISTRAR-LOCK
Updated Date: 30-sep-2005
Creation Date: 11-jun-2004
Expiration Date: 11-jun-2009


>>> Last update of whois database: Fri, 25 Nov 2005 02:25:39 EST <<<


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com
Domain Name: AD-W-A-R-E.COM
Created on: 11-Jun-04
Expires on: 11-Jun-09
Last Updated on: 24-Mar-05

Administrative Contact:
Private, Registration AD-W-A-R-E.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599
Technical Contact:
Private, Registration AD-W-A-R-E.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599

Domain servers in listed order:
NS3.AD-W-A-R-E.COM
NS4.AD-W-A-R-E.COM
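The Sygate entry in this post gives the flow tuple and a raw hex dump of the blocked SYN. As an added example (not code from the post, from Sygate or from BleepingComputer), the following Python turns that dump back into bytes, parses the Ethernet/IPv4/TCP headers and recomputes both checksums, so the destination the firewall reported can be checked against the bytes rather than taken on trust. The dump is embedded as constructed input copied from the post. One thing it shows that the log alone does not: Sygate prints the checksum fields byte-swapped (0xdf2d and 0x9589); recomputed from the wire bytes they are 0x2ddf and 0x8995, and both verify, so the frame is intact and 64.192.130.151:80 is exactly where rundll32.exe was heading.

```python
"""Decode and verify the TCP SYN that Sygate logged.

Added example, not from the thread and not part of Sygate: it turns the hex
dump printed in the post back into bytes, parses Ethernet/IPv4/TCP, and
recomputes both checksums so the flow tuple can be trusted before anyone
blocks or reports it.  Sygate prints the checksum fields byte-swapped
(0xdf2d / 0x9589); on the wire they read 0x2ddf / 0x8995.
"""
import struct

# Constructed input: the "Binary dump of the packet" from the post, gutter and all.
SYGATE_DUMP = """
0000: 00 50 8B 63 DD 47 00 02 : 3F 22 A2 74 08 00 45 00 | .P.c.G..?".t..E.
0010: 00 40 01 35 40 00 30 06 : 2D DF 0A A9 4D A4 40 C0 | .@.5@.0.-...M.@.
0020: 82 97 04 40 00 50 4C 5A : 3F DA 00 00 00 00 B0 02 | ...@.PLZ?.......
0030: FF FF 89 95 00 00 02 04 : 05 B4 01 03 03 03 01 01 | ................
0040: 08 0A 00 00 00 00 00 00 : 00 00 01 01 04 02 44 46 | ..............DF
0050: 46 46 45 46 41 43 41 00 : 00 20 00 01 | FFEFACA.. ..
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def hexdump_to_bytes(dump):
    """Strip the offset column, the ':' group separator and the ASCII gutter."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0].split(":", 1)[1].replace(":", " ")
        out += bytes(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(blob):
    """Walk the option list; NOP (kind 1) is a single byte, the rest are TLV."""
    opts, i = {}, 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = blob[i + 1]
        val = blob[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", val)[0]
        elif kind == 3:
            opts["wscale"] = val[0]
        elif kind == 4:
            opts["sack_ok"] = True
        elif kind == 8:
            opts["timestamps"] = struct.unpack("!II", val)
        i += length
    return opts


def decode_frame(frame):
    """Return the fields a firewall log should agree with, plus checksum verdicts."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    src, dst = ip[12:16], ip[16:20]
    ip_hdr = ip[:ihl]
    ip_cksum = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_ok = checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_cksum

    tcp = ip[ihl:total_len]               # only what the IP total length covers
    sport, dport, seq, ack, off_flags, win, tcp_cksum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_ok = checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == tcp_cksum

    return {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "dst_mac": ":".join("%02x" % b for b in frame[:6]),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": "|".join(n for bit, n in TCP_FLAGS if off_flags & bit),
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "ip_checksum": ip_cksum, "ip_checksum_ok": ip_ok,
        "tcp_checksum": tcp_cksum, "tcp_checksum_ok": tcp_ok,
        # bytes the firewall captured past the IP total length; not TCP data
        "trailer_len": len(frame) - 14 - total_len,
    }


if __name__ == "__main__":
    p = decode_frame(hexdump_to_bytes(SYGATE_DUMP))
    print("%s:%d -> %s:%d %s ttl=%d ip_cksum=%s tcp_cksum=%s" % (
        p["src_ip"], p["sport"], p["dst_ip"], p["dport"], p["flags"], p["ttl"],
        "ok" if p["ip_checksum_ok"] else "BAD", "ok" if p["tcp_checksum_ok"] else "BAD"))
```

The parser trusts the IP total length (64 bytes) rather than the Ethernet length (92), so the 14 bytes that Sygate captured after the segment are reported as trailer_len and never mistaken for TCP payload; with MSS, window scaling, timestamps and SACK-permitted all present in the options, the SYN is an ordinary Windows XP connection attempt rather than anything crafted.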


#2 Guest_Cretemonster_* (Guest)

Posted 25 November 2005 - 08:45 AM

Howdy Random_Name and Welcome to the Bleeping Computer!

The PC has what's known as the Look2me infection and it's just no fun at all.

Please Download the l2mfix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


If you receive any errors while attempting to run Option 1 of the l2mfix similar to these

C:\windows\system32\cmd.exe or C:\windows\system32\autoexec.nt

"The system file is not suitable for running ms-dos and microsoft windows applications"

Choose "Close to terminate the application"


Then please use option 5 of the l2mfix or the web page link in the l2mfix folder to solve this error condition.

DO NOT run the fix portion without repairing this first.

#3 Random_Name (Topic Starter, Members, 6 posts)

Posted 25 November 2005 - 09:19 AM

### Log file as requested ###

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpnu0359e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F561CD56-B892-67F1-8231-E5B9057FC073}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{92DFB27A-2977-461F-A62A-85E4365D7B00}"=""
"{BFC95294-1BDF-4B4B-A552-F111CFE49C40}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{2166F251-660A-425F-9674-5A42DFA540C9}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}"=""
"{E05C9BB1-C199-4F3E-BCCB-3034A2226781}"=""
"{DAF8FFFA-F752-422A-9650-0A56422F9420}"=""
"{5E4390C8-3F50-4113-943A-E639C4C40ABF}"=""
"{738FD0BB-1D82-4BB0-86D7-9529C608B00E}"=""
"{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}"=""
"{E7617006-5F39-4004-9A6A-FB5AFD8A916D}"=""
"{61A7F6A3-5367-41FA-9673-084B8226BBD4}"=""
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{92DFB27A-2977-461F-A62A-85E4365D7B00}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{92DFB27A-2977-461F-A62A-85E4365D7B00}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{92DFB27A-2977-461F-A62A-85E4365D7B00}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{92DFB27A-2977-461F-A62A-85E4365D7B00}\InprocServer32]
@="C:\\WINDOWS\\system32\\IW41_QCX.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\kldbe.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtsdmod.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E05C9BB1-C199-4F3E-BCCB-3034A2226781}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E05C9BB1-C199-4F3E-BCCB-3034A2226781}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E05C9BB1-C199-4F3E-BCCB-3034A2226781}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E05C9BB1-C199-4F3E-BCCB-3034A2226781}\InprocServer32]
@="C:\\WINDOWS\\system32\\ilrdbg32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DAF8FFFA-F752-422A-9650-0A56422F9420}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAF8FFFA-F752-422A-9650-0A56422F9420}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAF8FFFA-F752-422A-9650-0A56422F9420}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAF8FFFA-F752-422A-9650-0A56422F9420}\InprocServer32]
@="C:\\WINDOWS\\system32\\wkdap32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5E4390C8-3F50-4113-943A-E639C4C40ABF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E4390C8-3F50-4113-943A-E639C4C40ABF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E4390C8-3F50-4113-943A-E639C4C40ABF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E4390C8-3F50-4113-943A-E639C4C40ABF}\InprocServer32]
@="C:\\WINDOWS\\system32\\imrnonce.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{738FD0BB-1D82-4BB0-86D7-9529C608B00E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{738FD0BB-1D82-4BB0-86D7-9529C608B00E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{738FD0BB-1D82-4BB0-86D7-9529C608B00E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{738FD0BB-1D82-4BB0-86D7-9529C608B00E}\InprocServer32]
@="C:\\WINDOWS\\system32\\vnajet32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}\InprocServer32]
@="C:\\WINDOWS\\system32\\cyetcfg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E7617006-5F39-4004-9A6A-FB5AFD8A916D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7617006-5F39-4004-9A6A-FB5AFD8A916D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7617006-5F39-4004-9A6A-FB5AFD8A916D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E7617006-5F39-4004-9A6A-FB5AFD8A916D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wsnshfhc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{61A7F6A3-5367-41FA-9673-084B8226BBD4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61A7F6A3-5367-41FA-9673-084B8226BBD4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61A7F6A3-5367-41FA-9673-084B8226BBD4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{61A7F6A3-5367-41FA-9673-084B8226BBD4}\InprocServer32]
@="C:\\WINDOWS\\system32\\kodit142.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri 2 Sep 2005 23:52:04 A.... 1,019,904 996.00 K
cdfview.dll Fri 2 Sep 2005 23:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 1:53:42 A.... 2,067,968 1.97 M
cyetcfg.dll Thu 24 Nov 2005 15:44:06 A.S.R 236,931 231.38 K
danim.dll Fri 2 Sep 2005 23:52:04 A.... 1,053,696 1.00 M
dxtrans.dll Fri 2 Sep 2005 23:52:04 A.... 205,312 200.50 K
extmgr.dll Fri 2 Sep 2005 23:52:04 A.... 55,808 54.50 K
fpnu03~1.dll Fri 25 Nov 2005 3:05:26 ..S.R 233,956 228.47 K
gdi32.dll Thu 6 Oct 2005 3:09:36 A.... 280,064 273.50 K
gprsl3~1.dll Fri 25 Nov 2005 9:54:30 ..S.R 234,521 229.02 K
h4l20e~1.dll Thu 24 Nov 2005 13:50:30 A.S.R 234,042 228.55 K
hrp405~1.dll Thu 24 Nov 2005 14:28:46 A.S.R 235,050 229.54 K
iepeers.dll Fri 2 Sep 2005 23:52:04 A.... 251,392 245.50 K
ilrdbg32.dll Thu 24 Nov 2005 11:43:30 A.S.R 234,229 228.74 K
imrnonce.dll Thu 24 Nov 2005 14:18:10 A.S.R 233,808 228.33 K
inseng.dll Fri 2 Sep 2005 23:52:04 A.... 96,256 94.00 K
k8pm0i~1.dll Thu 24 Nov 2005 12:22:12 A.S.R 237,234 231.67 K
kldbe.dll Fri 25 Nov 2005 9:55:58 ..S.R 233,956 228.47 K
kodit142.dll Thu 24 Nov 2005 16:11:06 A.S.R 236,931 231.38 K
linkinfo.dll Thu 1 Sep 2005 1:41:54 A.... 19,968 19.50 K
mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Fri 2 Sep 2005 23:52:06 A.... 448,512 438.00 K
msrating.dll Fri 2 Sep 2005 23:52:06 A.... 146,432 143.00 K
mstime.dll Fri 2 Sep 2005 23:52:06 A.... 530,432 518.00 K
nbrrhook.dll Fri 25 Nov 2005 9:07:30 ..S.R 234,521 229.02 K
pngfilt.dll Fri 2 Sep 2005 23:52:06 A.... 39,424 38.50 K
qedusapi.dll Wed 23 Nov 2005 13:47:12 A.... 45,056 44.00 K
quartz.dll Tue 30 Aug 2005 3:54:26 A.... 1,287,168 1.23 M
s0pu0a~1.dll Wed 23 Nov 2005 16:05:40 A.S.R 235,171 229.66 K
shdocvw.dll Fri 2 Sep 2005 23:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 3:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Fri 2 Sep 2005 23:52:06 A.... 473,600 462.50 K
urlmon.dll Fri 2 Sep 2005 23:52:06 A.... 608,768 594.50 K
vnajet32.dll Thu 24 Nov 2005 14:40:40 A.S.R 236,931 231.38 K
wininet.dll Fri 2 Sep 2005 23:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 1:41:54 A.... 291,840 285.00 K
wkdap32.dll Thu 24 Nov 2005 13:45:02 A.S.R 237,056 231.50 K
wsnshfhc.dll Thu 24 Nov 2005 16:01:54 A.S.R 237,236 231.68 K
wtsdmod.dll Thu 24 Nov 2005 10:57:54 A.S.R 235,893 230.36 K

39 items found: 39 files (16 H/S), 0 directories.
Total of file sizes: 26,448,042 bytes 25.22 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Fri 25 Nov 2005 10:22:58 ..S.R 233,956 228.47 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,956 bytes 228.47 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B412-975B

Directory of C:\WINDOWS\System32

25/11/2005 10:22 233,956 guard.tmp
25/11/2005 09:55 233,956 kldbe.dll
25/11/2005 09:54 234,521 gprsl3971.dll
25/11/2005 09:07 234,521 nBrrhook.dll
25/11/2005 03:06 <DIR> dllcache
25/11/2005 03:05 233,956 fpnu0359e.dll
24/11/2005 16:11 236,931 kodit142.dll
24/11/2005 16:01 237,236 wsnshfhc.dll
24/11/2005 15:44 236,931 cyetcfg.dll
24/11/2005 14:40 236,931 vnajet32.dll
24/11/2005 14:28 235,050 hrp4057qe.dll
24/11/2005 14:18 233,808 imrnonce.dll
24/11/2005 13:50 234,042 h4l20e3oeh.dll
24/11/2005 13:45 237,056 wkdap32.dll
24/11/2005 12:22 237,234 k8pm0i71e8.dll
24/11/2005 11:43 234,229 ilrdbg32.dll
24/11/2005 10:57 235,893 wtsdmod.dll
23/11/2005 16:05 235,171 s0pu0a79ed.dll
23/06/2005 21:47 <DIR> Microsoft
17 File(s) 4,001,422 bytes
2 Dir(s) 32,663,457,792 bytes free
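As an added triage example (not part of this thread or of l2mfix), the script below parses lines in the format of the system32 listing above and applies three heuristics of its own: System+ReadOnly attributes on a user-mode DLL, modification within a few days of the scan date, and a tight size cluster. The sample lines are copied from the listing; the scan date (25 Nov 2005) is taken from the thread.

```python
"""Triage a system32 listing of the kind l2mfix prints.

Added example; not part of the thread or of l2mfix. The heuristics are this
example's own: the Look2Me DLLs in the listing share System+ReadOnly
attributes, very recent timestamps and sizes within a few KB of each other.
"""
import re
from datetime import datetime, timedelta

# Scan date taken from the thread (25 November 2005).
SCAN_DATE = datetime(2005, 11, 25)

# Constructed sample: two genuine Microsoft DLLs plus four lines from the
# listing above. Format: name, weekday, date, time, attributes, bytes, size.
SAMPLE_LISTING = """\
browseui.dll Fri 2 Sep 2005 23:52:04 A.... 1,019,904 996.00 K
cyetcfg.dll Thu 24 Nov 2005 15:44:06 A.S.R 236,931 231.38 K
fpnu03~1.dll Fri 25 Nov 2005 3:05:26 ..S.R 233,956 228.47 K
gdi32.dll Thu 6 Oct 2005 3:09:36 A.... 280,064 273.50 K
kldbe.dll Fri 25 Nov 2005 9:55:58 ..S.R 233,956 228.47 K
wtsdmod.dll Thu 24 Nov 2005 10:57:54 A.S.R 235,893 230.36 K
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Za-z]{3}\s+"
    r"(?P<stamp>\d{1,2} [A-Za-z]{3} \d{4} \d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\b"
)


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(m["stamp"], "%d %b %Y %H:%M:%S"),
            "attrs": m["attrs"],  # e.g. "A.S.R": Archive, System, ReadOnly
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def flag_entries(entries, scan_date=SCAN_DATE, recent_days=7):
    """DLLs marked System and ReadOnly that changed shortly before the scan."""
    cutoff = scan_date - timedelta(days=recent_days)
    return [
        e for e in entries
        if e["name"].lower().endswith(".dll")
        and "S" in e["attrs"] and "R" in e["attrs"]
        and e["mtime"] >= cutoff
    ]


def largest_size_cluster(entries, tolerance=4096):
    """Largest group of entries whose sizes lie within `tolerance` bytes."""
    by_size = sorted(entries, key=lambda e: e["size"])
    best = []
    for i, anchor in enumerate(by_size):
        run = [e for e in by_size[i:] if e["size"] - anchor["size"] <= tolerance]
        if len(run) > len(best):
            best = run
    return best


def triage(text, scan_date=SCAN_DATE):
    """Return sorted names flagged by attributes/recency and by size cluster."""
    entries = parse_listing(text)
    return {
        "flagged": sorted(e["name"] for e in flag_entries(entries, scan_date)),
        "size_cluster": sorted(e["name"] for e in largest_size_cluster(entries)),
    }


if __name__ == "__main__":
    for label, names in triage(SAMPLE_LISTING).items():
        print(f"{label}: {', '.join(names)}")
```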

#4 Guest_Cretemonster_*

  • Guests

Posted 25 November 2005 - 09:22 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will then ask for a password: enter bye (lowercase) and hit enter.

Your desktop and icons will disappear (this is normal).

L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.

Press any key to reboot.

After the reboot notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.

#5 Random_Name

  • Topic Starter
  • Members
  • 6 posts

Posted 25 November 2005 - 09:47 AM

### l2mfix log ###

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\John Kelly\Desktop\l2mfix
C:\Documents and Settings\John Kelly\Desktop\l2mfix

Running From:
C:\Documents and Settings\John Kelly\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 504 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 588 'winlogon.exe'
Killing PID 588 'winlogon.exe'
Killing PID 588 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 228 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3764 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\cyetcfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpnu0359e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gprsl3971.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h4l20e3oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrp4057qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ilrdbg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imrnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k8pm0i71e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldbe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kodit142.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nBrrhook.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0pu0a79ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vnajet32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkdap32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wsnshfhc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtsdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\cyetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\cyetcfg.dll
deleting: C:\WINDOWS\system32\fpnu0359e.dll
Successfully Deleted: C:\WINDOWS\system32\fpnu0359e.dll
deleting: C:\WINDOWS\system32\gprsl3971.dll
Successfully Deleted: C:\WINDOWS\system32\gprsl3971.dll
deleting: C:\WINDOWS\system32\h4l20e3oeh.dll
Successfully Deleted: C:\WINDOWS\system32\h4l20e3oeh.dll
deleting: C:\WINDOWS\system32\hrp4057qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrp4057qe.dll
deleting: C:\WINDOWS\system32\ilrdbg32.dll
Successfully Deleted: C:\WINDOWS\system32\ilrdbg32.dll
deleting: C:\WINDOWS\system32\imrnonce.dll
Successfully Deleted: C:\WINDOWS\system32\imrnonce.dll
deleting: C:\WINDOWS\system32\k8pm0i71e8.dll
Successfully Deleted: C:\WINDOWS\system32\k8pm0i71e8.dll
deleting: C:\WINDOWS\system32\kldbe.dll
Successfully Deleted: C:\WINDOWS\system32\kldbe.dll
deleting: C:\WINDOWS\system32\kodit142.dll
Successfully Deleted: C:\WINDOWS\system32\kodit142.dll
deleting: C:\WINDOWS\system32\nBrrhook.dll
Successfully Deleted: C:\WINDOWS\system32\nBrrhook.dll
deleting: C:\WINDOWS\system32\s0pu0a79ed.dll
Successfully Deleted: C:\WINDOWS\system32\s0pu0a79ed.dll
deleting: C:\WINDOWS\system32\vnajet32.dll
Successfully Deleted: C:\WINDOWS\system32\vnajet32.dll
deleting: C:\WINDOWS\system32\wkdap32.dll
Successfully Deleted: C:\WINDOWS\system32\wkdap32.dll
deleting: C:\WINDOWS\system32\wsnshfhc.dll
Successfully Deleted: C:\WINDOWS\system32\wsnshfhc.dll
deleting: C:\WINDOWS\system32\wtsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wtsdmod.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: cyetcfg.dll (160 bytes security) (deflated 6%)
adding: fpnu0359e.dll (160 bytes security) (deflated 4%)
adding: gprsl3971.dll (160 bytes security) (deflated 5%)
adding: h4l20e3oeh.dll (160 bytes security) (deflated 4%)
adding: hrp4057qe.dll (160 bytes security) (deflated 5%)
adding: ilrdbg32.dll (160 bytes security) (deflated 4%)
adding: imrnonce.dll (160 bytes security) (deflated 4%)
adding: k8pm0i71e8.dll (160 bytes security) (deflated 6%)
adding: kldbe.dll (160 bytes security) (deflated 4%)
adding: kodit142.dll (160 bytes security) (deflated 6%)
adding: nBrrhook.dll (160 bytes security) (deflated 5%)
adding: s0pu0a79ed.dll (160 bytes security) (deflated 5%)
adding: vnajet32.dll (160 bytes security) (deflated 6%)
adding: wkdap32.dll (160 bytes security) (deflated 5%)
adding: wsnshfhc.dll (160 bytes security) (deflated 6%)
adding: wtsdmod.dll (160 bytes security) (deflated 5%)
adding: guard.tmp (160 bytes security) (deflated 4%)
adding: clear.reg (160 bytes security) (deflated 65%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: direct.txt (160 bytes security) (stored 0%)
adding: flag.txt (160 bytes security) (stored 0%)
adding: lo2.txt (160 bytes security) (deflated 82%)
adding: readme.txt (160 bytes security) (deflated 52%)
adding: report.txt (160 bytes security) (deflated 70%)
adding: sec.txt (160 bytes security) (stored 0%)
adding: test.txt (160 bytes security) (deflated 77%)
adding: test2.txt (160 bytes security) (deflated 45%)
adding: test3.txt (160 bytes security) (deflated 45%)
adding: test5.txt (160 bytes security) (deflated 45%)
adding: xfind.txt (160 bytes security) (deflated 71%)
adding: backregs/2166F251-660A-425F-9674-5A42DFA540C9.reg (160 bytes security) (deflated 70%)
adding: backregs/3A9964FC-B729-4EEE-ADB2-D94901FBD2E7.reg (160 bytes security) (deflated 70%)
adding: backregs/5E4390C8-3F50-4113-943A-E639C4C40ABF.reg (160 bytes security) (deflated 70%)
adding: backregs/617531F2-5E6B-4C45-BB3F-0CC372EC5E2A.reg (160 bytes security) (deflated 70%)
adding: backregs/61A7F6A3-5367-41FA-9673-084B8226BBD4.reg (160 bytes security) (deflated 70%)
adding: backregs/738FD0BB-1D82-4BB0-86D7-9529C608B00E.reg (160 bytes security) (deflated 70%)
adding: backregs/92DFB27A-2977-461F-A62A-85E4365D7B00.reg (160 bytes security) (deflated 69%)
adding: backregs/DAF8FFFA-F752-422A-9650-0A56422F9420.reg (160 bytes security) (deflated 70%)
adding: backregs/E05C9BB1-C199-4F3E-BCCB-3034A2226781.reg (160 bytes security) (deflated 70%)
adding: backregs/E7617006-5F39-4004-9A6A-FB5AFD8A916D.reg (160 bytes security) (deflated 70%)
adding: backregs/notibac.reg (160 bytes security) (deflated 87%)
adding: backregs/shell.reg (160 bytes security) (deflated 73%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: cyetcfg.dll
deleting local copy: fpnu0359e.dll
deleting local copy: gprsl3971.dll
deleting local copy: h4l20e3oeh.dll
deleting local copy: hrp4057qe.dll
deleting local copy: ilrdbg32.dll
deleting local copy: imrnonce.dll
deleting local copy: k8pm0i71e8.dll
deleting local copy: kldbe.dll
deleting local copy: kodit142.dll
deleting local copy: nBrrhook.dll
deleting local copy: s0pu0a79ed.dll
deleting local copy: vnajet32.dll
deleting local copy: wkdap32.dll
deleting local copy: wsnshfhc.dll
deleting local copy: wtsdmod.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpnu0359e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cyetcfg.dll
C:\WINDOWS\system32\fpnu0359e.dll
C:\WINDOWS\system32\gprsl3971.dll
C:\WINDOWS\system32\h4l20e3oeh.dll
C:\WINDOWS\system32\hrp4057qe.dll
C:\WINDOWS\system32\ilrdbg32.dll
C:\WINDOWS\system32\imrnonce.dll
C:\WINDOWS\system32\k8pm0i71e8.dll
C:\WINDOWS\system32\kldbe.dll
C:\WINDOWS\system32\kodit142.dll
C:\WINDOWS\system32\nBrrhook.dll
C:\WINDOWS\system32\s0pu0a79ed.dll
C:\WINDOWS\system32\vnajet32.dll
C:\WINDOWS\system32\wkdap32.dll
C:\WINDOWS\system32\wsnshfhc.dll
C:\WINDOWS\system32\wtsdmod.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{92DFB27A-2977-461F-A62A-85E4365D7B00}"=-
"{BFC95294-1BDF-4B4B-A552-F111CFE49C40}"=-
"{2166F251-660A-425F-9674-5A42DFA540C9}"=-
"{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}"=-
"{E05C9BB1-C199-4F3E-BCCB-3034A2226781}"=-
"{DAF8FFFA-F752-422A-9650-0A56422F9420}"=-
"{5E4390C8-3F50-4113-943A-E639C4C40ABF}"=-
"{738FD0BB-1D82-4BB0-86D7-9529C608B00E}"=-
"{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}"=-
"{E7617006-5F39-4004-9A6A-FB5AFD8A916D}"=-
"{61A7F6A3-5367-41FA-9673-084B8226BBD4}"=-
[-HKEY_CLASSES_ROOT\CLSID\{92DFB27A-2977-461F-A62A-85E4365D7B00}]
[-HKEY_CLASSES_ROOT\CLSID\{BFC95294-1BDF-4B4B-A552-F111CFE49C40}]
[-HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}]
[-HKEY_CLASSES_ROOT\CLSID\{617531F2-5E6B-4C45-BB3F-0CC372EC5E2A}]
[-HKEY_CLASSES_ROOT\CLSID\{E05C9BB1-C199-4F3E-BCCB-3034A2226781}]
[-HKEY_CLASSES_ROOT\CLSID\{DAF8FFFA-F752-422A-9650-0A56422F9420}]
[-HKEY_CLASSES_ROOT\CLSID\{5E4390C8-3F50-4113-943A-E639C4C40ABF}]
[-HKEY_CLASSES_ROOT\CLSID\{738FD0BB-1D82-4BB0-86D7-9529C608B00E}]
[-HKEY_CLASSES_ROOT\CLSID\{3A9964FC-B729-4EEE-ADB2-D94901FBD2E7}]
[-HKEY_CLASSES_ROOT\CLSID\{E7617006-5F39-4004-9A6A-FB5AFD8A916D}]
[-HKEY_CLASSES_ROOT\CLSID\{61A7F6A3-5367-41FA-9673-084B8226BBD4}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


### HJT log ###

Logfile of HijackThis v1.99.1
Scan saved at 14:41:13, on 25/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\DOCUME~1\JOHNKE~1\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132857491500
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
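Added example, not from the thread or from l2mfix: a parser for the Registry Editor export format shown in the log above that flags the two persistence patterns the log records, a Winlogon Notify package registered by full path (the Windows packages in the export are bare filenames such as wlnotify.dll) and an approved shell extension with an empty display name whose CLSID's InprocServer32 points at a DLL. The sample export is constructed from values in the log; the "bare filename is normal, full path is suspicious" rule is this example's own assumption.

```python
"""Parse a Windows Registry Editor 5.00 export and flag two persistence
patterns recorded in the l2mfix log above.

Added example; not part of the thread or of l2mfix. The sample export is
constructed from values in the log; the full-path rule is an assumption.
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

# Constructed sample: a benign notify package, one with a hex(2) DllName,
# the RunOnceEx entry from the log, and a named plus an unnamed approved
# shell extension together with the unnamed one's InprocServer32 key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"DllName"="C:\\WINDOWS\\system32\\fpnu0359e.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{2166F251-660A-425F-9674-5A42DFA540C9}"=""

[HKEY_CLASSES_ROOT\CLSID\{2166F251-660A-425F-9674-5A42DFA540C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\kldbe.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; hex lines ending in '\\' are joined."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation line of a multi-line hex value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = pending[1]
                pending = None
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')  # '@' stays '@' (the key's default value)
        if data.endswith("\\"):
            pending = [name, data[:-1]]
        else:
            keys[current][name] = data
    return keys


def decode_value(data):
    """Decode the raw right-hand side of a .reg value into a Python object."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):  # REG_EXPAND_SZ as little-endian UTF-16 bytes
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return None if data == "-" else data


def lookup(keys, path):
    """Case-insensitive key lookup, since registry key names are case-insensitive."""
    wanted = path.lower()
    return next((v for k, v in keys.items() if k.lower() == wanted), {})


def suspicious_notify_packages(keys):
    """Notify packages whose DllName carries a path instead of a bare filename."""
    hits, prefix = [], NOTIFY_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        raw = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if raw is None:
            continue
        dll = decode_value(raw)
        if "\\" in dll or ":" in dll:  # assumption: Windows' own packages are bare names
            hits.append((key.rsplit("\\", 1)[1], dll))
    return hits


def unnamed_approved_extensions(keys):
    """Approved shell extensions with an empty display name, with their server DLL."""
    hits = []
    for clsid, data in lookup(keys, APPROVED).items():
        if decode_value(data) != "":
            continue
        server = lookup(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").get("@")
        hits.append((clsid, decode_value(server) if server is not None else None))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print("notify packages by path:", suspicious_notify_packages(parsed))
    print("unnamed approved extensions:", unnamed_approved_extensions(parsed))
```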

#6 Random_Name

  • Topic Starter
  • Members
  • 6 posts

Posted 25 November 2005 - 09:50 AM

Looks to me like you guys have killed it. Respect to the superior cleaning skills. :thumbsup:

Thanks a lot.

Is this as bad as they get these days, or is there adware even worse than look2me?

Edited by Random_Name, 25 November 2005 - 09:51 AM.


#7 Guest_Cretemonster_*

  • Guests

Posted 25 November 2005 - 02:59 PM

Let's not count our blessings just yet.

Let's be sure nothing is left over, since I have a feeling the Hosts File will have some abnormal entries.


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet.

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post back with the results of those 2 scans.

#8 Random_Name

  • Topic Starter
  • Members
  • 6 posts

Posted 28 November 2005 - 12:24 PM

### WinPFind ###

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
qoologic 23/11/2005 17:27:40 12286124 C:\AVG7QT.DAT
urllogic 23/11/2005 17:27:40 12286124 C:\AVG7QT.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 22/08/2004 17:04:56 69120 C:\WINDOWS\daemon.dll
UPX! 24/11/2005 18:43:24 42736 C:\WINDOWS\icont.exe
UPX! 23/11/2005 13:45:22 89623 C:\WINDOWS\mrj.exe
UPX! 23/11/2005 16:12:56 38912 C:\WINDOWS\mtuninst.exe
UPX! 03/05/2005 10:44:44 25157 C:\WINDOWS\RMAgentOutput.dll
ad-w-a-r-e.com 24/11/2005 10:50:32 32594 C:\WINDOWS\setupapi.old
buddy.exe 23/11/2005 15:46:56 409551 C:\WINDOWS\svcpack.log
UPX! 10/01/2005 15:17:24 170053 C:\WINDOWS\tsc.exe

Checking %System% folder...
PEC2 04/08/2004 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 10/11/2005 21:17:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/11/2005 21:17:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 12:00:00 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 23/11/2005 16:12:56 149504 C:\WINDOWS\SYSTEM32\oins.exe
Umonitor 04/08/2004 12:00:00 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04/08/2004 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 23/11/2005 17:26:54 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 23/11/2005 17:26:54 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 23/11/2005 17:26:54 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 23/11/2005 17:26:54 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 03/08/2004 22:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
28/11/2005 13:43:22 S 2048 C:\WINDOWS\bootstat.dat
24/11/2005 11:37:32 H 24 C:\WINDOWS\p1cof
24/11/2005 18:15:56 RH 749 C:\WINDOWS\WindowsShell.Manifest
24/11/2005 18:16:06 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
24/11/2005 18:17:04 HS 67 C:\WINDOWS\Fonts\desktop.ini
23/11/2005 13:08:44 H 0 C:\WINDOWS\inf\oem18.inf
24/11/2005 18:16:06 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
23/11/2005 15:42:04 RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_13.cab
24/11/2005 18:18:10 H 483328 C:\WINDOWS\repair\ntuser.dat
24/11/2005 18:15:56 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
24/11/2005 18:16:06 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
24/11/2005 18:15:56 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
24/11/2005 18:15:56 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
24/11/2005 18:15:56 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
24/11/2005 18:16:06 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
24/11/2005 18:15:56 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
05/10/2005 20:33:38 S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
05/10/2005 01:17:40 S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
28/11/2005 13:47:12 H 12288 C:\WINDOWS\system32\config\default.LOG
24/11/2005 17:45:54 H 0 C:\WINDOWS\system32\config\default.tmp.LOG
28/11/2005 13:46:12 H 1024 C:\WINDOWS\system32\config\SAM.LOG
28/11/2005 13:43:24 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
28/11/2005 13:48:18 H 69632 C:\WINDOWS\system32\config\software.LOG
24/11/2005 17:45:54 H 0 C:\WINDOWS\system32\config\software.tmp.LOG
28/11/2005 13:47:26 H 65536 C:\WINDOWS\system32\config\system.LOG
24/11/2005 17:45:34 H 0 C:\WINDOWS\system32\config\system.tmp.LOG
24/11/2005 17:45:30 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
24/11/2005 17:45:54 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
24/11/2005 18:18:12 H 1024 C:\WINDOWS\system32\config\userdifr.LOG
24/11/2005 11:00:22 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
23/11/2005 16:02:44 S 5945 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
25/11/2005 09:55:56 S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
23/11/2005 16:02:44 S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
25/11/2005 09:55:56 S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
23/11/2005 16:02:44 S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
25/11/2005 09:55:56 S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
23/11/2005 16:02:44 S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
25/11/2005 09:55:56 S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
28/11/2005 13:42:12 H 6 C:\WINDOWS\Tasks\SA.DAT
24/11/2005 10:37:58 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
24/11/2005 10:37:58 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 04/08/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 12:00:00 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 12:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 12:00:00 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 12:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
BT, Inc. 12/12/2002 16:21:00 286720 C:\WINDOWS\SYSTEM32\gsi.cpl
Microsoft Corporation 04/08/2004 12:00:00 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 12:00:00 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 12:00:00 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 12:00:00 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 12:00:00 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 01/07/2005 17:32:56 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04/08/2004 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 12:00:00 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 12:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 12:00:00 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 12:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 12:00:00 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 12:00:00 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 12:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 12:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04/08/2004 12:00:00 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04/08/2004 12:00:00 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04/08/2004 12:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04/08/2004 12:00:00 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04/08/2004 12:00:00 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04/08/2004 12:00:00 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04/08/2004 12:00:00 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04/08/2004 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04/08/2004 12:00:00 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04/08/2004 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04/08/2004 12:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04/08/2004 12:00:00 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04/08/2004 12:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04/08/2004 12:00:00 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04/08/2004 00:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04/08/2004 12:00:00 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04/08/2004 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04/08/2004 12:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04/08/2004 12:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/11/2005 18:18:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
24/11/2005 17:48:28 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
31/08/2005 18:08:24 10 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt

Checking files in %USERPROFILE%\Startup folder...
23/06/2005 18:50:10 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
23/06/2005 19:38:58 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AGRSMMSG AGRSMMSG.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE
AVG7_Run C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
NetDDEclnt 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aaou
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item othb
hkey HKCU
command "C:\Program Files\ipee\othb.exe" -vt mt
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item othb
hkey HKCU
command "C:\Program Files\ipee\othb.exe" -vt mt
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adtech2005
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2005
hkey HKLM
command C:\windows\adtech2005.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2005
hkey HKLM
command C:\windows\adtech2005.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Apoint
hkey HKLM
command C:\Program Files\Apoint2K\Apoint.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Apoint
hkey HKLM
command C:\Program Files\Apoint2K\Apoint.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Booster
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oamSender
hkey HKLM
command C:\PROGRA~1\BTVOYA~2\oamSender.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oamSender
hkey HKLM
command C:\PROGRA~1\BTVOYA~2\oamSender.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Client Server Runtime Process
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item csrs
hkey HKLM
command C:\WINDOWS\system32\csrs.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item csrs
hkey HKLM
command C:\WINDOWS\system32\csrs.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cpqset
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cpqset
hkey HKLM
command C:\Program Files\HPQ\Default Settings\cpqset.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cpqset
hkey HKLM
command C:\Program Files\HPQ\Default Settings\cpqset.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools-1033
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeviceDiscovery
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DSLAGENTEXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dslagent
hkey HKLM
command dslagent.exe USB
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dslagent
hkey HKLM
command dslagent.exe USB
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dvdaba
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dvdaba
hkey HKCU
command C:\WINDOWS\System32\dvdaba.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dvdaba
hkey HKCU
command C:\WINDOWS\System32\dvdaba.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eabconfg.cpl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EabServr
hkey HKLM
command C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EabServr
hkey HKLM
command C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\elos
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exe82
hkey HKLM
command C:\WINDOWS\exe82.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exe82
hkey HKLM
command C:\WINDOWS\exe82.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GSICONEXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GSICON
hkey HKLM
command GSICON.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GSICON
hkey HKLM
command GSICON.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb08
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb08
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\jrm
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mrjj
hkey HKLM
command c:\windows\mrjj.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mrjj
hkey HKLM
command c:\windows\mrjj.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mrmk
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mrmkm
hkey HKCU
command C:\PROGRA~1\COMMON~1\mrmk\mrmkm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mrmkm
hkey HKCU
command C:\PROGRA~1\COMMON~1\mrmk\mrmkm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MS Home 32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mshome32
hkey HKLM
command mshome32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mshome32
hkey HKLM
command mshome32.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Registry Value Name
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item service
hkey HKLM
command service.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item service
hkey HKLM
command service.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemHelp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item remhelp
hkey HKLM
command remhelp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item remhelp
hkey HKLM
command remhelp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioDragToDisc
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DrgToDsc
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DrgToDsc
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioEngineUtility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EngUtil
hkey HKLM
command "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EngUtil
hkey HKLM
command "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\seli
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exe82
hkey HKLM
command C:\WINDOWS\exe82.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exe82
hkey HKLM
command C:\WINDOWS\exe82.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\timessquare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Vekxyhk
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Qfsu
hkey HKLM
command C:\Program Files\Hrud\Qfsu.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Qfsu
hkey HKLM
command C:\Program Files\Hrud\Qfsu.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinFixer 2005
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wfx5
hkey HKCU
command C:\Program Files\WinFixer 2005\wfx5.exe /scan
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wfx5
hkey HKCU
command C:\Program Files\WinFixer 2005\wfx5.exe /scan
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 28/11/2005 13:56:23


# KAV Online Log ###

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, November 28, 2005 17:19:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/11/2005
Kaspersky Anti-Virus database records: 161983
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34778
Number of viruses found: 9
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 1943 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658JDCO9\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IDUW7NGB\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\Documents and Settings\John Kelly\Local Settings\Temporary Internet Files\Content.IE5\6PZIABUV\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\Documents and Settings\John Kelly\Local Settings\Temporary Internet Files\Content.IE5\7QIJKU4E\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\Documents and Settings\John Kelly\Local Settings\Temporary Internet Files\Content.IE5\7QIJKU4E\AppWrap[2].exe Infected: not-a-virus:AdWare.Win32.Zestyfind
C:\Documents and Settings\John Kelly\Local Settings\Temporary Internet Files\Content.IE5\7QIJKU4E\AppWrap[3].exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\Program Files\ipee\othb.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.r
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP0\A0000003.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP2\A0000052.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP2\A0000055.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP2\A0000076.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP3\A0000618.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP3\A0000652.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000663.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000674.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000675.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000676.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000677.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000678.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000679.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000680.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000681.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000682.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000683.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000684.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000685.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000686.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000687.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx Infected: not-a-virus:AdWare.Win32.MediaTickets.f
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\v3.dll Infected: not-a-virus:AdWare.Win32.EliteBar.aq
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\v3.dll Infected: not-a-virus:AdWare.Win32.EliteBar.aq
C:\WINDOWS\icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\WINDOWS\iconu.exe Infected: not-a-virus:AdWare.Win32.Zestyfind
C:\WINDOWS\mrj.exe/mrjj.exe Infected: Trojan.Win32.LowZones.am
C:\WINDOWS\mrj.exe Infected: Trojan.Win32.LowZones.am
C:\WINDOWS\system32\qedusapi.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\Temp\bw2.com Infected: not-a-virus:AdWare.Win32.Zestyfind

Scan process completed.


P.S. I've manually removed lots of crap from the hosts file
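Two triage helpers for the material in this post, as an added example (not code from the thread, from the scanner vendor or from any of the tools named here): a parser for the "path Infected: verdict" scan lines that separates live hits from System Restore copies and adware from malware proper, and a hosts file audit of the kind the P.S. describes doing by hand. The scan lines in the sample are a subset copied from the log above; the hosts entries and the watch list of vendor domains are constructed for illustration.

```python
"""Triage helpers for a Kaspersky-style scan log and a Windows hosts file.
Added example; sample scan lines copied from the thread, hosts sample constructed."""
import ipaddress
import re
from collections import Counter

# One hit per line: "<path> Infected: <verdict>". The path may read
# "<container>/<member>" when the hit sits inside an archive or installer.
SCAN_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)$")
RESTORE_DIR = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.I)


def parse_scan_line(line):
    """Return a dict for one scan hit, or None for lines that are not hits."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    container, _, member = path.partition("/")
    return {
        "path": container,                  # file on disk
        "member": member or None,           # archive member, if any
        "verdict": verdict,
        # Kaspersky prefixes adware/riskware with "not-a-virus:"; anything
        # else (Trojan.*, Backdoor.*, ...) is treated here as malware proper.
        "malware": not verdict.startswith("not-a-virus:"),
        # Files under _restore{GUID} are System Restore snapshots, not running
        # code: they return if that restore point is applied, but they are not
        # what is opening the ad windows. Purging restore points removes them.
        "restore_point": bool(RESTORE_DIR.match(container)),
    }


def triage(log_text):
    """Split scan hits into live malware, live adware and restore-point copies."""
    hits = [h for h in map(parse_scan_line, log_text.splitlines()) if h]
    live_malware, live_adware, restore_copies = set(), set(), 0
    for h in hits:
        if h["restore_point"]:
            restore_copies += 1
        elif h["malware"]:
            live_malware.add(h["path"])
        else:
            live_adware.add(h["path"])
    return {
        "live_malware": sorted(live_malware),
        "live_adware": sorted(live_adware),
        "restore_point_copies": restore_copies,
        "verdict_counts": Counter(h["verdict"] for h in hits),
    }


# Vendor/update domains that adware of this era liked to pin in hosts so the
# machine could not fetch updates or removal tools. Assumed list, extend as needed.
WATCHLIST = ("windowsupdate.com", "microsoft.com", "symantec.com", "mcafee.com",
             "grisoft.com", "lavasoft.com", "safer-networking.org")


def audit_hosts(hosts_text):
    """Flag entries that send a name off-box, or sinkhole a watch-listed name."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((parts[0], "unparseable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
        for name in parts[1:]:
            if not local:
                findings.append((name, f"redirected to {addr}"))
            elif any(name == d or name.endswith("." + d) for d in WATCHLIST):
                findings.append((name, f"sinkholed to {addr}"))
    return findings


SAMPLE_SCAN_LOG = r"""
C:\System Volume Information\_restore{0D69DF6A-5038-48B3-AD21-826A8DA3B938}\RP4\A0000687.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\mrj.exe/mrjj.exe Infected: Trojan.Win32.LowZones.am
C:\WINDOWS\mrj.exe Infected: Trojan.Win32.LowZones.am
C:\WINDOWS\system32\qedusapi.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\Temp\bw2.com Infected: not-a-virus:AdWare.Win32.Zestyfind
Scan process completed.
"""

SAMPLE_HOSTS = """\
# constructed sample, not the customer's file
127.0.0.1       localhost
127.0.0.1       www.grisoft.com
198.51.100.7    www.google.com
0.0.0.0         ad.doubleclick.net
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCAN_LOG).items():
        print(f"{key}: {value}")
    for name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} {reason}")
```

The split matters for the order of work: the live trojans in C:\WINDOWS and system32 are what to chase first, the adware installers can be deleted, and the restore-point copies disappear once System Restore is turned off and back on after the cleanup. In the hosts audit, a null-routed ad domain is left alone because that is a legitimate blocking technique; only off-box redirects and sinkholed vendor names are reported.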

#9 Guest_Cretemonster_*

  • Guests

Posted 28 November 2005 - 02:53 PM

First things first, let's make sure Apropos is nowhere to be found on the PC, then we will proceed with cleaning up the rest of the mess.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. Allow the tool time to finish.


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make sure "Normal Startup - load all device drivers and services" has a green tick by it

Click Apply>>Close>>Follow the Prompts to Restart


Reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Edited by Cretemonster, 28 November 2005 - 02:56 PM.


#10 Random_Name

  • Topic Starter
  • Members
  • 6 posts

Posted 07 December 2005 - 04:30 AM

Just to let you know the laptop has gone back. Last week has been a bit hectic here, so I never got round to finishing it off - it should be good enough though. Thanks a lot for all your help.



