Jkkjg.dll


This topic is locked
12 replies to this topic

#1 Jatycre

Jatycre

  • Members
  • 11 posts

Posted 02 August 2006 - 01:33 AM

This is really bad. Whatever this is keeps shutting my computer off at random intervals of running time. I can run in safe mode with no problems, but normal mode only runs for a couple of minutes or so and then, boom, black screen, reboot.


Logfile of HijackThis v1.99.1
Scan saved at 11:25:08 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JT\LOCALS~1\Temp\Rar$EX00.906\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\iiffffe.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149491355625
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: iiffffe - C:\WINDOWS\SYSTEM32\iiffffe.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



#2 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 02 August 2006 - 03:54 AM

Hi,

You have several infections, so it will take several steps. Please follow these instructions.

• Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

- Save the file to your Desktop and double-click l2mfix.exe
- Click the Install button to extract the files and follow the prompts.
- Then open the newly-added l2mfix folder on your Desktop.
- Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter.
- This will scan your computer, and it may appear nothing is happening. After a minute or two, Notepad will open with a log.
- Copy the contents of this log to paste in your reply.

IMPORTANT: Do NOT run option #2 OR any other options in the l2mfix folder until you are asked to do so! This Fix must NOT be run in Safe Mode for it to work.

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications - choose 'close' to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


• Post back with the log generated by L2mfix and a new HijackThis log.
Take only memories, leave nothing but footprints.

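The Winlogon/notify section of the L2MFix Find Log requested above is a .reg export of HKLM\...\Winlogon\Notify, the persistence point the helper is checking. Here is an added example (mine, not part of the thread or of L2MFix) that parses such a dump, decodes the hex(2) REG_EXPAND_SZ values, and flags Notify handlers that are not stock Windows XP notification packages or that load from outside System32. The allow-list and the sample dump are constructed from the entry format seen in such logs, not taken from any Microsoft reference.

```python
"""Triage Winlogon\\Notify handlers from an L2MFix-style Find Log .reg dump."""
import re

# Notification packages that ship with Windows XP and appear in a clean
# Winlogon\Notify dump (allow-list assumed for this example from the stock
# entries such logs contain; extend it for your own baseline).
KNOWN_GOOD_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wgalogon.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
NOTIFY_MARKER = "\\winlogon\\notify\\"

# Constructed sample in the L2MFix "Winlogon/notify" dump format (values
# modelled on entries seen in such logs; not a capture from any real machine).
SAMPLE_FIND_LOG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffffe]
"Asynchronous"=dword:00000001
"DllName"="iiffffe.dll"
"Logon"="Logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\polymorphreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\polymorph.dll"
"Startup"="polymorphreg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32]
"DllName"=hex(2):77,00,69,00,6e,00,6d,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="MemMMView7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
"""


def decode_reg_value(raw):
    """Decode one .reg value: "string" (REG_SZ, backslashes doubled),
    hex(2):.. (REG_EXPAND_SZ as UTF-16LE bytes) or dword:XXXXXXXX."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le").rstrip("\x00")
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return raw  # unknown value type: keep the literal text


def parse_reg_dump(text):
    """Return {subkey: {value_name: value}} for every Winlogon\\Notify subkey.
    Keys elsewhere in the dump are ignored."""
    # .reg exports wrap long hex values: a line ending in ",\" continues on
    # the next (indented) line, so stitch those back together first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(NOTIFY_MARKER)
            current = None
            if idx != -1:
                current = path[idx + len(NOTIFY_MARKER):]
                keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def triage_notify(keys):
    """Flag Notify subkeys whose DllName is not a stock notification package
    or is loaded from outside System32. Returns {subkey: [reasons]}."""
    findings = {}
    for subkey, values in keys.items():
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        low = dll.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" in low and not low.startswith(SYSTEM_DIRS):
            reasons.append("loaded from outside System32: " + dll)
        if base not in KNOWN_GOOD_DLLS:
            reasons.append("not a stock Windows XP notification package: " + base)
        if reasons:
            findings[subkey] = reasons
    return findings


if __name__ == "__main__":
    for subkey, reasons in triage_notify(parse_reg_dump(SAMPLE_FIND_LOG)).items():
        print("Winlogon\\Notify\\" + subkey)
        for reason in reasons:
            print("   - " + reason)
```

Run against the sample, the stock crypt32chain and cscdll entries pass while iiffffe, polymorphreg and winm32 are reported, which is the same distinction a helper draws by eye when reading such a log.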

#3 Jatycre

Jatycre
  • Topic Starter

  • Members
  • 11 posts

Posted 02 August 2006 - 01:30 PM

OK, here is the l2mfix log.


L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\20242402reg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\20242402.dll"
"Startup"="20242402reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffffe]
"Asynchronous"=dword:00000001
"DllName"="iiffffe.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\polymorphreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\polymorph.dll"
"Startup"="polymorphreg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32]
"secureUID"="[20350092072783140796]"
"DllName"=hex(2):77,00,69,00,6e,00,6d,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Startup"="MemMMView7"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winpsa32]
"Asynchronous"=dword:00000001
"DllName"="winpsa32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"="PowerISO"
"{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"="ATS Context Menu Shell Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}"="Messenger Sharing Folders"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Tue May 9 2006 10:23:00p A.... 1,022,976 999.00 K
capicom.dll Mon May 15 2006 6:24:34p A.... 466,944 456.00 K
cdfview.dll Tue May 9 2006 10:23:00p A.... 151,040 147.50 K
danim.dll Tue May 9 2006 10:23:00p A.... 1,054,208 1.00 M
dhcpcsvc.dll Fri May 19 2006 5:59:42a A.... 111,616 109.00 K
dnsapi.dll Fri May 19 2006 5:59:42a A.... 148,480 145.00 K
dxinpu~1.dll Tue Jul 11 2006 7:33:36p A.... 36,864 36.00 K
dxtmsft.dll Tue May 9 2006 10:23:00p A.... 357,888 349.50 K
dxtrans.dll Tue May 9 2006 10:23:00p A.... 205,312 200.50 K
extmgr.dll Tue May 9 2006 10:23:00p A.... 55,808 54.50 K
iepeers.dll Tue May 9 2006 10:23:00p A.... 251,392 245.50 K
iiffffe.dll Mon Jul 31 2006 4:12:34a A.SH. 40,973 40.01 K
inseng.dll Tue May 9 2006 10:23:00p A.... 96,256 94.00 K
iphlpapi.dll Fri May 19 2006 5:59:42a A.... 94,720 92.50 K
ixt0.dll Tue Aug 1 2006 9:09:24p A.... 46,592 45.50 K
ixt1.dll Tue Aug 1 2006 9:34:42p A.... 46,592 45.50 K
ixt2.dll Tue Aug 1 2006 9:56:26p A.... 46,592 45.50 K
ixt3.dll Tue Aug 1 2006 11:20:58p A.... 46,592 45.50 K
ixt4.dll Wed Aug 2 2006 11:19:42a A.... 46,592 45.50 K
jgdw400.dll Thu Jun 1 2006 11:47:08a A.... 163,840 160.00 K
jgpl400.dll Thu Jun 1 2006 11:47:08a A.... 27,648 27.00 K
jscript.dll Wed May 17 2006 11:43:58a A.... 465,864 454.95 K
jsproxy.dll Tue May 9 2006 10:23:00p A.... 16,384 16.00 K
legitc~1.dll Mon Jun 19 2006 4:19:42p A.... 571,184 557.80 K
mshtml.dll Fri May 19 2006 8:08:32a A.... 3,052,544 2.91 M
mshtmled.dll Tue May 9 2006 10:23:02p A.... 448,512 438.00 K
msrating.dll Tue May 9 2006 10:23:02p A.... 146,432 143.00 K
mstime.dll Tue May 9 2006 10:23:02p A.... 532,480 520.00 K
pngfilt.dll Tue May 9 2006 10:23:02p A.... 39,424 38.50 K
rasmans.dll Thu Jun 22 2006 3:47:18a A.... 181,248 177.00 K
shdocvw.dll Mon May 29 2006 8:30:34a A.... 1,494,016 1.42 M
shlwapi.dll Tue May 9 2006 10:23:02p A.... 474,112 463.00 K
sirenacm.dll Fri Jun 16 2006 2:34:44p A.... 48,936 47.79 K
urlmon.dll Tue May 9 2006 10:23:02p A.... 613,888 599.50 K
wgalogon.dll Mon Jun 19 2006 4:20:42p A.... 702,768 686.30 K
wininet.dll Tue May 9 2006 10:23:04p A.... 658,432 643.00 K
winpsa32.dll Wed Jul 12 2006 5:00:22p ..... 18,432 18.00 K
xpsp3res.dll Thu May 11 2006 1:23:24a A.... 24,576 24.00 K

38 items found: 38 files (1 H/S), 0 directories.
Total of file sizes: 14,008,157 bytes 13.36 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
1.tmp Sat May 13 2006 11:57:10p A.... 367 0.36 K
acbeg.tmp Sat Jul 22 2006 1:21:52a A.SH. 883,725 863.01 K
gjkkj.tmp Sat Jul 29 2006 2:03:04a A.SH. 1,002,095 978.61 K
mcrh.tmp Mon Jul 31 2006 9:53:20a A.... 143 0.14 K

4 items found: 4 files (2 H/S), 0 directories.
Total of file sizes: 1,886,330 bytes 1.80 M
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60EC-09FE

Directory of C:\WINDOWS\System32

08/01/2006 09:22 PM <DIR> dllcache
07/31/2006 03:47 PM 360 gjkkj.ini2
07/31/2006 04:12 AM 40,973 iiffffe.dll
07/29/2006 02:03 AM 1,002,095 gjkkj.tmp
07/22/2006 01:26 AM 878,831 acbeg.ini2
07/22/2006 01:25 AM 878,924 acbeg.bak2
07/22/2006 01:21 AM 883,725 acbeg.tmp
07/21/2006 08:37 PM 878,819 acbeg.bak1
07/02/2006 12:39 AM <DIR> Microsoft
04/05/2001 06:43 AM 94,208 msstkprp.dll
8 File(s) 4,657,935 bytes
2 Dir(s) 2,665,226,240 bytes free

And here is another Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 11:20:43 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JT\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\iiffffe.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149491355625
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: iiffffe - C:\WINDOWS\SYSTEM32\iiffffe.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



I was lucky enough to get it to run in normal mode long enough to get each in normal mode rather than safe mode.

#4 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:07:38 PM

Posted 02 August 2006 - 05:28 PM

Hi,

Please follow these directions. Close ALL programs you have open since this step requires a reboot.

• Go to the l2mfix folder on your Desktop and double-click l2mfix.bat.
- Select option 2 for Run Fix by typing 2 and then press Enter.
- The process will then start. Your Desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it is finished, it will be ready for a reboot.
- Press any key to reboot.
- After the reboot, Notepad will open with a log. Copy the contents of this log to paste in your reply.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!

If, after the reboot, the log does not open, double-click on it in the l2mfix folder.

• Post back with the log generated by L2mfix and a new HijackThis log.
Take only memories, leave nothing but footprints.


#5 Jatycre

Jatycre
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:38 PM

Posted 02 August 2006 - 05:58 PM

Ok I've got a problem. The computer keeps getting rebooted before the process can finish. I'm running in safe mode with networking right now, but you can't use the fix in safe mode. I've tried quite a few times already. I've only been able to get finished with the scanning passes, and then the computer gets rebooted. I don't know what it is, but every time I start this thing up in normal mode, I only get a few minutes of running time, and then it just magically reboots itself.



EDIT: Ok I got lucky, I was able to complete the fix, but it didn't seem to fix any of the problems.


L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\20242402reg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\20242402.dll"
"Startup"="20242402reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffffe]
"Asynchronous"=dword:00000001
"DllName"="iiffffe.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\polymorphreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\polymorph.dll"
"Startup"="polymorphreg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,5c,be,51,65,58,8c,23,4a,b3,44,72,6f,6e,e4,23,e0,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,b2,b6,69,e7,45,83,8a,a4,\
5a,f7,ed,85,ac,39,eb,1c,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,51,\
02,da,7f,bf,39,39,b4,e0,10,91,7f,78,34,ec,bc,08,06,00,00,10,55,ad,d3,a3,e3,\
1c,1f,1a,3a,5e,01,9e,98,5f,7a,19,2c,e0,b9,30,c5,2b,ce,60,40,39,2e,86,ce,19,\
4c,81,fc,c9,a1,70,81,5d,d5,2b,03,41,cc,21,ac,a1,3a,93,31,1a,6d,72,0c,9c,9e,\
47,b9,fc,f8,3a,74,67,0b,0b,6b,ef,39,4d,04,f8,2e,ec,5d,57,1a,26,70,e9,54,2b,\
b5,b7,55,92,33,8d,d9,07,0f,d9,f6,8d,b9,6a,46,61,67,df,81,5d,51,b1,5e,15,3f,\
b5,dc,66,be,28,5e,41,5a,fc,97,d8,ca,a8,97,6b,b4,1d,00,93,0a,ce,13,f2,b9,79,\
b9,d2,b0,51,4b,d8,a1,43,1b,7e,6c,e3,fe,11,e8,69,c0,1e,c2,38,bf,7d,34,d5,01,\
43,66,da,e5,0c,27,ea,0a,73,02,dd,9a,c7,15,dd,23,2c,82,1d,1f,1a,60,21,67,bf,\
33,70,59,b2,57,33,a7,fc,fb,30,d6,f9,a0,8c,8c,d1,78,36,93,d0,24,97,e2,7b,e3,\
86,ac,4d,e2,6a,5f,bd,e4,fe,1e,0f,fe,9c,c7,33,44,b0,53,62,05,4e,bc,4f,55,f8,\
52,8b,7d,aa,4f,bb,5a,3d,fd,fa,fc,5c,49,e0,38,2c,b5,be,61,36,ac,ea,9a,f2,8b,\
78,d4,74,44,08,2b,03,2a,6c,39,8d,a7,98,ae,a1,a9,07,d7,21,24,26,41,25,52,b1,\
91,7d,1d,f8,a5,74,78,4c,9d,b0,4e,f9,4c,58,cb,b9,b8,6d,58,9f,c2,92,42,4a,ff,\
81,73,7a,f8,e7,45,4d,07,33,fc,94,bc,7c,d8,d6,1d,ab,a5,e2,56,a5,2e,ad,14,9c,\
6c,32,6c,7d,22,74,47,11,08,7f,da,a6,bf,32,57,77,66,43,7a,72,a7,9c,1d,7c,99,\
ee,27,00,e3,fd,b6,17,6b,e5,10,73,05,96,17,44,41,89,ee,46,c8,27,ad,c1,2d,09,\
25,01,db,74,cf,79,5d,a4,d6,e0,fb,80,18,31,60,ff,a6,d9,44,8c,28,9e,9b,6d,5c,\
7e,4f,b2,a2,14,c9,88,f0,ac,ac,74,a4,30,5d,f1,1d,64,b5,10,d0,4d,1e,ea,bf,b1,\
01,32,ab,09,e6,45,df,0b,d3,7f,b2,ba,53,58,d3,b3,6a,df,e7,93,cd,b4,30,a7,5f,\
a3,39,54,02,25,7b,68,9d,c7,68,ee,69,bb,66,81,8c,92,97,0b,97,f0,35,95,21,1e,\
53,1a,19,62,05,28,e0,d1,63,73,94,8b,ad,ca,54,a3,be,89,19,27,04,35,32,25,bf,\
e6,77,b7,73,a6,aa,76,e7,8e,4f,e9,c5,07,07,50,0b,fc,4a,08,a4,57,d3,5c,69,e8,\
fa,d5,4c,1f,b7,5f,1a,16,8f,37,bf,1c,b3,d9,bf,f5,3c,61,66,ea,7f,f1,92,63,5b,\
e8,ef,8d,47,12,25,28,28,d5,e5,43,74,c9,ce,e7,72,e2,20,16,88,41,3c,92,ba,db,\
45,c6,5f,bf,15,28,08,2b,6f,ab,f5,5d,71,9b,2a,99,dd,eb,66,34,86,c5,cd,17,56,\
70,f3,65,b9,9d,10,73,a4,e5,ad,f3,e2,0a,15,d7,95,4a,e8,d8,fe,27,83,03,2c,42,\
d3,3a,ec,d1,d2,0e,49,c0,bb,5b,1b,a2,c6,b2,dc,9e,95,55,a9,a4,31,53,9f,98,c7,\
85,3b,91,c6,19,46,63,8f,4d,4e,36,5c,b3,55,79,af,10,76,0e,22,d4,31,b6,2e,bb,\
0c,c7,63,54,f8,c1,6f,3c,6d,44,58,55,df,86,b6,69,b7,45,db,0c,0b,8c,51,eb,9d,\
53,58,ad,ec,8e,0f,a3,45,25,f9,af,4c,ce,14,0c,9d,80,9c,33,00,de,76,0a,33,c1,\
cb,e0,81,62,8e,6a,8c,4a,62,a1,22,cd,05,0e,17,3f,4c,02,97,60,67,22,8d,a7,c3,\
bb,fe,e5,c3,a9,6c,82,40,34,a9,f2,6f,ec,8e,88,a1,6f,da,e6,ae,7c,c0,01,ac,55,\
31,4c,1f,cd,2a,73,1a,7c,67,65,e0,fa,ec,8c,31,6c,70,ca,35,bd,00,7f,3a,92,7b,\
80,e3,ae,c6,ed,d8,08,0b,5f,a0,ec,de,f1,a7,b7,e7,55,33,50,a2,14,e4,53,02,68,\
4e,22,9e,a2,27,f3,1b,e1,3f,d5,65,0b,8d,e9,59,77,98,d7,96,8f,8b,89,b1,3c,a0,\
2d,e4,6c,43,47,61,66,d9,bc,e8,90,f4,5c,6d,29,7e,96,1a,2a,6e,9e,b3,e2,3e,37,\
ce,33,dc,4e,26,4a,84,51,3a,60,21,1e,b7,86,09,21,d7,22,6f,eb,f8,db,97,59,d2,\
21,b5,73,0d,db,c4,7e,98,49,f4,44,2b,da,02,55,a9,73,3e,0b,97,40,5a,8a,9d,e8,\
78,a4,2b,30,fb,9c,c0,22,e3,f8,04,e4,14,2a,5c,fe,ca,5e,06,4b,27,38,0c,74,5d,\
c6,1f,0b,0f,f6,14,d0,38,2e,80,a1,71,c6,36,0a,b8,30,54,bd,3a,21,86,b8,1c,de,\
1c,6f,24,cf,2b,b4,45,6d,83,1a,0c,3b,25,69,d2,32,af,3e,76,69,12,3e,a0,22,ab,\
10,30,e1,39,fc,06,44,79,64,06,74,16,ec,58,7d,42,07,8e,0c,f1,6c,16,43,35,31,\
3e,2d,fe,8a,3f,96,be,88,e2,b5,8c,a9,00,b7,47,d0,5f,bb,9c,1b,81,e3,e8,5a,2f,\
78,4e,88,d7,b4,5e,f7,76,25,6c,d7,14,48,a9,07,67,13,84,a1,f8,d1,cb,22,07,13,\
2a,36,dc,73,7a,a1,5e,2f,68,e9,e6,f0,c5,09,25,a3,07,6b,15,ee,80,e3,3f,d9,bb,\
19,04,2c,28,79,31,c0,03,80,e6,70,a5,12,a0,ce,9c,7b,81,ee,4e,88,df,87,8d,2f,\
06,ad,4d,de,d4,9a,4d,44,7c,79,fa,1b,7f,b7,3c,b6,bb,61,c2,41,ab,55,1e,6f,0b,\
18,11,8d,1d,a7,bf,a1,85,ef,2b,7e,8e,22,05,9b,42,0e,3f,51,85,e2,81,b1,78,f2,\
5b,03,d5,cc,1f,46,c4,2f,71,ea,cf,5c,cf,e7,8a,41,f0,ab,29,23,fd,62,97,30,d0,\
1e,65,3a,0e,51,a4,08,d6,0d,5b,1c,b8,73,1c,e2,3a,2b,59,e5,60,29,89,4d,1d,15,\
1a,fd,43,88,8f,7a,16,69,12,bd,53,3d,96,42,8c,aa,99,9e,71,88,dc,d2,14,04,82,\
49,b1,9f,2c,00,6d,95,ba,1b,bb,ab,45,83,3b,46,5f,70,31,c4,73,13,7d,3e,83,c4,\
0a,43,15,d9,72,5c,9f,fa,44,9b,97,d4,7b,2e,f7,fc,ed,e1,09,51,16,fa,d5,8d,eb,\
be,4b,d5,dd,be,d7,b7,70,51,8d,65,a0,67,9c,5d,71,45,0a,0e,75,bd,e9,c1,e8,c6,\
36,29,ba,0a,9d,f6,5f,eb,46,82,33,ef,87,77,3a,f3,f3,07,7e,9c,9e,d8,4b,26,73,\
61,10,c4,4a,31,15,46,cb,d1,e2,9d,e0,b2,88,b0,70,9f,37,1d,30,89,a7,71,01,74,\
1d,36,25,99,03,78,cf,2e,63,e7,be,8d,51,ca,7f,ec,df,90,e5,fd,f3,80,4c,3b,b6,\
d1,1d,f9,bd,97,8a,59,f1,c9,43,67,75,8c,21,67,04,db,b7,82,1e,23,7a,9c,0a,7d,\
7e,e2,58,b3,fd,83,64,d3,28,40,57,53,21,a2,cf,56,35,eb,2c,b3,1a,ea,80,7c,9c,\
b1,c9,fe,f9,33,79,e0,ef,9c,1d,cf,75,02,1c,84,9e,70,84,06,2f,b3,00,e2,fc,d1,\
a4,6b,2e,64,87,ab,ab,e1,5c,24,75,fe,ef,1f,6c,b7,a7,a1,6c,80,49,68,c6,f6,23,\
48,e5,81,eb,57,cf,40,a4,12,0b,8d,4a,fb,34,93,cd,cc,af,5f,8a,99,03,1e,49,88,\
b5,96,89,fc,70,ae,9f,3c,d7,7f,0c,2f,cf,14,00,00,00,64,09,75,cd,40,17,6c,af,\
39,a3,15,cf,9b,a7,19,b8,01,b1,f0,cd

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32]
"secureUID"="[20350092072783140796]"
"DllName"=hex(2):77,00,69,00,6e,00,6d,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Startup"="MemMMView7"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winpsa32]
"Asynchronous"=dword:00000001
"DllName"="winpsa32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"="PowerISO"
"{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"="ATS Context Menu Shell Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}"="Messenger Sharing Folders"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Tue May 9 2006 10:23:00p A.... 1,022,976 999.00 K
capicom.dll Mon May 15 2006 6:24:34p A.... 466,944 456.00 K
cdfview.dll Tue May 9 2006 10:23:00p A.... 151,040 147.50 K
danim.dll Tue May 9 2006 10:23:00p A.... 1,054,208 1.00 M
dhcpcsvc.dll Fri May 19 2006 5:59:42a A.... 111,616 109.00 K
dnsapi.dll Fri May 19 2006 5:59:42a A.... 148,480 145.00 K
dxinpu~1.dll Tue Jul 11 2006 7:33:36p A.... 36,864 36.00 K
dxtmsft.dll Tue May 9 2006 10:23:00p A.... 357,888 349.50 K
dxtrans.dll Tue May 9 2006 10:23:00p A.... 205,312 200.50 K
extmgr.dll Tue May 9 2006 10:23:00p A.... 55,808 54.50 K
iepeers.dll Tue May 9 2006 10:23:00p A.... 251,392 245.50 K
iiffffe.dll Mon Jul 31 2006 4:12:34a A.SH. 40,973 40.01 K
inseng.dll Tue May 9 2006 10:23:00p A.... 96,256 94.00 K
iphlpapi.dll Fri May 19 2006 5:59:42a A.... 94,720 92.50 K
ixt0.dll Tue Aug 1 2006 9:09:24p A.... 46,592 45.50 K
ixt1.dll Tue Aug 1 2006 9:34:42p A.... 46,592 45.50 K
ixt2.dll Tue Aug 1 2006 9:56:26p A.... 46,592 45.50 K
ixt3.dll Tue Aug 1 2006 11:20:58p A.... 46,592 45.50 K
ixt4.dll Wed Aug 2 2006 5:43:34p A.... 46,592 45.50 K
jgdw400.dll Thu Jun 1 2006 11:47:08a A.... 163,840 160.00 K
jgpl400.dll Thu Jun 1 2006 11:47:08a A.... 27,648 27.00 K
jscript.dll Wed May 17 2006 11:43:58a A.... 465,864 454.95 K
jsproxy.dll Tue May 9 2006 10:23:00p A.... 16,384 16.00 K
legitc~1.dll Mon Jun 19 2006 4:19:42p A.... 571,184 557.80 K
mshtml.dll Fri May 19 2006 8:08:32a A.... 3,052,544 2.91 M
mshtmled.dll Tue May 9 2006 10:23:02p A.... 448,512 438.00 K
msrating.dll Tue May 9 2006 10:23:02p A.... 146,432 143.00 K
mstime.dll Tue May 9 2006 10:23:02p A.... 532,480 520.00 K
pngfilt.dll Tue May 9 2006 10:23:02p A.... 39,424 38.50 K
rasmans.dll Thu Jun 22 2006 3:47:18a A.... 181,248 177.00 K
shdocvw.dll Mon May 29 2006 8:30:34a A.... 1,494,016 1.42 M
shlwapi.dll Tue May 9 2006 10:23:02p A.... 474,112 463.00 K
sirenacm.dll Fri Jun 16 2006 2:34:44p A.... 48,936 47.79 K
urlmon.dll Tue May 9 2006 10:23:02p A.... 613,888 599.50 K
wgalogon.dll Mon Jun 19 2006 4:20:42p A.... 702,768 686.30 K
wininet.dll Tue May 9 2006 10:23:04p A.... 658,432 643.00 K
winpsa32.dll Wed Jul 12 2006 5:00:22p ..... 18,432 18.00 K
xpsp3res.dll Thu May 11 2006 1:23:24a A.... 24,576 24.00 K

38 items found: 38 files (1 H/S), 0 directories.
Total of file sizes: 14,008,157 bytes 13.36 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
1.tmp Sat May 13 2006 11:57:10p A.... 367 0.36 K
acbeg.tmp Sat Jul 22 2006 1:21:52a A.SH. 883,725 863.01 K
gjkkj.tmp Sat Jul 29 2006 2:03:04a A.SH. 1,002,095 978.61 K
mcrh.tmp Mon Jul 31 2006 9:53:20a A.... 143 0.14 K

4 items found: 4 files (2 H/S), 0 directories.
Total of file sizes: 1,886,330 bytes 1.80 M
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60EC-09FE

Directory of C:\WINDOWS\System32

08/01/2006 09:22 PM <DIR> dllcache
07/31/2006 03:47 PM 360 gjkkj.ini2
07/31/2006 04:12 AM 40,973 iiffffe.dll
07/29/2006 02:03 AM 1,002,095 gjkkj.tmp
07/22/2006 01:26 AM 878,831 acbeg.ini2
07/22/2006 01:25 AM 878,924 acbeg.bak2
07/22/2006 01:21 AM 883,725 acbeg.tmp
07/21/2006 08:37 PM 878,819 acbeg.bak1
07/02/2006 12:39 AM <DIR> Microsoft
04/05/2001 06:43 AM 94,208 msstkprp.dll
8 File(s) 4,657,935 bytes
2 Dir(s) 2,677,776,384 bytes free



Logfile of HijackThis v1.99.1
Scan saved at 5:44:21 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JT\LOCALS~1\Temp\Rar$EX00.937\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\iiffffe.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149491355625
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: iiffffe - C:\WINDOWS\SYSTEM32\iiffffe.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by Jatycre, 02 August 2006 - 07:54 PM.


#6 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 03 August 2006 - 03:40 AM

Hi,

• HijackThis was not properly extracted, and you are currently running HijackThis from a "Temp" folder. It needs to be in its own folder because it makes backups each time you fix an entry.
Please download the current version from here and save it to a convenient location. This is a self-executing file, so just double-click the file and it will install itself in its own folder in Program Files. You may delete the other version.

• Download KillBox by Option^Explicit and save it to your Desktop.

Double-click KillBox.exe to open KillBox
Select the option "Delete on reboot".
Click the button: All Files (Important!!)
Now it should flash green.

• Now copy the following part in bold print:

C:\WINDOWS\SYSTEM32\winm32.dll
C:\WINDOWS\SYSTEM32\winpsa32.dll


Open 'File' in the KillBox menu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Note: Killbox will let you know if a file does not exist.
Killbox will tell you that all listed files will be removed on next reboot and will ask if you would like to Reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

• Please download VundoFix.exe and save it to your desktop.
- Double-click VundoFix.exe to run it
- Put a check next to Run Vundo Fix as a task
- You will receive a message saying Vundofix will close and re-open in a minute or two
- Click OK
- When VundoFix re-opens, click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will shutdown your computer
- Click OK
- Turn your computer back on.

Please run VundoFix only one time.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Take only memories, leave nothing but footprints.


#7 Jatycre

Jatycre
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 03 August 2006 - 06:38 PM

Ok, followed all instructions and set up HijackThis the right way.


Vundofix found no infected files.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 4:25:03 PM 8/3/2006

Listing files found while scanning....

No infected files were found.




Logfile of HijackThis v1.99.1
Scan saved at 4:28:58 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\iiffffe.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149491355625
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: iiffffe - C:\WINDOWS\SYSTEM32\iiffffe.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by Jatycre, 04 August 2006 - 12:24 AM.


#8 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 04 August 2006 - 12:35 AM

Hi,

Well, the vundo infection is still there, so please do the following.

• Download VirtumundoBeGone.exe:
1. Save it to your Desktop.
2. Locate and double-click VirtumundoBeGone.exe to run it.
3. Follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message. It is normal and expected.
4. When finished, it will create a log named vbg.txt on your desktop.

• Reboot your computer.

• Post back with the contents of the vbg.txt and a new HiJackThis log.

Edited by waterfalls, 04 August 2006 - 12:36 AM.

Take only memories, leave nothing but footprints.


#9 Jatycre

Jatycre
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 04 August 2006 - 01:24 AM

Ok, ran the fix, and got a new Hijackthis log. Seems to have done something, but XP is still crashing in normal mode. By the way, if I disable reboot on failure, and let Windows crash into the blue STOP screen, it says that a driver called Winm64.sys is the reason for the failure. I don't seem to remember any of my drivers, system, or hardware, being named Winm64.sys. I dunno if any of that info helped at all, but I thought I'd throw it out there just in case.


[07/31/2006, 15:51:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\JT\Desktop\VirtumundoBeGone.exe" )
[07/31/2006, 15:51:38] - Detected System Information:
[07/31/2006, 15:51:38] - Windows Version: 5.1.2600, Service Pack 2
[07/31/2006, 15:51:38] - Current Username: JT (Admin)
[07/31/2006, 15:51:38] - Windows is in SAFE mode with Networking.
[07/31/2006, 15:51:38] - Searching for Browser Helper Objects:
[07/31/2006, 15:51:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2006, 15:51:38] - BHO 2: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
[07/31/2006, 15:51:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2006, 15:51:38] - Checking for HKLM\...\Winlogon\Notify\ixt0
[07/31/2006, 15:51:38] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[07/31/2006, 15:51:38] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/31/2006, 15:51:38] - BHO 4: {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} (ToolBar888)
[07/31/2006, 15:51:38] - BHO 5: {E521797A-22DE-4B46-8B2F-8E98AB77B942} ()
[07/31/2006, 15:51:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2006, 15:51:38] - Checking for HKLM\...\Winlogon\Notify\iiffffe
[07/31/2006, 15:51:38] - Found: HKLM\...\Winlogon\Notify\iiffffe - This is probably Virtumundo.
[07/31/2006, 15:51:38] - Assigning {E521797A-22DE-4B46-8B2F-8E98AB77B942} MSEvents Object
[07/31/2006, 15:51:38] - BHO list has been changed! Starting over...
[07/31/2006, 15:51:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2006, 15:51:38] - BHO 2: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
[07/31/2006, 15:51:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2006, 15:51:38] - Checking for HKLM\...\Winlogon\Notify\ixt0
[07/31/2006, 15:51:38] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[07/31/2006, 15:51:38] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/31/2006, 15:51:38] - BHO 4: {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} (ToolBar888)
[07/31/2006, 15:51:38] - BHO 5: {E521797A-22DE-4B46-8B2F-8E98AB77B942} (MSEvents Object)
[07/31/2006, 15:51:38] - ALERT: Found MSEvents Object!
[07/31/2006, 15:51:39] - Finished Searching Browser Helper Objects
[07/31/2006, 15:51:39] - *** Detected MSEvents Object
[07/31/2006, 15:51:39] - Trying to remove MSEvents Object...
[07/31/2006, 15:51:40] - Terminating Process: IEXPLORE.EXE
[07/31/2006, 15:51:40] - Terminating Process: RUNDLL32.EXE
[07/31/2006, 15:51:40] - Disabling Automatic Shell Restart
[07/31/2006, 15:51:40] - Terminating Process: EXPLORER.EXE
[07/31/2006, 15:51:41] - Suspending the NT Session Manager System Service
[07/31/2006, 15:51:41] - Terminating Windows NT Logon/Logoff Manager
[07/31/2006, 15:51:41] - Re-enabling Automatic Shell Restart
[07/31/2006, 15:51:41] - File to disable: C:\WINDOWS\system32\iiffffe.dll
[07/31/2006, 15:51:41] - Renaming C:\WINDOWS\system32\iiffffe.dll -> C:\WINDOWS\system32\iiffffe.dll.vir
[07/31/2006, 15:51:42] - ! File rename was unsucessful.
[07/31/2006, 15:51:42] - Attempting to Deny Access to C:\WINDOWS\system32\iiffffe.dll
[07/31/2006, 15:51:42] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[07/31/2006, 15:51:42] - processed file: C:\WINDOWS\system32\iiffffe.dll

[07/31/2006, 15:51:42] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[07/31/2006, 15:51:42] - Removing HKLM\...\Browser Helper Objects\{E521797A-22DE-4B46-8B2F-8E98AB77B942}
[07/31/2006, 15:51:42] - Removing HKCR\CLSID\{E521797A-22DE-4B46-8B2F-8E98AB77B942}
[07/31/2006, 15:51:42] - Adding Kill Bit for ActiveX for GUID: {E521797A-22DE-4B46-8B2F-8E98AB77B942}
[07/31/2006, 15:51:42] - Deleting ATLEvents/MSEvents Registry entries
[07/31/2006, 15:51:42] - Removing HKLM\...\Winlogon\Notify\iiffffe
[07/31/2006, 15:51:42] - Searching for Browser Helper Objects:
[07/31/2006, 15:51:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2006, 15:51:42] - BHO 2: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
[07/31/2006, 15:51:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2006, 15:51:42] - Checking for HKLM\...\Winlogon\Notify\ixt0
[07/31/2006, 15:51:42] - Key not found: HKLM\...\Winlogon\Notify\ixt0, continuing.
[07/31/2006, 15:51:42] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/31/2006, 15:51:42] - BHO 4: {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} (ToolBar888)
[07/31/2006, 15:51:43] - BHO 5: {E521797A-22DE-4B46-8B2F-8E98AB77B942} ()
[07/31/2006, 15:51:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2006, 15:51:43] - Checking for HKLM\...\Winlogon\Notify\iiffffe
[07/31/2006, 15:51:44] - Key not found: HKLM\...\Winlogon\Notify\iiffffe, continuing.
[07/31/2006, 15:51:44] - Finished Searching Browser Helper Objects
[07/31/2006, 15:51:44] - Finishing up...
[07/31/2006, 15:51:45] - A restart is needed.
[07/31/2006, 15:51:55] - Attempting to Restart via STOP error (Blue Screen!)



Logfile of HijackThis v1.99.1
Scan saved at 11:14:02 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149491355625
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by Jatycre, 04 August 2006 - 01:30 AM.
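
The VirtumundoBeGone log in the post above spells out the heuristic the tool applies: a BHO with no default name whose DLL base name is also registered as a Winlogon Notify subkey is treated as probably Virtumundo. As an added illustration (not code from the thread, from HijackThis, or from the VirtumundoBeGone author), the Python below applies the same correlation to the O2 and O20 lines of a HijackThis log, using the lines from post #7 as constructed input, and additionally lists Winlogon Notify entries whose DLL is reported missing. The function names and the three finding labels are my own; the output is a list of leads for a human reviewer, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the O2 and O20 lines of the HijackThis scan posted above (post #7).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\iiffffe.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: iiffffe - C:\WINDOWS\SYSTEM32\iiffffe.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
"""

# HijackThis line shapes for Browser Helper Objects (O2) and Winlogon Notify subkeys (O20).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")
MISSING = "(file missing)"


def parse_hjt(log_text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) records."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def dll_stem(path):
    """Base file name without extension, e.g. 'iiffffe' for C:\\WINDOWS\\system32\\iiffffe.dll."""
    return PureWindowsPath(path.replace(MISSING, "").strip()).stem.lower()


def find_suspicious(log_text):
    """Return (kind, identifier, path) leads for a human reviewer; this is not a verdict."""
    bhos, notifies = parse_hjt(log_text)
    notify_subkeys = {n["subkey"].lower() for n in notifies}
    findings = []
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # named BHOs are left to the reviewer's own judgement
        if dll_stem(b["path"]) in notify_subkeys:
            # The correlation VirtumundoBeGone logs: unnamed BHO plus a matching Winlogon Notify key
            findings.append(("bho_with_winlogon_notify", b["clsid"], b["path"]))
        else:
            findings.append(("unnamed_bho", b["clsid"], b["path"]))
    for n in notifies:
        if n["path"].endswith(MISSING):
            # The registration survives although the DLL is gone: a leftover to clean up
            findings.append(("orphan_winlogon_notify", n["subkey"], n["path"]))
    return findings


if __name__ == "__main__":
    for kind, ident, path in find_suspicious(SAMPLE_HJT_LOG):
        print(f"{kind:26} {ident:40} {path}")
```

On the post #7 lines this yields five leads: iiffffe.dll (unnamed BHO with a matching Winlogon Notify key), ixt4.dll (unnamed BHO on its own), and the three orphaned Winlogon Notify registrations. Note what it does not flag: winm32.dll passes the correlation, because it has no companion BHO; the thread identifies it by other means (the haxfix scan in the posts that follow), which is why a single heuristic is only one input to a cleanup.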


#10 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 04 August 2006 - 03:40 AM

Hi,

Thank you for the information about that file. It's part of the haxdoor infection which was already showing in your log amongst other infections. We will deal with that one as well.

• For now, I do not see an Anti-Virus program ("AV") present on your system. Please install an Anti-Virus program. I do not want you getting more infections as we go through this process.
AVG -or- AntiVir® -or- Avast are good FREE Anti-Virus programs.
Never install more than one Anti-Virus scanner on your system! Having more than one AV installed will likely cause your system to become unstable and seriously decrease the reliable detection of any malware.
Let your Anti-Virus perform a full scan and let it delete everything it finds.

• Also, I see you used msconfig. In case you disabled some entries there, I want to know what they are, because what you disabled is not showing in your HijackThis logs. So perform this next:

Open Notepad and copy and paste the next bold part into it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Save this as look.bat, choosing "All Files" as the file type, and place it on your Desktop.

Double-click on look.bat and post back with the contents in your reply.


• Now download haxfix.exe.
- Save it to your Desktop.
- Double click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
- Checkmark "Create a desktop icon".
- Click "Next".
- When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
- Click "Finish".
- A red "dos window" (dos box) will open.
- Select option 1. Make logfile by typing 1 and then pressing Enter.
- Haxfix will start scanning the computer. When it is finished a logfile will open.

Copy the contents of the logfile from haxdoor.exe and paste it in your reply.
Take only memories, leave nothing but footprints.
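
The look.bat in the post above exports the two MSConfig keys with regedit /e and concatenates the results into startup.txt. As an added example, not part of the thread and not the helper's own script, the Python below reads such an export offline: it handles the UTF-16 text with a byte-order mark that regedit /e writes (and falls back to an assumed Windows-1252 ANSI code page, in case the file went through cmd's type redirection), unescapes the .reg string encoding, and returns the disabled startup items as dictionaries. The sample export is constructed from three entries of the startup.txt posted later in this thread; the function names are my own.

```python
import re

# Constructed sample, modelled on the startup.txt posted later in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0mcamcap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="0mcamcap"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\0mcamcap.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Jwyglh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="explorer"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\JT\\My Documents\\?dobe\\explorer.exe"
"inimapping"="0"
"""

# Only subkeys below this path are MSConfig's record of disabled startup entries.
STARTUPREG_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def decode_reg_export(data: bytes) -> str:
    """regedit /e writes UTF-16 with a BOM; a file re-emitted through cmd's `type >>` may be ANSI."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")  # assumed ANSI code page


def unescape_reg_string(value: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_startupreg(data: bytes):
    """Return one dict per disabled startup entry: name, key, item, hkey, command, inimapping."""
    entries, current = [], None
    for raw in decode_reg_export(data).splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            path = m.group(1)
            if path.lower().startswith(STARTUPREG_PREFIX.lower()):
                current = {"name": path[len(STARTUPREG_PREFIX):]}
                entries.append(current)
            else:
                current = None  # the bare startupreg key or an unrelated section
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = unescape_reg_string(m.group("value"))
    return entries


def summarize(entries):
    """One reviewable line per entry: hive, Run key, item name and the command that was disabled."""
    return [f'{e.get("hkey", "?")}\\{e.get("key", "?")} : {e.get("item", "?")} -> {e.get("command", "?")}'
            for e in entries]


if __name__ == "__main__":
    for line in summarize(parse_startupreg(SAMPLE_EXPORT.encode("utf-16"))):
        print(line)
```

The point of reading the export this way rather than eyeballing startup.txt is that the unescaped command is what would actually run if the entry were re-enabled, so a reviewer sees the real path (including odd characters such as the `?` in the third entry, which is how the export rendered a non-ANSI character) and the hive it lives under.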


#11 Jatycre

Jatycre
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 04 August 2006 - 03:35 PM

HAXFIX logfile - by Marckie
______________
version 4.04
Fri 08/04/2006 13:29:53.25
running from: C:\Program Files\HaxFix

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
winm

checking for matching services....
matching services found
winm32
winm64

checking for matching safeboot services....
matching safeboot services found
winm32.sys
winm64.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0mcamcap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="0mcamcap"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\0mcamcap.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\4c79d725.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="4c79d725"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\4c79d725.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AceGain LiveUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LiveUpdate"
"hkey"="HKLM"
"command"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ae16e7ea.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ae16e7ea"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ae16e7ea.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CleanUp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcappins"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Shared\\mcappins.exe /v=3 /cleanup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1144476682\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="system"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\system.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Jwyglh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="explorer"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\JT\\My Documents\\?dobe\\explorer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\McAfee QuickClean Imonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Plguni"
"hkey"="HKCU"
"command"="C:\\Program Files\\McAfee\\McAfee QuickClean\\Plguni.exe /START"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pinnacle Game Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinnacle"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PlaxoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PlaxoHelper"
"hkey"="HKCU"
"command"="C:\\Program Files\\Plaxo\\2.5.10.21\\PlaxoHelper.exe -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="winlogon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\inet20001\\winlogon.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Seal]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wowexec"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\JT\\APPLIC~1\\ICROSO~1.NET\\wowexec.exe\" -vt yax"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpyBlocs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GLF11"
"hkey"="HKCU"
"command"="C:\\Program Files\\eBlocs\\SpyBlocs\\GLF11.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SysTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="paytime"
"hkey"="HKLM"
"command"="c:\\Program Files\\paytime.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Media Connect 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMCCFG"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows update loader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpupdate"
"hkey"="HKCU"
"command"="C:\\Windows\\xpupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\xp_system]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\inet20001\\winlogon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Xromzpu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\F?nts\\winlogon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^JT^Start Menu^Programs^Startup^Aquarius Soft PC Alarm Clock Pro.lnk]
"path"="C:\\Documents and Settings\\JT\\Start Menu\\Programs\\Startup\\Aquarius Soft PC Alarm Clock Pro.lnk"
"backup"="C:\\WINDOWS\\pss\\Aquarius Soft PC Alarm Clock Pro.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\AQUARI~1\\PCALAR~1\\alarm.exe /Startup"
"item"="Aquarius Soft PC Alarm Clock Pro"

#12 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 04 August 2006 - 08:34 PM

Hi,

• Navigate to C:\Program Files\haxfix
- Select option 2. Run auto fix by typing 2, and then pressing Enter.
- If an infection is found, you'll get a message to close all other open windows.
- Close them, except the red DOS window from haxfix, and then press Enter.
- The computer will reboot.
- After reboot, a logfile will open.

• Post the contents of that logfile along with a new HijackThis log.
Take only memories, leave nothing but footprints.


#13 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 12 August 2006 - 01:04 PM

Due to a lack of response ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.
Take only memories, leave nothing but footprints.
