
Hijackthis Help. Desperate!


  • This topic is locked
13 replies to this topic

#1 sandbar


Posted 22 May 2007 - 09:09 PM

My apologies in advance for being long winded.

Daughter's machine. Don't know what her son downloaded, but it's got the thing pretty much stopped cold.
XP Home, 256M Memory, 1.6 Celeron. Was working fine until it got infected. A few things I had her do:
Ran Spybot and let it clean up what it found.
Ran Adaware the same.
Uninstall everything that looked suspicious
System was still near death, so I had her bring it over. IE 6.0 would get the "IE has encountered...." dialog and wouldn't run. Everything was VERY slow. I noticed XP SP2 was not installed, so I installed it and everything took off and ran great. We then cleaned a ton of junk her younguns had downloaded (games, music, Kazaa, etc.) from the HD. Everything ran great, BUT we weren't plugged into the internet.

She took the machine home, plugged into the web and everything went to H again.

She brought it back and I uninstalled Internet Explorer 6.n and installed the latest 7.n from Microsoft just in case. IE will now open but hangs up. I don't think IE is the problem because it took several tries to get it to install and things are messed up even before you try it.

I noticed in TaskManager
retadpu11.exe was eating the CPU so I killed it and deleted the .exe from Windows. It helped for a minute.
Xiyir.exe is now eating the CPU. Killed it and tried to open IE. It says "Website found. Waiting..." but it's frozen. TaskManager says iexplore.exe is at 98% of CPU. Killed iexplore.exe and Internet Explorer went away and CPU usage went back to 5%. Rebooted and tried IE again, same result.

Here's the HijackThis log. I'd sure appreciate help. Thanks, Bob Ritter

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:15:43 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Okcvwc\Xiyir.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\Lynn\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Krxktnr] C:\Program Files\Okcvwc\Xiyir.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\htmlfwgfw.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe

--
End of file - 7484 bytes
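The log above is the kind of thing the helpers on this board read by eye: Run entries that point at a .tmp file, a Run value and a folder with keyboard-mash names, an AppInit_DLLs hook, and services with no registered owner. As an added example (not part of the original thread, not HijackThis code, and not the helper's own method), the Python below scores the lines of an HJT log with a handful of such heuristics. The sample lines are copied from the log posted in #1; the weights and the consonant-run "random name" test are my own assumptions, so a score is a lead to check against the advice given in the thread, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this thread: not HijackThis code and not the helper's
method. The weights and the "random name" test are assumptions of mine.
A score is a lead to verify, not a verdict.
"""
import re
from dataclasses import dataclass

# Entries copied from the log posted in #1. The Nhksrv line is included on
# purpose: a vendor service the heuristics also flag (see the usage note).
SAMPLE_LOG = r"""
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Krxktnr] C:\Program Files\Okcvwc\Xiyir.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - AppInit_DLLs: C:\WINDOWS\System32\htmlfwgfw.dll
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# Assumed weights: 2 for things that are almost never legitimate, 1 for hints.
WEIGHTS = {
    "executable with a .tmp extension": 2,
    "AppInit_DLLs injection point in use": 2,
    "long hex token passed as Run argument": 2,
    "browser menu item points at an external URL": 2,
    "binary directly in the %WINDIR% root": 1,
    "random-looking file or folder name": 1,
    "random-looking Run value name": 1,
    "BHO loaded from %WINDIR% instead of a vendor folder": 1,
    "service has no registered owner": 1,
    "unowned service named after Microsoft/Windows": 1,
}

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|tmp|sys|scr|bat|com)\b", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows\\", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    score: int
    reasons: list


def looks_random(token: str) -> bool:
    """Crude keyboard-mash test: four or more consonants in a row (vowels and 'y' break the run)."""
    return bool(CONSONANT_RUN_RE.search(token.rsplit(".", 1)[0]))


def score_line(line: str) -> Finding:
    reasons = []
    kind = line.split(" - ", 1)[0].strip()          # e.g. "O4", "O23"
    match = PATH_RE.search(line)
    path = match.group(0) if match else None
    if path:
        parts = path.split("\\")
        filename = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if filename.lower().endswith(".tmp"):
            reasons.append("executable with a .tmp extension")
        if WINDIR_ROOT_RE.match(path):
            reasons.append("binary directly in the %WINDIR% root")
        if looks_random(filename) or looks_random(parent):
            reasons.append("random-looking file or folder name")
    if kind == "O2" and path and WINDIR_RE.match(path):
        reasons.append("BHO loaded from %WINDIR% instead of a vendor folder")
    if kind == "O4":
        name = RUN_NAME_RE.search(line)
        if name and looks_random(name.group(1)):
            reasons.append("random-looking Run value name")
        if HEX_BLOB_RE.search(line):
            reasons.append("long hex token passed as Run argument")
    if kind in ("O8", "O9") and re.search(r"https?://", line):
        reasons.append("browser menu item points at an external URL")
    if kind == "O20" and "AppInit_DLLs" in line:
        reasons.append("AppInit_DLLs injection point in use")
    if kind == "O23" and "Unknown owner" in line:
        reasons.append("service has no registered owner")
        display = line.split("Service: ", 1)[-1].split(" - ", 1)[0]
        if re.search(r"microsoft|windows", display, re.IGNORECASE):
            reasons.append("unowned service named after Microsoft/Windows")
    return Finding(line, sum(WEIGHTS[r] for r in reasons), reasons)


def triage(log_text: str, threshold: int = 2) -> list:
    """Return the entries at or above the threshold, highest score first."""
    findings = [score_line(entry) for entry in log_text.splitlines() if entry.strip()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      " + "; ".join(f.reasons))
```

Run it and the 1.tmp, Xiyir.exe, retadpu11.exe, htmlfwgfw.dll, need2find, tct101.dll and ssl/winmon entries come out on top, which lines up with what SDFix removed and what waterfalls asks to fix in #5. Note the false positive: Nhksrv.exe scores 3 (unknown owner, %WINDIR% root, consonant run), yet nobody in the thread asks for it to be removed. That is why the output is a ranked list to verify and not a delete list.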

#2 sandbar


Posted 22 May 2007 - 09:55 PM

I started this topic and just got sent to a page with a message from Grinler saying I was using an old version or beta and directing me to download a new .zip and redo the scan. If this is legit and necessary I'll sure do it.

#3 waterfalls


Posted 23 May 2007 - 02:58 AM

Hi -

The PM you received is legitimate because you are using a BETA version of HijackThis. However, I want you to download the current version from here and save it to a convenient location. This is a self-executing file, so just double-click the file and it will install itself in its own folder. Use this version from now on.

Please follow these directions in the order stated.
You will need to print or copy these instructions because you will be working in Safe Mode without an Internet connection.

Download SDFix and save it to your Desktop.
Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.
  • In Safe Mode, choose your usual account
  • Right-click the SDFix.zip folder and choose Extract All
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply

I see that you have no Anti-Virus program ("AV") present on your system. Please install an Anti-Virus program.
Active Virus Shield is a good FREE Anti-Virus program.
Note: Never install more than one Anti-Virus scanner on your system! Having more than one AV installed will likely cause your system to become unstable and seriously decrease the reliable detection of any malware.
After installing the AV program, have it perform a complete scan, and let it delete everything it finds.

Post back with SDFix's Report.txt and a new HijackThis log.
Take only memories, leave nothing but footprints.


#4 sandbar


Posted 24 May 2007 - 06:49 PM

Couldn't open IE to download Active Virus. Installed Mozilla and it ran fine. Tried to install Active Virus but it failed; it thought eZArmor was on the machine. Tried to uninstall it but it won't go away.
Here's the new HijackThis log and

Thanks again for the help. Bob Ritter

Logfile of HijackThis v1.99.1
Scan saved at 6:30:24 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Okcvwc\Xiyir.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Netropa\OSD.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Krxktnr] C:\Program Files\Okcvwc\Xiyir.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\Lynn\Desktop\avs.msi"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\htmlfwgfw.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe



SDFix: Version 1.84

Run by Lynn - Thu 05/24/2007 - 17:30:35.65

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
rdriv
ssl
Windows Process Moniter

ImagePath:
\??\C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\System32\ssl.exe
"C:\WINDOWS\winmon.exe"

rdriv - Deleted
ssl - Deleted
Windows Process Moniter - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\ERASEM~4.EXE - Deleted
C:\WINDOWS\SYSTEM32\eraseme_27421.exe - Deleted
C:\WINDOWS\SYSTEM32\eraseme_31086.exe - Deleted
C:\WINDOWS\SYSTEM32\eraseme_58063.exe - Deleted
C:\WINDOWS\SYSTEM32\eraseme_61022.exe - Deleted
C:\WINDOWS\SYSTEM32\winmon.sys - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\system32\ssl.exe - Deleted
C:\WINDOWS\winmon.exe - Deleted

Could Not Remove C:\WINDOWS\SYSTEM32\rdriv.sys


Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------

rdriv


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\1.tmp"="C:\\WINDOWS\\system32\\1.tmp:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\1.tmp"="C:\\WINDOWS\\system32\\1.tmp:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------
C:\WINDOWS\SYSTEM32\rdriv.sys Found

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\aim.exe
C:\Documents and Settings\Lynn\Application Data\Microsoft\Office\Shortcut Bar\Pro1.tmp
C:\Documents and Settings\Lynn\Application Data\Microsoft\Templates\~WRL1065.tmp
C:\Documents and Settings\Lynn\Application Data\Microsoft\Templates\~WRL1413.tmp

Finished
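The "Authorized Application Key Export" in the SDFix report above is worth reading closely. Each value has the form <path>:<scope>:<Enabled|Disabled>:<display name>, so "C:\WINDOWS\system32\1.tmp:*:Enabled:Server" means the XP SP2 firewall had been told to accept inbound connections to 1.tmp from any address (scope *), and the same entry sits in both the Standard and the Domain profile. As an added example (not SDFix code and not from the thread), the Python below parses that export and flags entries like it. The export text is reproduced from the report above; the three flag rules are my own assumptions.

```python
"""Decode the Windows XP SP2 firewall AuthorizedApplications list.

Added example for this thread, not SDFix code. The value layout
"<path>:<scope>:<Enabled|Disabled>:<display name>" is the XP SP2 format;
the flag rules are assumptions of mine.
"""
import re
from dataclasses import dataclass, field

# Key export reproduced from the SDFix report in #4 (both profiles).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\1.tmp"="C:\\WINDOWS\\system32\\1.tmp:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\1.tmp"="C:\\WINDOWS\\system32\\1.tmp:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')
PROFILE_RE = re.compile(r"\\(StandardProfile|DomainProfile)\\")


@dataclass
class FwException:
    profile: str
    path: str
    scope: str        # "*" means any remote address
    enabled: bool
    display: str
    flags: list = field(default_factory=list)


def parse_export(text: str) -> list:
    """Turn a .reg-style export of the AuthorizedApplications\\List keys into records."""
    entries, profile = [], "?"
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            pm = PROFILE_RE.search(km.group(1))
            profile = pm.group(1) if pm else "?"
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        value = em.group(2).replace("\\\\", "\\")   # .reg files escape backslashes
        # The path itself contains a colon (C:\...), so split the three
        # trailing fields off from the right.
        path, scope, state, display = value.rsplit(":", 3)
        entries.append(FwException(profile, path, scope, state.lower() == "enabled", display))
    return entries


def assess(entry: FwException) -> FwException:
    """Attach flag strings to an exception; rules are assumptions, not a verdict."""
    low = entry.path.lower()
    if low.endswith(".tmp"):
        entry.flags.append("executable with a .tmp extension allowed through the firewall")
    if entry.enabled and entry.scope == "*":
        entry.flags.append("inbound connections allowed from any address")
    if not entry.display.startswith("@") and low.startswith(("%windir%", "c:\\windows\\")):
        # The Windows-supplied entry here (sessmgr.exe) carries a localized
        # resource name (@dll,-id); a plain-text name on a binary under
        # %WINDIR% was written by something other than Windows setup.
        entry.flags.append("plain display name for a binary under %WINDIR%")
    return entry


def suspicious(text: str, min_flags: int = 2) -> list:
    """Entries carrying at least min_flags flags, across all profiles."""
    return [e for e in map(assess, parse_export(text)) if len(e.flags) >= min_flags]


if __name__ == "__main__":
    for e in suspicious(REG_EXPORT):
        print(f"{e.profile}: {e.path} [{e.display}] scope={e.scope}")
        for flag in e.flags:
            print("   -", flag)
```

On this export the 1.tmp entry collects all three flags in both profiles while sessmgr.exe (Remote Assistance, named through @xpsp2res.dll,-22019) collects only the "any address" one, which is the normal state for a Windows-supplied exception. SDFix only reports this key; clearing the hole is a separate step after the binary itself is gone.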

#5 waterfalls


Posted 24 May 2007 - 10:13 PM

Hi -

Your system is badly infected, which includes backdoor trojans. Do NOT do any online transactions such as purchases, banking, etc. Change your passwords at sensitive websites.
We will try and clean your system.
You will need to print these directions because you will be working in Safe Mode without an Internet connection.

Download Superantispyware
- Load Superantispyware and click the check for updates button.
- Once the update is finished, exit the program.
Do NOT scan with it yet!

Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Krxktnr] C:\Program Files\Okcvwc\Xiyir.exe
O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\Lynn\Desktop\avs.msi"
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - AppInit_DLLs: C:\WINDOWS\System32\htmlfwgfw.dll


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

Navigate to and delete the following files if present:
C:\Windows\aim.exe
C:\Windows\system32\rdriv.sys
C:\Windows\system32\htmlfwgfw.dll
C:\Documents and Settings\Lynn\Application Data\Microsoft\Office\Shortcut Bar\Pro1.tmp

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Run Superantispyware
- Click the scan your computer button.
- Check Perform Complete Scan and then next.
- Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
- Make sure that they all have a check next to them and press next.
- Click finish and you will be taken back to the main interface.
- Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
- Copy and paste the log in your next reply.

Reboot into NORMAL MODE

Post back with the log from Superantispyware and a new HijackThis log. You really need an AV on your computer.

#6 sandbar


Posted 25 May 2007 - 09:39 AM

Followed your directions and all went well except that htmlfwgfw.dll wouldn't delete. However, following all the steps except the virus scan, I was able to get IE to run.

After the scan and reboot I tried again to install Active Virus Shield and it still fails due to eTrust EZ Armor. Uninstall won't get rid of it. It's not running but AVS still won't install. I've used Avast for years on my machine. What do you think of that AV?

Here are the logs. Thanks again. The system seems to be working normally now.

Logfile of HijackThis v1.99.1
Scan saved at 9:29:40 AM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\msiexec.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\Lynn\Desktop\avs.msi"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/25/2007 at 09:11 AM

Application Version : 3.8.1002

Core Rules Database Version : 3242
Trace Rules Database Version: 1253

Scan type : Complete Scan
Total Scan Time : 00:43:12

Memory items scanned : 165
Memory threats detected : 0
Registry items scanned : 4405
Registry threats detected : 381
File items scanned : 25358
File threats detected : 12

Unclassified.Novopops
HKLM\Software\Classes\CLSID\{005514d7-df37-09c0-650f-006ac0879dc2}
HKCR\CLSID\{005514D7-DF37-09C0-650F-006AC0879DC2}
HKCR\CLSID\{005514D7-DF37-09C0-650F-006AC0879DC2}\InprocServer32
HKCR\CLSID\{005514D7-DF37-09C0-650F-006AC0879DC2}\InprocServer32#ThreadingModel
C:\WINDOWS\CDMDOWNLD\KBPWOEUWTM.DLL
HKLM\Software\Classes\CLSID\{006670d7-000b-7714-6e99-da1b58c31286}
HKCR\CLSID\{006670D7-000B-7714-6E99-DA1B58C31286}
HKCR\CLSID\{006670D7-000B-7714-6E99-DA1B58C31286}\InprocServer32
HKCR\CLSID\{006670D7-000B-7714-6E99-DA1B58C31286}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{00ffd2af-7bb5-fb30-5366-b67cb0f53f9c}
HKCR\CLSID\{00FFD2AF-7BB5-FB30-5366-B67CB0F53F9C}
HKCR\CLSID\{00FFD2AF-7BB5-FB30-5366-B67CB0F53F9C}\InprocServer32
HKCR\CLSID\{00FFD2AF-7BB5-FB30-5366-B67CB0F53F9C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{07bb8a9e-7b55-2d3c-1299-4024b01b1b22}
HKCR\CLSID\{07BB8A9E-7B55-2D3C-1299-4024B01B1B22}
HKCR\CLSID\{07BB8A9E-7B55-2D3C-1299-4024B01B1B22}\InprocServer32
HKCR\CLSID\{07BB8A9E-7B55-2D3C-1299-4024B01B1B22}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{07cc2e39-8ddf-656c-0055-2253d00341d6}
HKCR\CLSID\{07CC2E39-8DDF-656C-0055-2253D00341D6}
HKCR\CLSID\{07CC2E39-8DDF-656C-0055-2253D00341D6}\InprocServer32
HKCR\CLSID\{07CC2E39-8DDF-656C-0055-2253D00341D6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{07dd8abc-29c9-ba30-a822-8a3f707b36ec}
HKCR\CLSID\{07DD8ABC-29C9-BA30-A822-8A3F707B36EC}
HKCR\CLSID\{07DD8ABC-29C9-BA30-A822-8A3F707B36EC}\InprocServer32
HKCR\CLSID\{07DD8ABC-29C9-BA30-A822-8A3F707B36EC}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{07ff9aaa-52ed-2dcc-9dee-2441a8e93f0a}
HKCR\CLSID\{07FF9AAA-52ED-2DCC-9DEE-2441A8E93F0A}
HKCR\CLSID\{07FF9AAA-52ED-2DCC-9DEE-2441A8E93F0A}\InprocServer32
HKCR\CLSID\{07FF9AAA-52ED-2DCC-9DEE-2441A8E93F0A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{0933da87-7be9-4afc-c322-025358cfe9a0}
HKCR\CLSID\{0933DA87-7BE9-4AFC-C322-025358CFE9A0}
HKCR\CLSID\{0933DA87-7BE9-4AFC-C322-025358CFE9A0}\InprocServer32
HKCR\CLSID\{0933DA87-7BE9-4AFC-C322-025358CFE9A0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{09449c11-7b6e-af30-0933-14361800de5a}
HKCR\CLSID\{09449C11-7B6E-AF30-0933-14361800DE5A}
HKCR\CLSID\{09449C11-7B6E-AF30-0933-14361800DE5A}\InprocServer32
HKCR\CLSID\{09449C11-7B6E-AF30-0933-14361800DE5A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{09bb40bb-52a6-7030-2d0f-ae9910c32464}
HKCR\CLSID\{09BB40BB-52A6-7030-2D0F-AE9910C32464}
HKCR\CLSID\{09BB40BB-52A6-7030-2D0F-AE9910C32464}\InprocServer32
HKCR\CLSID\{09BB40BB-52A6-7030-2D0F-AE9910C32464}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{09ccf61b-2913-3600-9dcc-0058e8653fa0}
HKCR\CLSID\{09CCF61B-2913-3600-9DCC-0058E8653FA0}
HKCR\CLSID\{09CCF61B-2913-3600-9DCC-0058E8653FA0}\InprocServer32
HKCR\CLSID\{09CCF61B-2913-3600-9DCC-0058E8653FA0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{12cc0cbc-00d7-00cc-af0f-f05840b98bd6}
HKCR\CLSID\{12CC0CBC-00D7-00CC-AF0F-F05840B98BD6}
HKCR\CLSID\{12CC0CBC-00D7-00CC-AF0F-F05840B98BD6}\InprocServer32
HKCR\CLSID\{12CC0CBC-00D7-00CC-AF0F-F05840B98BD6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1b224eee-8d62-ba6c-1222-1a65184d7900}
HKCR\CLSID\{1B224EEE-8D62-BA6C-1222-1A65184D7900}
HKCR\CLSID\{1B224EEE-8D62-BA6C-1222-1A65184D7900}\InprocServer32
HKCR\CLSID\{1B224EEE-8D62-BA6C-1222-1A65184D7900}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1b5548ff-52e9-c36c-09dd-f0cf30ffd55a}
HKCR\CLSID\{1B5548FF-52E9-C36C-09DD-F0CF30FFD55A}
HKCR\CLSID\{1B5548FF-52E9-C36C-09DD-F0CF30FFD55A}\InprocServer32
HKCR\CLSID\{1B5548FF-52E9-C36C-09DD-F0CF30FFD55A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1bbb32aa-003c-9dfc-090f-d83fb0d15338}
HKCR\CLSID\{1BBB32AA-003C-9DFC-090F-D83FB0D15338}
HKCR\CLSID\{1BBB32AA-003C-9DFC-090F-D83FB0D15338}\InprocServer32
HKCR\CLSID\{1BBB32AA-003C-9DFC-090F-D83FB0D15338}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1bbbc4e4-2978-c300-94aa-5c41d8c507ec}
HKCR\CLSID\{1BBBC4E4-2978-C300-94AA-5C41D8C507EC}
HKCR\CLSID\{1BBBC4E4-2978-C300-94AA-5C41D8C507EC}\InprocServer32
HKCR\CLSID\{1BBBC4E4-2978-C300-94AA-5C41D8C507EC}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1bbbfa94-8dab-e014-8b66-720010410914}
HKCR\CLSID\{1BBBFA94-8DAB-E014-8B66-720010410914}
HKCR\CLSID\{1BBBFA94-8DAB-E014-8B66-720010410914}\InprocServer32
HKCR\CLSID\{1BBBFA94-8DAB-E014-8B66-720010410914}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1bcc36af-e4f3-00c0-8b0f-6c003033af72}
HKCR\CLSID\{1BCC36AF-E4F3-00C0-8B0F-6C003033AF72}
HKCR\CLSID\{1BCC36AF-E4F3-00C0-8B0F-6C003033AF72}\InprocServer32
HKCR\CLSID\{1BCC36AF-E4F3-00C0-8B0F-6C003033AF72}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{24007205-521b-77b8-e011-3a8e48890938}
HKCR\CLSID\{24007205-521B-77B8-E011-3A8E48890938}
HKCR\CLSID\{24007205-521B-77B8-E011-3A8E48890938}\InprocServer32
HKCR\CLSID\{24007205-521B-77B8-E011-3A8E48890938}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{246682ee-8d65-2d3c-2d11-1690001b8272}
HKCR\CLSID\{246682EE-8D65-2D3C-2D11-1690001B8272}
HKCR\CLSID\{246682EE-8D65-2D3C-2D11-1690001B8272}\InprocServer32
HKCR\CLSID\{246682EE-8D65-2D3C-2D11-1690001B8272}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{2d55a6d7-293a-3614-d577-8e24103af250}
HKCR\CLSID\{2D55A6D7-293A-3614-D577-8E24103AF250}
HKCR\CLSID\{2D55A6D7-293A-3614-D577-8E24103AF250}\InprocServer32
HKCR\CLSID\{2D55A6D7-293A-3614-D577-8E24103AF250}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{2dbb3882-00fe-5c28-1bdd-1abde0544172}
HKCR\CLSID\{2DBB3882-00FE-5C28-1BDD-1ABDE0544172}
HKCR\CLSID\{2DBB3882-00FE-5C28-1BDD-1ABDE0544172}\InprocServer32
HKCR\CLSID\{2DBB3882-00FE-5C28-1BDD-1ABDE0544172}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{36005e32-2905-3f60-c399-12651805001e}
HKCR\CLSID\{36005E32-2905-3F60-C399-12651805001E}
HKCR\CLSID\{36005E32-2905-3F60-C399-12651805001E}\InprocServer32
HKCR\CLSID\{36005E32-2905-3F60-C399-12651805001E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{36dd1605-00e4-0758-70bb-5400c8eea66e}
HKCR\CLSID\{36DD1605-00E4-0758-70BB-5400C8EEA66E}
HKCR\CLSID\{36DD1605-00E4-0758-70BB-5400C8EEA66E}\InprocServer32
HKCR\CLSID\{36DD1605-00E4-0758-70BB-5400C8EEA66E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{36dd906b-e4f6-af74-a600-98b468f5d588}
HKCR\CLSID\{36DD906B-E4F6-AF74-A600-98B468F5D588}
HKCR\CLSID\{36DD906B-E4F6-AF74-A600-98B468F5D588}\InprocServer32
HKCR\CLSID\{36DD906B-E4F6-AF74-A600-98B468F5D588}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{3800129e-7bb9-0058-1b33-d465601d531e}
HKCR\CLSID\{3800129E-7BB9-0058-1B33-D465601D531E}
HKCR\CLSID\{3800129E-7BB9-0058-1B33-D465601D531E}\InprocServer32
HKCR\CLSID\{3800129E-7BB9-0058-1B33-D465601D531E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{3888b628-294a-b1b8-240f-ce3fb0410972}
HKCR\CLSID\{3888B628-294A-B1B8-240F-CE3FB0410972}
HKCR\CLSID\{3888B628-294A-B1B8-240F-CE3FB0410972}\InprocServer32
HKCR\CLSID\{3888B628-294A-B1B8-240F-CE3FB0410972}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{38aa34bc-528b-2d0c-a6ff-be2d98b9de86}
HKCR\CLSID\{38AA34BC-528B-2D0C-A6FF-BE2D98B9DE86}
HKCR\CLSID\{38AA34BC-528B-2D0C-A6FF-BE2D98B9DE86}\InprocServer32
HKCR\CLSID\{38AA34BC-528B-2D0C-A6FF-BE2D98B9DE86}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{3faa4826-df20-1b28-8b88-1290c0f0a8aa}
HKCR\CLSID\{3FAA4826-DF20-1B28-8B88-1290C0F0A8AA}
HKCR\CLSID\{3FAA4826-DF20-1B28-8B88-1290C0F0A8AA}\InprocServer32
HKCR\CLSID\{3FAA4826-DF20-1B28-8B88-1290C0F0A8AA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{41111405-e428-8bfc-6e00-c83f30524188}
HKCR\CLSID\{41111405-E428-8BFC-6E00-C83F30524188}
HKCR\CLSID\{41111405-E428-8BFC-6E00-C83F30524188}\InprocServer32
HKCR\CLSID\{41111405-E428-8BFC-6E00-C83F30524188}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4199441c-e485-3658-2dee-66b4909aaf64}
HKCR\CLSID\{4199441C-E485-3658-2DEE-66B4909AAF64}
HKCR\CLSID\{4199441C-E485-3658-2DEE-66B4909AAF64}\InprocServer32
HKCR\CLSID\{4199441C-E485-3658-2DEE-66B4909AAF64}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4a774a11-2956-e960-b166-767ca03f4136}
HKCR\CLSID\{4A774A11-2956-E960-B166-767CA03F4136}
HKCR\CLSID\{4A774A11-2956-E960-B166-767CA03F4136}\InprocServer32
HKCR\CLSID\{4A774A11-2956-E960-B166-767CA03F4136}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4aaa8cee-e4ca-7788-79dd-50b4c8c0c322}
HKCR\CLSID\{4AAA8CEE-E4CA-7788-79DD-50B4C8C0C322}
HKCR\CLSID\{4AAA8CEE-E4CA-7788-79DD-50B4C8C0C322}\InprocServer32
HKCR\CLSID\{4AAA8CEE-E4CA-7788-79DD-50B4C8C0C322}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4addf689-5237-53a4-9422-5c24a0522db4}
HKCR\CLSID\{4ADDF689-5237-53A4-9422-5C24A0522DB4}
HKCR\CLSID\{4ADDF689-5237-53A4-9422-5C24A0522DB4}\InprocServer32
HKCR\CLSID\{4ADDF689-5237-53A4-9422-5C24A0522DB4}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5311146c-294c-a814-9d55-247ce8fa4172}
HKCR\CLSID\{5311146C-294C-A814-9D55-247CE8FA4172}
HKCR\CLSID\{5311146C-294C-A814-9D55-247CE8FA4172}\InprocServer32
HKCR\CLSID\{5311146C-294C-A814-9D55-247CE8FA4172}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{53113ac8-293f-946c-2d33-dc1b787d6538}
HKCR\CLSID\{53113AC8-293F-946C-2D33-DC1B787D6538}
HKCR\CLSID\{53113AC8-293F-946C-2D33-DC1B787D6538}\InprocServer32
HKCR\CLSID\{53113AC8-293F-946C-2D33-DC1B787D6538}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{53116a37-8d01-a8f0-afff-001b60300700}
HKCR\CLSID\{53116A37-8D01-A8F0-AFFF-001B60300700}
HKCR\CLSID\{53116A37-8D01-A8F0-AFFF-001B60300700}\InprocServer32
HKCR\CLSID\{53116A37-8D01-A8F0-AFFF-001B60300700}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5377caaa-52ef-2dc0-ba77-4c77a005006e}
HKCR\CLSID\{5377CAAA-52EF-2DC0-BA77-4C77A005006E}
HKCR\CLSID\{5377CAAA-52EF-2DC0-BA77-4C77A005006E}\InprocServer32
HKCR\CLSID\{5377CAAA-52EF-2DC0-BA77-4C77A005006E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5c551a0a-29d6-1244-9d22-54b478571214}
HKCR\CLSID\{5C551A0A-29D6-1244-9D22-54B478571214}
HKCR\CLSID\{5C551A0A-29D6-1244-9D22-54B478571214}\InprocServer32
HKCR\CLSID\{5C551A0A-29D6-1244-9D22-54B478571214}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5caa1a78-00f4-e9cc-c388-4acf1822074c}
HKCR\CLSID\{5CAA1A78-00F4-E9CC-C388-4ACF1822074C}
HKCR\CLSID\{5CAA1A78-00F4-E9CC-C388-4ACF1822074C}\InprocServer32
HKCR\CLSID\{5CAA1A78-00F4-E9CC-C388-4ACF1822074C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6544081b-52a9-af3c-e70f-0ebd203aba14}
HKCR\CLSID\{6544081B-52A9-AF3C-E70F-0EBD203ABA14}
HKCR\CLSID\{6544081B-52A9-AF3C-E70F-0EBD203ABA14}\InprocServer32
HKCR\CLSID\{6544081B-52A9-AF3C-E70F-0EBD203ABA14}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{65dd9844-e429-82f0-07cc-ac36c80c701e}
HKCR\CLSID\{65DD9844-E429-82F0-07CC-AC36C80C701E}
HKCR\CLSID\{65DD9844-E429-82F0-07CC-AC36C80C701E}\InprocServer32
HKCR\CLSID\{65DD9844-E429-82F0-07CC-AC36C80C701E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6e22ecf5-7bc6-c3b8-5cf0-a4e380b2e750}
HKCR\CLSID\{6E22ECF5-7BC6-C3B8-5CF0-A4E380B2E750}
HKCR\CLSID\{6E22ECF5-7BC6-C3B8-5CF0-A4E380B2E750}\InprocServer32
HKCR\CLSID\{6E22ECF5-7BC6-C3B8-5CF0-A4E380B2E750}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6e8812d9-e4eb-12fc-38dd-b45330d66ea0}
HKCR\CLSID\{6E8812D9-E4EB-12FC-38DD-B45330D66EA0}
HKCR\CLSID\{6E8812D9-E4EB-12FC-38DD-B45330D66EA0}\InprocServer32
HKCR\CLSID\{6E8812D9-E4EB-12FC-38DD-B45330D66EA0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6edd8c0f-5277-6e90-ccbb-7c6a308412d8}
HKCR\CLSID\{6EDD8C0F-5277-6E90-CCBB-7C6A308412D8}
HKCR\CLSID\{6EDD8C0F-5277-6E90-CCBB-7C6A308412D8}\InprocServer32
HKCR\CLSID\{6EDD8C0F-5277-6E90-CCBB-7C6A308412D8}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6edde6cd-e4d7-240c-1b99-eee8c87824f0}
HKCR\CLSID\{6EDDE6CD-E4D7-240C-1B99-EEE8C87824F0}
HKCR\CLSID\{6EDDE6CD-E4D7-240C-1B99-EEE8C87824F0}\InprocServer32
HKCR\CLSID\{6EDDE6CD-E4D7-240C-1B99-EEE8C87824F0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7088980f-2978-9400-d500-1690c04d3f1e}
HKCR\CLSID\{7088980F-2978-9400-D500-1690C04D3F1E}
HKCR\CLSID\{7088980F-2978-9400-D500-1690C04D3F1E}\InprocServer32
HKCR\CLSID\{7088980F-2978-9400-D500-1690C04D3F1E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{70ff2ebc-8dd2-2d00-e733-7a0968e9360a}
HKCR\CLSID\{70FF2EBC-8DD2-2D00-E733-7A0968E9360A}
HKCR\CLSID\{70FF2EBC-8DD2-2D00-E733-7A0968E9360A}\InprocServer32
HKCR\CLSID\{70FF2EBC-8DD2-2D00-E733-7A0968E9360A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7788c05f-8d91-1b00-e0ee-1c7ca89aa85a}
HKCR\CLSID\{7788C05F-8D91-1B00-E0EE-1C7CA89AA85A}
HKCR\CLSID\{7788C05F-8D91-1B00-E0EE-1C7CA89AA85A}\InprocServer32
HKCR\CLSID\{7788C05F-8D91-1B00-E0EE-1C7CA89AA85A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7900eca0-e4d3-c390-a844-d21218ee07d6}
HKCR\CLSID\{7900ECA0-E4D3-C390-A844-D21218EE07D6}
HKCR\CLSID\{7900ECA0-E4D3-C390-A844-D21218EE07D6}\InprocServer32
HKCR\CLSID\{7900ECA0-E4D3-C390-A844-D21218EE07D6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7955fa0f-5212-de74-4166-cebd8033241e}
HKCR\CLSID\{7955FA0F-5212-DE74-4166-CEBD8033241E}
HKCR\CLSID\{7955FA0F-5212-DE74-4166-CEBD8033241E}\InprocServer32
HKCR\CLSID\{7955FA0F-5212-DE74-4166-CEBD8033241E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7966e094-8da1-3614-f288-3277c8461bec}
HKCR\CLSID\{7966E094-8DA1-3614-F288-3277C8461BEC}
HKCR\CLSID\{7966E094-8DA1-3614-F288-3277C8461BEC}\InprocServer32
HKCR\CLSID\{7966E094-8DA1-3614-F288-3277C8461BEC}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{79bb605f-0002-d5a4-b133-d6777835ded6}
HKCR\CLSID\{79BB605F-0002-D5A4-B133-D6777835DED6}
HKCR\CLSID\{79BB605F-0002-D5A4-B133-D6777835DED6}\InprocServer32
HKCR\CLSID\{79BB605F-0002-D5A4-B133-D6777835DED6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{79ff6611-8d37-fba4-4a22-9ef530dd9d4c}
HKCR\CLSID\{79FF6611-8D37-FBA4-4A22-9EF530DD9D4C}
HKCR\CLSID\{79FF6611-8D37-FBA4-4A22-9EF530DD9D4C}\InprocServer32
HKCR\CLSID\{79FF6611-8D37-FBA4-4A22-9EF530DD9D4C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{828832bc-df17-9dfc-dedd-06c65003e05a}
HKCR\CLSID\{828832BC-DF17-9DFC-DEDD-06C65003E05A}
HKCR\CLSID\{828832BC-DF17-9DFC-DEDD-06C65003E05A}\InprocServer32
HKCR\CLSID\{828832BC-DF17-9DFC-DEDD-06C65003E05A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{82cc16ff-2910-5c00-d500-be12806f6e14}
HKCR\CLSID\{82CC16FF-2910-5C00-D500-BE12806F6E14}
HKCR\CLSID\{82CC16FF-2910-5C00-D500-BE12806F6E14}\InprocServer32
HKCR\CLSID\{82CC16FF-2910-5C00-D500-BE12806F6E14}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{8b995600-8dea-24d4-f211-703f7095794c}
HKCR\CLSID\{8B995600-8DEA-24D4-F211-703F7095794C}
HKCR\CLSID\{8B995600-8DEA-24D4-F211-703F7095794C}\InprocServer32
HKCR\CLSID\{8B995600-8DEA-24D4-F211-703F7095794C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{8bbbe082-e442-09b8-00bb-9cfa00db1b22}
HKCR\CLSID\{8BBBE082-E442-09B8-00BB-9CFA00DB1B22}
HKCR\CLSID\{8BBBE082-E442-09B8-00BB-9CFA00DB1B22}\InprocServer32
HKCR\CLSID\{8BBBE082-E442-09B8-00BB-9CFA00DB1B22}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{8bcceabb-2908-e0e8-2466-9c1b08e92dbe}
HKCR\CLSID\{8BCCEABB-2908-E0E8-2466-9C1B08E92DBE}
HKCR\CLSID\{8BCCEABB-2908-E0E8-2466-9C1B08E92DBE}\InprocServer32
HKCR\CLSID\{8BCCEABB-2908-E0E8-2466-9C1B08E92DBE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{94dd6493-7bf4-c344-24ff-206a3018af0a}
HKCR\CLSID\{94DD6493-7BF4-C344-24FF-206A3018AF0A}
HKCR\CLSID\{94DD6493-7BF4-C344-24FF-206A3018AF0A}\InprocServer32
HKCR\CLSID\{94DD6493-7BF4-C344-24FF-206A3018AF0A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9d5512f0-0094-b1a4-e066-d07c40b92d38}
HKCR\CLSID\{9D5512F0-0094-B1A4-E066-D07C40B92D38}
HKCR\CLSID\{9D5512F0-0094-B1A4-E066-D07C40B92D38}\InprocServer32
HKCR\CLSID\{9D5512F0-0094-B1A4-E066-D07C40B92D38}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9dcc22e4-00ff-8b90-36cc-922d689f4a72}
HKCR\CLSID\{9DCC22E4-00FF-8B90-36CC-922D689F4A72}
HKCR\CLSID\{9DCC22E4-00FF-8B90-36CC-922D689F4A72}\InprocServer32
HKCR\CLSID\{9DCC22E4-00FF-8B90-36CC-922D689F4A72}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a6000232-00c4-41cc-fb66-1624c09a2d5a}
HKCR\CLSID\{A6000232-00C4-41CC-FB66-1624C09A2D5A}
HKCR\CLSID\{A6000232-00C4-41CC-FB66-1624C09A2D5A}\InprocServer32
HKCR\CLSID\{A6000232-00C4-41CC-FB66-1624C09A2D5A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a6665026-7b3a-8bd4-9422-84ab2033ccaa}
HKCR\CLSID\{A6665026-7B3A-8BD4-9422-84AB2033CCAA}
HKCR\CLSID\{A6665026-7B3A-8BD4-9422-84AB2033CCAA}\InprocServer32
HKCR\CLSID\{A6665026-7B3A-8BD4-9422-84AB2033CCAA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a6cca855-52c4-a600-cc55-7e00983fc31e}
HKCR\CLSID\{A6CCA855-52C4-A600-CC55-7E00983FC31E}
HKCR\CLSID\{A6CCA855-52C4-A600-CC55-7E00983FC31E}\InprocServer32
HKCR\CLSID\{A6CCA855-52C4-A600-CC55-7E00983FC31E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a855dabb-008a-a6d4-cc66-a865204d8baa}
HKCR\CLSID\{A855DABB-008A-A6D4-CC66-A865204D8BAA}
HKCR\CLSID\{A855DABB-008A-A6D4-CC66-A865204D8BAA}\InprocServer32
HKCR\CLSID\{A855DABB-008A-A6D4-CC66-A865204D8BAA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{af00b0f0-2950-7728-4a33-de24b084075a}
HKCR\CLSID\{AF00B0F0-2950-7728-4A33-DE24B084075A}
HKCR\CLSID\{AF00B0F0-2950-7728-4A33-DE24B084075A}\InprocServer32
HKCR\CLSID\{AF00B0F0-2950-7728-4A33-DE24B084075A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{af55b6f0-8d06-e7f0-d544-720930e74a9c}
HKCR\CLSID\{AF55B6F0-8D06-E7F0-D544-720930E74A9C}
HKCR\CLSID\{AF55B6F0-8D06-E7F0-D544-720930E74A9C}\InprocServer32
HKCR\CLSID\{AF55B6F0-8D06-E7F0-D544-720930E74A9C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{af662882-29cd-77a4-1b55-883fb8161b88}
HKCR\CLSID\{AF662882-29CD-77A4-1B55-883FB8161B88}
HKCR\CLSID\{AF662882-29CD-77A4-1B55-883FB8161B88}\InprocServer32
HKCR\CLSID\{AF662882-29CD-77A4-1B55-883FB8161B88}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{afffe0cd-8d02-4ad4-cc66-186578cc3664}
HKCR\CLSID\{AFFFE0CD-8D02-4AD4-CC66-186578CC3664}
HKCR\CLSID\{AFFFE0CD-8D02-4AD4-CC66-186578CC3664}\InprocServer32
HKCR\CLSID\{AFFFE0CD-8D02-4AD4-CC66-186578CC3664}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{b1114205-0079-e974-9d88-6a6570241b00}
HKCR\CLSID\{B1114205-0079-E974-9D88-6A6570241B00}
HKCR\CLSID\{B1114205-0079-E974-9D88-6A6570241B00}\InprocServer32
HKCR\CLSID\{B1114205-0079-E974-9D88-6A6570241B00}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{b1227ebb-8dcd-07a4-2466-a24138a6e0be}
HKCR\CLSID\{B1227EBB-8DCD-07A4-2466-A24138A6E0BE}
HKCR\CLSID\{B1227EBB-8DCD-07A4-2466-A24138A6E0BE}\InprocServer32
HKCR\CLSID\{B1227EBB-8DCD-07A4-2466-A24138A6E0BE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{b155ea93-0086-8b3c-8bdd-9ce3106a4ad6}
HKCR\CLSID\{B155EA93-0086-8B3C-8BDD-9CE3106A4AD6}
HKCR\CLSID\{B155EA93-0086-8B3C-8BDD-9CE3106A4AD6}\InprocServer32
HKCR\CLSID\{B155EA93-0086-8B3C-8BDD-9CE3106A4AD6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{b1cc84b1-8ded-4a3c-a677-5ecfc8c3de88}
HKCR\CLSID\{B1CC84B1-8DED-4A3C-A677-5ECFC8C3DE88}
HKCR\CLSID\{B1CC84B1-8DED-4A3C-A677-5ECFC8C3DE88}\InprocServer32
HKCR\CLSID\{B1CC84B1-8DED-4A3C-A677-5ECFC8C3DE88}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{baaa6294-e432-1b14-36dd-8e244848b172}
HKCR\CLSID\{BAAA6294-E432-1B14-36DD-8E244848B172}
HKCR\CLSID\{BAAA6294-E432-1B14-36DD-8E244848B172}\InprocServer32
HKCR\CLSID\{BAAA6294-E432-1B14-36DD-8E244848B172}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{c3331a5a-002c-1b60-f299-82cfb893360a}
HKCR\CLSID\{C3331A5A-002C-1B60-F299-82CFB893360A}
HKCR\CLSID\{C3331A5A-002C-1B60-F299-82CFB893360A}\InprocServer32
HKCR\CLSID\{C3331A5A-002C-1B60-F299-82CFB893360A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{c399ba76-8dd3-e028-ccff-5a3f8800de0a}
HKCR\CLSID\{C399BA76-8DD3-E028-CCFF-5A3F8800DE0A}
HKCR\CLSID\{C399BA76-8DD3-E028-CCFF-5A3F8800DE0A}\InprocServer32
HKCR\CLSID\{C399BA76-8DD3-E028-CCFF-5A3F8800DE0A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{c3aa5abb-e40f-ba60-5c33-0c3f40c30036}
HKCR\CLSID\{C3AA5ABB-E40F-BA60-5C33-0C3F40C30036}
HKCR\CLSID\{C3AA5ABB-E40F-BA60-5C33-0C3F40C30036}\InprocServer32
HKCR\CLSID\{C3AA5ABB-E40F-BA60-5C33-0C3F40C30036}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{cc22fcf0-00c4-e974-cc0f-9e5888b2de4c}
HKCR\CLSID\{CC22FCF0-00C4-E974-CC0F-9E5888B2DE4C}
HKCR\CLSID\{CC22FCF0-00C4-E974-CC0F-9E5888B2DE4C}\InprocServer32
HKCR\CLSID\{CC22FCF0-00C4-E974-CC0F-9E5888B2DE4C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{cc883e4e-004d-cc9c-3633-167cf8fa0950}
HKCR\CLSID\{CC883E4E-004D-CC9C-3633-167CF8FA0950}
HKCR\CLSID\{CC883E4E-004D-CC9C-3633-167CF8FA0950}\InprocServer32
HKCR\CLSID\{CC883E4E-004D-CC9C-3633-167CF8FA0950}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{d5559876-8d8f-7090-fb88-228e60f38214}
HKCR\CLSID\{D5559876-8D8F-7090-FB88-228E60F38214}
HKCR\CLSID\{D5559876-8D8F-7090-FB88-228E60F38214}\InprocServer32
HKCR\CLSID\{D5559876-8D8F-7090-FB88-228E60F38214}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{d5aa9293-7be3-ba28-1200-a81b983aa800}
HKCR\CLSID\{D5AA9293-7BE3-BA28-1200-A81B983AA800}
HKCR\CLSID\{D5AA9293-7BE3-BA28-1200-A81B983AA800}\InprocServer32
HKCR\CLSID\{D5AA9293-7BE3-BA28-1200-A81B983AA800}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{de558c26-e4dc-3fe8-6588-648e20465cbe}
HKCR\CLSID\{DE558C26-E4DC-3FE8-6588-648E20465CBE}
HKCR\CLSID\{DE558C26-E4DC-3FE8-6588-648E20465CBE}\InprocServer32
HKCR\CLSID\{DE558C26-E4DC-3FE8-6588-648E20465CBE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{de88c42d-00e6-4a28-e7aa-4653d07b0014}
HKCR\CLSID\{DE88C42D-00E6-4A28-E7AA-4653D07B0014}
HKCR\CLSID\{DE88C42D-00E6-4A28-E7AA-4653D07B0014}\InprocServer32
HKCR\CLSID\{DE88C42D-00E6-4A28-E7AA-4653D07B0014}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e000d29e-29e8-c300-09aa-747c88c5d550}
HKCR\CLSID\{E000D29E-29E8-C300-09AA-747C88C5D550}
HKCR\CLSID\{E000D29E-29E8-C300-09AA-747C88C5D550}\InprocServer32
HKCR\CLSID\{E000D29E-29E8-C300-09AA-747C88C5D550}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e055822d-29c3-65b8-1baa-3690c8006e4c}
HKCR\CLSID\{E055822D-29C3-65B8-1BAA-3690C8006E4C}
HKCR\CLSID\{E055822D-29C3-65B8-1BAA-3690C8006E4C}\InprocServer32
HKCR\CLSID\{E055822D-29C3-65B8-1BAA-3690C8006E4C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e7449094-7bfc-4a58-e766-1065f84d6e9c}
HKCR\CLSID\{E7449094-7BFC-4A58-E766-1065F84D6E9C}
HKCR\CLSID\{E7449094-7BFC-4A58-E766-1065F84D6E9C}\InprocServer32
HKCR\CLSID\{E7449094-7BFC-4A58-E766-1065F84D6E9C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e9449caf-8da4-6e90-f2bb-acd108b97900}
HKCR\CLSID\{E9449CAF-8DA4-6E90-F2BB-ACD108B97900}
HKCR\CLSID\{E9449CAF-8DA4-6E90-F2BB-ACD108B97900}\InprocServer32
HKCR\CLSID\{E9449CAF-8DA4-6E90-F2BB-ACD108B97900}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e9770cd7-2996-e7cc-a677-de7780b7af14}
HKCR\CLSID\{E9770CD7-2996-E7CC-A677-DE7780B7AF14}
HKCR\CLSID\{E9770CD7-2996-E7CC-A677-DE7780B7AF14}\InprocServer32
HKCR\CLSID\{E9770CD7-2996-E7CC-A677-DE7780B7AF14}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e9aaa043-52ee-a8c0-e000-e858787b12f0}
HKCR\CLSID\{E9AAA043-52EE-A8C0-E000-E858787B12F0}
HKCR\CLSID\{E9AAA043-52EE-A8C0-E000-E858787B12F0}\InprocServer32
HKCR\CLSID\{E9AAA043-52EE-A8C0-E000-E858787B12F0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{f2553c93-e4aa-fb90-e099-e6d188591bd8}
HKCR\CLSID\{F2553C93-E4AA-FB90-E099-E6D188591BD8}
HKCR\CLSID\{F2553C93-E4AA-FB90-E099-E6D188591BD8}\InprocServer32
HKCR\CLSID\{F2553C93-E4AA-FB90-E099-E6D188591BD8}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{f2663c6b-7b4c-e974-82dd-7ee300226efa}
HKCR\CLSID\{F2663C6B-7B4C-E974-82DD-7EE300226EFA}
HKCR\CLSID\{F2663C6B-7B4C-E974-82DD-7EE300226EFA}\InprocServer32
HKCR\CLSID\{F2663C6B-7B4C-E974-82DD-7EE300226EFA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{fbaa2494-2983-65c0-1244-6ae39084d5ec}
HKCR\CLSID\{FBAA2494-2983-65C0-1244-6AE39084D5EC}
HKCR\CLSID\{FBAA2494-2983-65C0-1244-6AE39084D5EC}\InprocServer32
HKCR\CLSID\{FBAA2494-2983-65C0-1244-6AE39084D5EC}\InprocServer32#ThreadingModel

Adware.Avenue Media/Internet Optimizer
HKCR\DyFuCA_BH_Bucket.Bucket
HKCR\DyFuCA_BH_Bucket.Bucket\CLSID
HKCR\DyFuCA_BH_Bucket.Bucket\CurVer
HKCR\DyFuCA_BH_Bucket.Bucket.1
HKCR\DyFuCA_BH_Bucket.Bucket.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TContext
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TContext#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TContext#UninstallString
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\PNMFDKA7\TCT101[1].DLL
C:\HIJACKTHIS\BACKUPS\BACKUP-20070525-074559-574.DLL

Unclassified.SpywareBot (Not A Threat)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#spywarebot [ C:\Program Files\SpywareBot\SpywareBot.exe -boot ]

Adware.Avenue Media
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\3D86JZOY\OPTIMIZE314[1].EXE
C:\PROGRAM FILES\OKCVWC\XIYIR.EXE
C:\WINDOWS\Prefetch\XIYIR.EXE-2891861C.pf

Unclassified.Unknown Origin/System
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZKEPW6I9\COMRADE[1].EXE

Trojan.Downloader-Gen/RetAd
C:\RECYCLER\S-1-5-21-1123432360-1203752577-514352727-1006\DC1.EXE

Unclassified.Unknown Origin
C:\WINDOWS\CDMDOWNLD\KBPWOEUWTM.EXE

Trojan.NewDotNet
C:\WINDOWS\NDNUNINSTALL5_40.EXE
C:\WINDOWS\NDNUNINSTALL5_48.EXE
C:\WINDOWS\NDNUNINSTALL5_64.EXE

#7 waterfalls
Malware Exorcist
Posted 25 May 2007 - 03:10 PM

Hi -

Avast is okay, but don't install it yet. The installer/uninstaller for Active Virus Shield keeps running. As far as EZArmor, you may have to go to CA's website to find out how to get EZArmor completely off of your computer.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\Lynn\Desktop\avs.msi"
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

Reboot your computer.

I would also like you to do the following:
  • Please click Start > Run > and type Regedit
  • Click OK and wait for the Registry Editor to open
  • Now, please click on File and then Export
  • This will bring up the Export Registry File window
  • At the bottom of which you will see an option for Export range
  • Click the option for Selected branch and in the field underneath that, copy and paste:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Enter a file name of RunOnce and save the file to your Desktop
  • Now go to your Desktop, right-click on the file you have created, select Open With and choose Notepad.
  • Now please copy the contents of that file in your next reply.
Next, download OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\System32\htmlfwgfw.dll
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C (or right-click and choose Copy), then paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post back with the RunOnce registry export; the log from OTMoveIt!; and a new HijackThis log.
Take only memories, leave nothing but footprints.

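The items a helper asks the poster to check in HijackThis are chosen from the log by a few recurring signals: a service or autostart whose target file is missing, a service with no publisher ("Unknown owner"), a RunOnce value, or an executable living under a user profile, temp or RECYCLER path. The following script is an added example written for this page; it is not part of the thread and is not HijackThis's own logic. It parses HijackThis v1.99-style lines and applies those heuristics. The sample lines are constructed from the shape of the logs posted above, and the list of reasons is the editor's assumption about what a triager looks for first.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread).

Heuristics here are assumptions about what a malware-removal helper flags first;
they are not HijackThis's internal rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    """One HijackThis line: section code (O4, O23, ...), raw text, and flag reasons."""
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


# Section prefixes HijackThis emits: R0-R3, F0-F3, N1-N4, O1-O24.
SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# RunOnce values execute once at the next logon and are removed afterwards.
RUNONCE_RE = re.compile(r"\\RunOnce:", re.I)
# Autostarts or services living under a profile, temp or recycler path are unusual.
USER_PATH_RE = re.compile(
    r"(Documents and Settings\\[^\\]+\\(Desktop|Local Settings|Application Data)"
    r"|\\Temp\\|\\RECYCLER\\)",
    re.I,
)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, or None for headers/process lists."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    return Entry(section=m.group(1), line=line.strip())


def triage(entry: Entry) -> Entry:
    """Attach human-readable reasons to an entry; an empty list means nothing to flag."""
    text = entry.line
    if "(file missing)" in text:
        entry.reasons.append("target file missing: orphaned autostart or service")
    if entry.section == "O23" and "Unknown owner" in text:
        entry.reasons.append("service binary carries no publisher")
    if entry.section == "O4" and RUNONCE_RE.search(text):
        entry.reasons.append("RunOnce entry: runs once at next logon, then is removed")
    if USER_PATH_RE.search(text):
        entry.reasons.append("executes from a user profile, temp or recycler path")
    return entry


def flagged(lines) -> List[Entry]:
    """Parse and triage every line; return only entries with at least one reason."""
    out = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        triage(entry)
        if entry.reasons:
            out.append(entry)
    return out


# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = [
    r"Logfile of HijackThis v1.99.1",
    r"O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe",
    r'O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\Lynn\Desktop\avs.msi"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)",
    r"O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE",
]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.line)
        for r in e.reasons:
            print("   ->", r)
```

Run on the sample, it reports exactly the two lines the helper above asked to be fixed (the avs.msi RunOnce value and the orphaned AIM service) and leaves the QuickTime, ctfmon and Creative entries alone. A flag is a reason to look, not proof of malware: a RunOnce left by a legitimate installer, as the Active Virus Shield one here may be, needs the poster's context before it is removed.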

#8 sandbar
Topic Starter

Posted 25 May 2007 - 08:54 PM

I managed to get rid of eTrust EZArmor. Went to regedit and deleted everything referring to it. Was then able to install ActiveVirusShield. Ran the scan and it cleaned out a bunch.

I think we're getting close. The system seems to be running OK but seems to take a long time to boot. I can hear the disk thrashing and the little busy icon (snare drum) stays there quite a while.

As for the latest suggestions:

Step 1 - O4 - HKLM\..\RunOnce..... not in the HijackThis scan
O23 - Service....... is in the list but refuses to go away. I check it, click Fix checked and get a prompt about delete OR repair. Should it delete it? Run the scan again and it's still there.

Step 2 - The RunOnce.reg file I created is 2,875 KB. Do you really want it?

Step 3 - The file htmlfwgfw.dll doesn't exist. Here's the OTMoveIt log

File/Folder C:\WINDOWS\System32\htmlfwgfw.dll not found.

Created on 05/25/2007 20:37:28

Here's the HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:40:19 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

#9 waterfalls


Posted 25 May 2007 - 11:08 PM

Hi -

Great job! :thumbsup: I don't need the RunOnce export because it's no longer an issue. You can delete the RunOnce fix.reg file on your Desktop. Also, now you see why I recommended ActiveVirusShield. Kaspersky AV 6 is ranked Number #1. ActiveVirusShield is deemed to be the "free Kaspersky" since it uses Kaspersky's engine and, therefore, is tied with Kaspersky AV 6 for the Number #1 rating. Thus, I knew that it would find and delete "a bunch" of items. Also, I'm glad to hear that htmlfwgfw.dll is gone.

Now, just a few more things to do...

• Go to Start > Run > type cmd > make sure that you're at just the C:\ prompt, i.e., if it starts at Documents and Settings, type cd\ to get to C:\
- Type this bold print: sc delete AIM > click OK

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab


The following are unnecessary to start at bootup. Since you have quite a few of them, fixing them might speed up your bootup.

What the files do in the following "optional" fixes:
WksSB.exe - relating to Portfolio Tool which allows you to organize files and images. Start it up when you want to.
WkUFind.exe - checks for updates to MS Works. Check for updates manually when you want to
DirectCD.exe - allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis it isn't required and is available via Start -> Programs.
Updreg.exe - reminder to register Creative Labs SoundBlaster Live! cards
AHQInit.exe - part of AudioHQ for the Soundblaster Live!. Appears as though it makes the AudioHW toolbar drop down from the top of the desktop and isn't required.
Wkfud.exe - a marketing program for MS Works
DIAGENT.EXE - System Tray access for Creative Diagnostics for the Creative SoundBlaster series soundcards. Available via Start -> Programs
Money Express.exe - Part of MS Money. Available via Start -> Programs

So, check the following as well:
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

• Reboot your computer.

If you ever decide that you want to have any of the above begin at bootup, all you have to do is:
- Open HijackThis
- Click "View the list of backups"
- Click the item you wish to restore
- Click "Restore"

• I see no software Firewall program present on your system. This will greatly help in preventing your system from being infected by malware. Please install a Firewall program because you really do need one.
Comodo -or- Jetico are good FREE software Firewall programs and are the two top programs in the ratings.
See, Understanding and Using Firewalls

• When finished with the above steps, post back with a new HijackThis log. Let me know if the "optional" fixes helped with speeding up your bootup.

Edited by waterfalls, 25 May 2007 - 11:11 PM.

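A small parser for the HijackThis log format posted above, written as an added example (not part of the thread and not HijackThis code): it pulls out the O4 registry startup entries for review and flags the kinds of lines waterfalls singled out, a service whose binary is missing (the candidate for the `sc delete` step), an O16 control with no download URL, and an O8 context menu item that loads a remote site. The sample log is constructed from a few lines of the posted logs.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample built from lines of the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
"""


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "O4", "O16", "O23"
    body: str  # everything after "Oxx - "


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    detail: str


# Every HijackThis item line starts with a section code, e.g. "R1 - ", "O23 - ".
_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry form: HKLM\..\Run: [Name] command line
_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Return the item lines of a log as Entry objects; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def service_short_name(body):
    """Short service name from an O23 body: the '(AIM)' in 'Service: AOL Instant Messanger (AIM) - ...'.
    Falls back to the display name when HijackThis prints no separate short name."""
    display = body.split(" - ", 1)[0]
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display[len("Service: "):]


def startup_entries(entries):
    """(hive, name, command) for each O4 registry Run entry, the list to review for bootup trimming."""
    out = []
    for e in entries:
        m = _RUN.match(e.body) if e.code == "O4" else None
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out


def review(entries):
    """Flag lines worth a closer look. Note: '(file missing)' can also be a quoting artifact
    (the thread's avp.exe line has an unbalanced quote), so confirm on disk before acting."""
    findings = []
    for e in entries:
        if e.code == "O23" and e.body.endswith("(file missing)"):
            findings.append(Finding(e.code, "service registered for a binary that is not present",
                                    service_short_name(e.body)))
        elif e.code == "O16" and e.body.rstrip().endswith("-"):
            findings.append(Finding(e.code, "downloaded ActiveX control with no source URL", e.body))
        elif e.code == "O8" and re.search(r"https?://", e.body, re.IGNORECASE):
            findings.append(Finding(e.code, "context menu item loads a remote URL", e.body))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hive, name, cmd in startup_entries(parsed):
        print(f"startup  {hive}  [{name}]  {cmd}")
    for f in review(parsed):
        print(f"{f.code}: {f.reason}: {f.detail}")
```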

#10 sandbar


Posted 26 May 2007 - 10:12 AM

I installed COMODO.

At boot it gets the desktop up, icons and all but I still hear the HD thrashing and the desktop icon alternates between idle hand pointer, snare drum and metronome ( that's a word you use often - probably spelled it wrong ). During this period even <CNTL><ALT><DEL> take a long time to bring up task manager. Task Mgr shows avp.exe active. After a couple minutes a SuperAntiSpyware window pops up. I did get a message from Active Virus Shield that there has not been a full system scan and suggesting I do one ASAP. Already did one but I'll do it again anyway.

With COMODO and Active Virus Shield running do I still need SuperAntiSpyware ?

Thanks again for the help.

Logfile of HijackThis v1.99.1
Scan saved at 9:55:29 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\Blubster\WeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

#11 waterfalls


Posted 26 May 2007 - 03:57 PM

Hi -

You've got a leftover from CA.

Start HijackThis, click System Scan Only and place a checkmark next to the following item:
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control)

Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

Reboot your computer.

Regarding your pointer, you're going to have to go into Control Panel, click Mouse and review your settings. You might want to set it to Windows Default to see if that helps. Make sure you click Apply if you make any changes.

Regarding the speed of your hard drive, that could be a lot of things. Have you defragged your hard drive recently? Also, each hard drive manufacturer has a diagnostic utility on its website that you can download onto a diskette to check your hard drive. Lastly, it could be a memory issue.

You might also want to download and run CCleaner. That empties a lot of temp files off of your system.
CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Regarding Superantispyware, you can uninstall it if you want to, although it's a good idea to have at least one antispyware app on your computer. When Superantispyware loads, it usually places an icon in the bottom right tray that looks like a bug. You can right-click onto it and click Exit since the free version doesn't support the guard.

Your log looks clean.

Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start > All Programs > Accessories > System Tools > System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

Install IE-SPYAD. It puts over 20,000 sites in your restricted zone, so you will be protected when you visit innocent-looking sites that are not actually innocent at all.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-virus and anti-spyware scanners scan frequently and don't forget to update before scanning.

Make sure your Windows has the latest updates by going here.

More information on how to prevent malware can be found at So how did I get infected in the first place? (by Tony Klein) and Malware Prevention: Prevent Re-infection.

Happy surfing again! :thumbsup:

#12 sandbar


Posted 28 May 2007 - 10:24 AM

All's well that ends well!

Noticed the dumb machine only had 128M memory, no wonder it seemed slow. Add another 128 and it's much better.

One last issue: When I tried to create the new restore point I hit a snag. Under Start-Accessories-System Tools all the machine has is "Internet Explorer" and "Security Center". Other than that the machine is running great. My daughter even noticed the faster response.

Thanks again and if you're ever in Pensacola, FL drop me a note and I'll buy you a beer or three. Bob Ritter

~* MOD EDIT: email removed to protect the user from spambots and other internet threats - rigel *~

Edited by rigel, 28 May 2007 - 02:42 PM.


#13 waterfalls


Posted 28 May 2007 - 02:41 PM

Hi -

Thanks - I'll keep it in mind. :thumbsup:

Regarding the memory, 128 megs of RAM is definitely insufficient to run XP SP2. Now that you have 256 megs, that amount is okay. When you can, though, you should increase it to 512 megs.

Edit: Regarding the problem you had with flushing/creating a Restore Point, try the following.

Create a new Restore Point and delete the old Restore Points:
- Click Start Menu > Run > type: %SystemRoot%\System32\restore\rstrui.exe > Click OK
- Choose Create a Restore Point then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.
- Next, go to Start Menu > Run > type: cleanmgr > Click OK
- Disk Cleanup will open and start calculating the amount of space that can be freed. Once that is finished, it will open the Disk Cleanup options screen.
- Click the More Options tab, then click Clean up on the system restore area.
- Choose Yes at the confirmation window which will remove all the restore points except the one we just created.
- To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK then choose Yes on the confirmation window.

Edited by waterfalls, 28 May 2007 - 02:52 PM.


#14 waterfalls


Posted 14 June 2007 - 02:56 AM

Since this issue appears resolved ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.