
Big-time PC Issues



Miopip
2007-02-18, 21:32
Hi, I'm new to these forums but it looks like they're very helpful so I'm very optimistic that someone can help. Since yesterday I've been having some popups rear their ugly heads. It seems to be getting worse today. I ran a full system scan with Symantec and a whole host of trojans and the like were quarantined. I ran HijackThis but can't seem to get a logfile to be created (whether I downloaded from download.com or merijn.org, same result). In doing some research I found that I should delete a VSAdd-in. But using Add/Remove Programs, nothing happens when I try to remove it. My PC (Windows 2000 Pro OS) seems to be running slower and slower and I'm getting more and more pop-ups. How can I clean up this mess? It all seemed to begin yesterday when my wife clicked on a link from cnn.com that supposedly had pics of Britney Spears with her head shaved!

please let me know what other info I should provide to facilitate help.

Help!

-Miopip

Miopip
2007-02-18, 21:45
Here is some more info. When I ran the 'full scan' on Symantec I got the following 9 items quarantined. But now my system is running slower since the scan AND I get more popups.

Winfixer- filename: winantiviruspro2006freeinstall(1).cab
Downloader- filename: svchost.exe
Trojan.vundo- rwfnqend.exe
Infostealer- biwhcvgh.dll
W32.spybot.worm- tots3o.exe
W32.spybot.worm- s1stfu.exe
Trojan.vundo- VSAdd-in.dll
W32.spybot.worm- qtask.exe
W32.spybot.worm- mixers.exe

Mr_JAk3
2007-02-19, 16:58
Hi Miopip and welcome to the Forums :)

Sounds like you're badly infected.

Let's try this: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Then rename HijackThis.exe to Scanner.exe
Run Scanner.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


:bigthumb:

Miopip
2007-02-20, 03:26
Thanks for the welcoming Mr_JAk3.

Here is my HijackThis log. As you suggested I did not fix anything yet.

One other thing... I have the VSAdd-in, which I can't remove via Add/Remove Programs, and a page I saved as a Favorite yesterday now doesn't have the IE logo next to it but rather a 'V' logo, part of the whole VSAdd-in thing.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:06 PM, on 2/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sr009rd/opsreporter/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {279188B7-747B-4F57-9B54-EE1ED5630AAA} - C:\WINNT\system32\jkhfd.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\WINNT\system32\awtqrro.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\ujnavfls.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://sr009rd/opsreporter/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: awtqrro - C:\WINNT\SYSTEM32\awtqrro.dll
O20 - Winlogon Notify: cbxxxus - C:\WINNT\SYSTEM32\cbxxxus.dll
O20 - Winlogon Notify: jkhfd - C:\WINNT\system32\jkhfd.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-02-20, 10:26
OK you're infected...

We'll begin the cleaning :)

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log (scanner.exe).

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Miopip
2007-02-21, 03:02
Ok, let's get this PC clean! Many thanks in advance for your help...

Here is the VundoFix log. I got the reboot message but over that I did have a Registry Editor window with the following message: 'Cannot import C:\\VundoFix.reg: Error opening the file. There may be a disk or file system error.' I closed that window and clicked OK on reboot.

Anyway, here's the VundoFix log:

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 6:29:00 PM 2/20/2007

Listing files found while scanning....

C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINNT\system32\awtqrro.dll
C:\WINNT\system32\awtsqrq.dll
C:\WINNT\system32\cbxxxus.dll
C:\WINNT\system32\dfhkj.bak1
C:\WINNT\system32\dfhkj.bak2
C:\WINNT\system32\dfhkj.ini
C:\WINNT\system32\dfhkj.ini2
C:\WINNT\system32\dfhkj.tmp
C:\WINNT\system32\jkhfd.dll
C:\WINNT\system32\ujnavfls.dll
C:\WINNT\system32\wvuvsrr.dll

Beginning removal...

Attempting to delete C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\WINNT\system32\awtqrro.dll
C:\WINNT\system32\awtqrro.dll Has been deleted!

Attempting to delete C:\WINNT\system32\awtsqrq.dll
C:\WINNT\system32\awtsqrq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\cbxxxus.dll
C:\WINNT\system32\cbxxxus.dll Has been deleted!

Attempting to delete C:\WINNT\system32\dfhkj.bak1
C:\WINNT\system32\dfhkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\dfhkj.bak2
C:\WINNT\system32\dfhkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\dfhkj.ini
C:\WINNT\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\dfhkj.ini2
C:\WINNT\system32\dfhkj.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\dfhkj.tmp
C:\WINNT\system32\dfhkj.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\jkhfd.dll
C:\WINNT\system32\jkhfd.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ujnavfls.dll
C:\WINNT\system32\ujnavfls.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wvuvsrr.dll
C:\WINNT\system32\wvuvsrr.dll Has been deleted!

Performing Repairs to the registry.
Done!


And here are the results of HijackThis scan run after VundoFix.exe was run:
Logfile of HijackThis v1.99.1
Scan saved at 8:05:03 PM, on 2/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sr009rd/opsreporter/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {873E6CE5-4F6A-4C4A-B918-A2352F2EC6BB} - C:\WINNT\system32\jkhfd.dll (file missing)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\WINNT\system32\awtqrro.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\ujnavfls.dll (file missing)
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://sr009rd/opsreporter/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

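The VundoFix log above lists C:\Program Files\VSAdd-in\VSAdd-in.dll among the files found, but the removal section shows no "Attempting to delete" line for it, which is the kind of gap that is easy to miss when reading a long log by eye. The following Python script is an added example (not part of this thread and not VundoFix's own code): it parses the log's "Listing files found" and "Beginning removal" sections and reconciles the three sets (listed, attempted, confirmed deleted). The sample log is a constructed, abridged copy of the one posted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: abridged from the VundoFix V6.3.9 log posted in this thread.
# VSAdd-in.dll is listed as found but never appears in the removal section.
SAMPLE_VUNDOFIX_LOG = r"""VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 6:29:00 PM 2/20/2007

Listing files found while scanning....

C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINNT\system32\awtqrro.dll
C:\WINNT\system32\jkhfd.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\awtqrro.dll
C:\WINNT\system32\awtqrro.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jkhfd.dll
C:\WINNT\system32\jkhfd.dll Has been deleted!

Performing Repairs to the registry.
Done!
"""

ATTEMPT_PREFIX = "Attempting to delete "
DELETED_SUFFIX = " Has been deleted!"


def parse_vundofix(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Split a VundoFix log into (files listed, deletions attempted, deletions confirmed)."""
    listed, attempted, deleted = [], [], []
    section = None  # None -> "listing" -> "removal" -> "done"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Listing files found"):
            section = "listing"
            continue
        if line.startswith("Beginning removal"):
            section = "removal"
            continue
        if line.startswith("Performing Repairs"):
            section = "done"
            continue
        if section == "listing":
            listed.append(line)
        elif section == "removal":
            if line.startswith(ATTEMPT_PREFIX):
                attempted.append(line[len(ATTEMPT_PREFIX):])
            elif line.endswith(DELETED_SUFFIX):
                deleted.append(line[:-len(DELETED_SUFFIX)])
    return listed, attempted, deleted


def reconcile(text: str) -> Dict[str, object]:
    """Report files the tool found but never tried to delete, and attempts without confirmation."""
    listed, attempted, deleted = parse_vundofix(text)
    # Windows paths are case-insensitive, so compare in lower case.
    attempted_set = {p.lower() for p in attempted}
    deleted_set = {p.lower() for p in deleted}
    not_attempted = [p for p in listed if p.lower() not in attempted_set]
    failed = [p for p in attempted if p.lower() not in deleted_set]
    return {
        "listed": len(listed),
        "deleted": len(deleted),
        "not_attempted": not_attempted,  # still on disk (or quarantined elsewhere): follow up
        "failed": failed,                # attempted but no "Has been deleted!" confirmation
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_VUNDOFIX_LOG)
    print(f"listed {result['listed']}, confirmed deleted {result['deleted']}")
    for path in result["not_attempted"]:
        print("found but no deletion attempt:", path)
    for path in result["failed"]:
        print("deletion attempted but not confirmed:", path)
```

On the sample log the script reports one file found with no deletion attempt (the VSAdd-in DLL) and no failed attempts; anything in either list is what a helper would want to see in the next HijackThis log or clean up by hand.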
Mr_JAk3
2007-02-21, 10:13
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sr009rd/opsreporter/
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {873E6CE5-4F6A-4C4A-B918-A2352F2EC6BB} - C:\WINNT\system32\jkhfd.dll (file missing)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\WINNT\system32\awtqrro.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINNT\system32\ujnavfls.dll (file missing)
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://sr009rd/opsreporter/

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINNT\downloaded program files\CnsHook.dll
C:\WINNT\downloaded program files\CnsMin.dll
C:\WINNT\downloaded program files\ Any other files that begin with Cns

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

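The fix list in the post above is the result of reading a HijackThis log line by line and picking out three kinds of entry: references that end in "(file missing)" (registry entries left behind after VundoFix deleted the DLLs), O2 browser helper objects registered with "(no name)", and the 3721/CnsMin adware entries. The following Python script is an added example (not part of this thread and not HijackThis's own code) that parses the log format shown in the two logs above and applies those same three rules. The sample log is a constructed subset of the post-VundoFix log; the watch-list substrings and the triage rules are this example's assumptions, chosen to match what the helper flagged here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in this thread
# (the log taken after VundoFix ran), embedded here so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:05:03 PM, on 2/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {873E6CE5-4F6A-4C4A-B918-A2352F2EC6BB} - C:\WINNT\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\WINNT\system32\awtqrro.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One HijackThis entry line: a section code (R0, O2, O20, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Watch list: substrings taken from the entries the helper asked to have fixed in this
# thread (the 3721 / CnsMin adware). The list is an assumption of this example.
WATCH_LIST = ("3721.com", "Cns")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    file_missing: bool
    unnamed: bool


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            code=code,
            body=body,
            clsid=clsid.group(0) if clsid else None,
            file_missing=body.endswith("(file missing)"),
            unnamed="(no name)" in body,
        ))
    return entries


def triage(entries: List[Entry], watch_list=WATCH_LIST) -> List[Tuple[str, str, List[str]]]:
    """Flag entries a helper would list for fixing, with the reason for each."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            # The registry still points at a file that is gone: what a removal tool
            # leaves behind, and the cause of the "(file missing)" lines in the thread.
            reasons.append("orphaned reference: file no longer on disk")
        if e.code == "O2" and e.unnamed:
            reasons.append("browser helper object registered without a name")
        hits = [w for w in watch_list if w in e.body]
        if hits:
            reasons.append("matches watch list: " + ", ".join(hits))
        if reasons:
            findings.append((e.code, e.body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {body}\n    -> " + "; ".join(reasons))
```

Run against the sample, the script flags the same five entries the helper listed (the R3 hook, the two orphaned unnamed BHOs, the CnsMin Run key and the 3721 button) and leaves the Symantec, Adobe and Yahoo entries alone. The "(file missing)" rule is the one worth keeping in mind after any removal tool: the file being gone does not mean the load point is gone, which is why a fresh log is requested after each step.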
Miopip
2007-02-22, 09:21
Ok, I followed all steps you outlined. I did not find any files beginning with CNS in My Computer when started in Safe Mode. There were a handful of files that had status set to 'unknown' and file names were a series of numbers and letters but didn't have CNS. I didn't delete these.

Here is the AVG report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:04:39 AM 2/22/2007

+ Scan result:



D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\3721\alliveex.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\3721\scrblock.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CnsMinAL.cab/AutoLive.dll/helper.dll -> Adware.Cnshel : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\Assist -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\Assist\Modules -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\AutoLive -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\AutoLive\scrblock -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMin\CnsMinEx -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsHelper.CH -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsHelper.CH.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsHelper.CH\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsHelper.CH\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\InterChina -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\InterChina\Chin@ddress -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\List -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Menu -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Reset -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\3721 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\3721\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\3721\CnsUrl -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\3721\InputCns -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\AutoLive -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\AutoLive\UserCatch -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\CnsMin\Variant -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\CnsUrl -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-267729164-597128604-668086641-500\Software\3721\InputCns -> Adware.CnsMin : Cleaned with backup (quarantined).
C:\Program Files\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
C:\Program Files\Hotbar\bin -> Adware.HotBar : Cleaned with backup (quarantined).
C:\Program Files\Hotbar\hotbar.log -> Adware.HotBar : Cleaned with backup (quarantined).
D:\Documents and Settings\default\Local Settings\Temp\MiniBug.exe -> Adware.SuspectModule : Cleaned with backup (quarantined).
C:\WINNT\Temp\45DB94D1.qsp -> Backdoor.Rbot.bwb : Cleaned with backup (quarantined).
C:\WINNT\system32\winsystem16.exe -> Backdoor.SdBot.bdy : Cleaned with backup (quarantined).
C:\WINNT\system32\xCmdSvc.exe -> Not-A-Virus.RemoteAdmin.Win32.RemoteExec : Cleaned with backup (quarantined).
D:\Documents and Settings\default\Cookies\default@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@microsofteup.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[10].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[4].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[5].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[6].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[7].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@2o7[8].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cbs.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cnn.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cnn.122.2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@cratebarrel.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@dealnews.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@giftscom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@kohler.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@marthastewart.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@microsofteup.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@njmvc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@registercom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@sungarddatasystemsinc.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Local Settings\Temp\Cookies\default@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\default\Cookies\default@ad-flow[2].txt -> TrackingCookie.Ad-flow : Cleaned.
D:\Documents and Settings\default\Cookies\default@ad-logics[1].txt -> TrackingCookie.Ad-logics : Cleaned.
D:\Documents and Settings\default\Cookies\default@pmg.ad-logics[1].txt -> TrackingCookie.Ad-logics : Cleaned.
D:\Documents and Settings\default\Cookies\default@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@addynamix[3].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.addynamix[3].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.addynamix[4].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\default\Cookies\default@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
D:\Documents and Settings\default\Cookies\default@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
D:\Documents and Settings\default\Cookies\default@admarketplace[3].txt -> TrackingCookie.Admarketplace : Cleaned.
D:\Documents and Settings\default\Cookies\default@admonitor[2].txt -> TrackingCookie.Admonitor : Cleaned.
D:\Documents and Settings\default\Cookies\default@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned.
D:\Documents and Settings\default\Cookies\default@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
D:\Documents and Settings\default\Cookies\default@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
D:\Documents and Settings\default\Cookies\default@adserv4.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned.
D:\Documents and Settings\default\Cookies\default@dynaserv.ads360[2].txt -> TrackingCookie.Ads360 : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@z1.adserver[3].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@z1.adserver[5].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[10].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[3].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[4].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[5].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[6].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[7].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@z1.adserver[8].txt -> TrackingCookie.Adserver : Cleaned.
D:\Documents and Settings\default\Cookies\default@adservingcentral[1].txt -> TrackingCookie.Adservingcentral : Cleaned.
D:\Documents and Settings\default\Cookies\default@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
D:\Documents and Settings\default\Cookies\default@adtech[3].txt -> TrackingCookie.Adtech : Cleaned.
D:\Documents and Settings\default\Cookies\default@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.

Rest of AVG report in next post due to text length restrictions...

Miopip
2007-02-22, 09:26
AVG report continued from previous post...

D:\Documents and Settings\default\Cookies\default@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@rd.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@servedby.advertising[4].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\default\Cookies\default@adviva[1].txt -> TrackingCookie.Adviva : Cleaned.
D:\Documents and Settings\default\Cookies\default@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\default\Cookies\default@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\default\Cookies\default@atdmt[4].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\default\Cookies\default@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
D:\Documents and Settings\default\Cookies\default@bfast[3].txt -> TrackingCookie.Bfast : Cleaned.
D:\Documents and Settings\default\Cookies\default@bfast[4].txt -> TrackingCookie.Bfast : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluemountain[2].txt -> TrackingCookie.Bluemountain : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@bluestreak[3].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[3].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[4].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[5].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[6].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[7].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@bluestreak[8].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads32.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads43.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@citi.bridgetrack[3].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@cc.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@cc.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[3].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[4].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[5].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[6].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@citi.bridgetrack[7].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@rccl.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@rccl.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@rccl.bridgetrack[4].txt -> TrackingCookie.Bridgetrack : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\default\Cookies\default@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\default\Cookies\default@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@centrport[3].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@centrport[4].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[3].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[4].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[5].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[6].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[8].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@centrport[9].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\default\Cookies\default@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz4.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz5.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
D:\Documents and Settings\default\Cookies\default@com[1].txt -> TrackingCookie.Com : Cleaned.
D:\Documents and Settings\default\Cookies\default@com[2].txt -> TrackingCookie.Com : Cleaned.
D:\Documents and Settings\default\Cookies\default@com[3].txt -> TrackingCookie.Com : Cleaned.
D:\Documents and Settings\default\Cookies\default@com[4].txt -> TrackingCookie.Com : Cleaned.
D:\Documents and Settings\default\Cookies\default@com[5].txt -> TrackingCookie.Com : Cleaned.
D:\Documents and Settings\default\Cookies\default@commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned.
D:\Documents and Settings\default\Cookies\default@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
D:\Documents and Settings\default\Cookies\default@data.coremetrics[2].txt -> TrackingCookie.Coremetrics : Cleaned.
D:\Documents and Settings\default\Cookies\default@data.coremetrics[3].txt -> TrackingCookie.Coremetrics : Cleaned.
D:\Documents and Settings\default\Cookies\default@bilbo.counted[1].txt -> TrackingCookie.Counted : Cleaned.
D:\Documents and Settings\default\Cookies\default@bilbo.counted[2].txt -> TrackingCookie.Counted : Cleaned.
D:\Documents and Settings\default\Cookies\default@bilbo.counted[3].txt -> TrackingCookie.Counted : Cleaned.
D:\Documents and Settings\default\Cookies\default@adultximages2000.com.16871.fb.dbbsrv[1].txt -> TrackingCookie.Dbbsrv : Cleaned.
D:\Documents and Settings\default\Cookies\default@dbbsrv[1].txt -> TrackingCookie.Dbbsrv : Cleaned.
D:\Documents and Settings\default\Cookies\default@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@doubleclick[3].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@doubleclick[4].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@engage[1].txt -> TrackingCookie.Engage : Cleaned.
D:\Documents and Settings\default\Cookies\default@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
D:\Documents and Settings\default\Cookies\default@estat[1].txt -> TrackingCookie.Estat : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@a.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-us.falkag[3].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-us.falkag[4].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as-us.falkag[5].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\default\Cookies\default@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[10].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[4].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[5].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[6].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[7].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@fastclick[8].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
D:\Documents and Settings\default\Cookies\default@flycast[1].txt -> TrackingCookie.Flycast : Cleaned.
D:\Documents and Settings\default\Cookies\default@focalink[2].txt -> TrackingCookie.Focalink : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@gator[1].txt -> TrackingCookie.Gator : Cleaned.
D:\Documents and Settings\default\Cookies\default@gator[2].txt -> TrackingCookie.Gator : Cleaned.
D:\Documents and Settings\default\Cookies\default@gator[3].txt -> TrackingCookie.Gator : Cleaned.
D:\Documents and Settings\default\Cookies\default@webpdp.gator[1].txt -> TrackingCookie.Gator : Cleaned.
D:\Documents and Settings\default\Cookies\default@earth.goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-apcs.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-careerbuilder.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-cbs.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-dig.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-editorialpro.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-espn.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-foxsports.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-lexnex.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-sportsline.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg-vonage.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hg1.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hitbox[4].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@hitbox[5].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@w111.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@w116.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@w131.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
D:\Documents and Settings\default\Cookies\default@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
D:\Documents and Settings\default\Cookies\default@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
D:\Documents and Settings\default\Cookies\default@adserv.internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.
D:\Documents and Settings\default\Cookies\default@banserv.internetfuel[2].txt -> TrackingCookie.Internetfuel : Cleaned.
D:\Documents and Settings\default\Cookies\default@internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.

Miopip
2007-02-22, 09:28
Sorry, the text-length restriction is killing me here...

Continuation of AVG report...

D:\Documents and Settings\default\Cookies\default@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
D:\Documents and Settings\default\Cookies\default@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
D:\Documents and Settings\default\Cookies\default@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
D:\Documents and Settings\default\Cookies\default@server.iad.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
D:\Documents and Settings\default\Cookies\default@server.iad.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned.
D:\Documents and Settings\default\Cookies\default@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
D:\Documents and Settings\default\Cookies\default@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned.
D:\Documents and Settings\default\Cookies\default@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\default\Cookies\default@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\default\Cookies\default@mediaplex[3].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
D:\Documents and Settings\default\Cookies\default@offshoreclicks[1].txt -> TrackingCookie.Offshoreclicks : Cleaned.
D:\Documents and Settings\default\Cookies\default@php.offshoreclicks[2].txt -> TrackingCookie.Offshoreclicks : Cleaned.
D:\Documents and Settings\default\Cookies\default@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@overture[2].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@overture[3].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@overture[4].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data1.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@data4.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@overture[3].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@overture[4].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@overture[5].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@overture[6].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@perf.overture[3].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@perf.overture[4].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\default\Cookies\default@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@paycounter[3].txt -> TrackingCookie.Paycounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@paycounter[4].txt -> TrackingCookie.Paycounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\default\Cookies\default@www1.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\default\Cookies\default@www3.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\default\Cookies\default@www5.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\default\Cookies\default@www6.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\default\Cookies\default@www7.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@ads.pointroll[3].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@ads.pointroll[5].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.pointroll[3].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.pointroll[4].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.pointroll[5].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.pointroll[6].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
D:\Documents and Settings\default\Cookies\default@mediatrack.popupsponsor[1].txt -> TrackingCookie.Popupsponsor : Cleaned.
D:\Documents and Settings\default\Cookies\default@popupsponsor[2].txt -> TrackingCookie.Popupsponsor : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned.
D:\Documents and Settings\default\Cookies\default@c.porngraph[2].txt -> TrackingCookie.Porngraph : Cleaned.
D:\Documents and Settings\default\Cookies\default@aphrodite.porntrack[1].txt -> TrackingCookie.Porntrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@stats3.porntrack[1].txt -> TrackingCookie.Porntrack : Cleaned.
D:\Documents and Settings\default\Cookies\default@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned.
D:\Documents and Settings\default\Cookies\default@preferences[1].txt -> TrackingCookie.Preferences : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned.
D:\Documents and Settings\default\Cookies\default@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
D:\Documents and Settings\default\Cookies\default@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@questionmarket[4].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[10].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[4].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[5].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[6].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[7].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@questionmarket[9].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Local Settings\Temp\Cookies\default@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Local Settings\Temp\Cookies\default@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\default\Cookies\default@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@oas-central.realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[3].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[4].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[5].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[6].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@realmedia[7].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Documents and Settings\default\Cookies\default@project1.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@web1.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\default\Cookies\default@mediatrack.revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\default\Cookies\default@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\default\Cookies\default@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\default\Cookies\default@revenue[3].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\default\Cookies\default@revenue[5].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@edge.ru4[3].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@edge.ru4[4].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[10].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[3].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[4].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[5].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[6].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[7].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\default\Cookies\default@edge.ru4[8].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@bs.serving-sys[4].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@bs.serving-sys[5].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@bs.serving-sys[6].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.

Miopip
2007-02-22, 09:29
D:\Documents and Settings\default\Cookies\default@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@serving-sys[5].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@serving-sys[6].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Local Settings\Temp\Cookies\default@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
D:\Documents and Settings\default\Cookies\default@c.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
D:\Documents and Settings\default\Cookies\default@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter10.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter11.sextracker[3].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter13.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter14.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter16.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter2.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter2.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter3.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter3.sextracker[3].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter4.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter4.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter6.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter6.sextracker[3].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter7.sextracker[3].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter8.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@counter9.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\default\Cookies\default@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
D:\Documents and Settings\default\Cookies\default@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
D:\Documents and Settings\default\Cookies\default@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
D:\Documents and Settings\default\Cookies\default@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
D:\Documents and Settings\default\Cookies\default@starware[2].txt -> TrackingCookie.Starware : Cleaned.
D:\Documents and Settings\default\Cookies\default@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
D:\Documents and Settings\default\Cookies\default@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@statcounter[3].txt -> TrackingCookie.Statcounter : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\default\Cookies\default@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\default\Cookies\default@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\default\Cookies\default@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\default\Cookies\default@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\default\Cookies\default@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
D:\Documents and Settings\default\Cookies\default@tradedoubler[3].txt -> TrackingCookie.Tradedoubler : Cleaned.
D:\Documents and Settings\default\Cookies\default@tradedoubler[4].txt -> TrackingCookie.Tradedoubler : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@trafficmp[4].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[4].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[5].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[6].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@trafficmp[7].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\default\Cookies\default@hestia.sextrail.trakkerd[2].txt -> TrackingCookie.Trakkerd : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[3].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[4].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[5].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@tribalfusion[6].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\default\Cookies\default@servedfor.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
D:\Documents and Settings\default\Cookies\default@usta.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[3].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[4].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[5].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@valueclick[6].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\default\Cookies\default@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
D:\Documents and Settings\default\Cookies\default@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
D:\Documents and Settings\default\Cookies\default@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
D:\Documents and Settings\default\Cookies\default@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
D:\Documents and Settings\default\Cookies\default@x10[2].txt -> TrackingCookie.X10 : Cleaned.
D:\Documents and Settings\default\Cookies\default@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@xxxcounter[3].txt -> TrackingCookie.Xxxcounter : Cleaned.
D:\Documents and Settings\default\Cookies\default@xxxtoolbar[2].txt -> TrackingCookie.Xxxtoolbar : Cleaned.
D:\Documents and Settings\default\Cookies\default@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
D:\Documents and Settings\default\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
D:\Documents and Settings\default\Cookies\default@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
D:\Documents and Settings\default\Cookies\default@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
D:\Documents and Settings\default\Cookies\default@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
D:\Documents and Settings\Guest\Cookies\guest@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@zedo[3].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\Isabel\Cookies\isabel@zedo[4].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[3].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[4].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[5].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[6].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Cookies\default@zedo[8].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\default\Local Settings\Temp\Cookies\default@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Miopip
2007-02-22, 09:29
Sorry for the multiple posts to display the AVG report.

And here is the HJT log created after all the steps you defined were completed and the computer was rebooted in Normal mode. I see in this log there are still a couple of CnsHook.dll entries after running AVG.

Logfile of HijackThis v1.99.1
Scan saved at 2:19:33 AM, on 2/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-02-22, 09:41
You did the right thing with the AVG log :bigthumb:

Ok let's see...


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

Miopip
2007-02-23, 01:40
It's currently running, but I also have a Symantec AntiVirus Notification popup that reads 'Symantec Tamper Protection Alert' with the following info:

Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gmer.exe (PID 5456)
Time: Thursday, February 22, 2007 6:40:16 PM

Is that cause for concern?

Miopip
2007-02-23, 02:18
Here's the GMER log:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-22 19:18:05
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT 877AF268 ZwConnectPort
SSDT CnsMinKP.sys ZwCreateSection
SSDT CnsMinKP.sys ZwDeleteKey
SSDT CnsMinKP.sys ZwDeleteValueKey
SSDT 87BDD568 ZwDuplicateObject
SSDT CnsMinKP.sys ZwEnumerateKey
SSDT CnsMinKP.sys ZwEnumerateValueKey
SSDT CnsMinKP.sys ZwLoadDriver
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT CnsMinKP.sys ZwOpenSection
SSDT 87BDD6C8 ZwOpenThread
SSDT CnsMinKP.sys ZwQueryValueKey
SSDT CnsMinKP.sys ZwRestoreKey
SSDT CnsMinKP.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text NTDLL.DLL!NtClose 77F881F8 5 Bytes JMP 7203407A
.text NTDLL.DLL!NtCreateProcess 77F88308 5 Bytes JMP 72034205
.text NTDLL.DLL!NtCreateSection 77F88328 5 Bytes JMP 72034098

---- User code sections - GMER 1.0.12 ----

.text C:\WINNT\Explorer.EXE[1836] WININET.dll!HttpAddRequestHeadersA 6303D5F4 5 Bytes JMP 01A61628 C:\PROGRA~1\3721\alrex.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3284] WININET.DLL!HttpAddRequestHeadersA 6303D5F4 5 Bytes JMP 00831628 C:\PROGRA~1\3721\alrex.dll

---- EOF - GMER 1.0.12 ----

Here's the new HJT log. Still some CnsHook DLLs:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:58 PM, on 2/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\bin\iPodService.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\RunOnce: [3721C:\PROGRA~1\3721\notifier.dll4105543] regsvr32 /s C:\PROGRA~1\3721\notifier.dll
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-02-23, 18:25
Ok, I need one more log before we may continue the cleaning. These Chinese infections can be nasty.

Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log":
* List also minor sections (Full)
* List empty sections (Complete)
Click "Generate StartupList Log"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed.
Copy & paste that log here.

Miopip
2007-02-24, 00:47
You're not kidding about these Chinese infections! Here's the log....

StartupList report, 2/23/2007, 5:49:06 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DfrgFat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NGClient = C:\Program Files\Symantec\Ghost\ngctw32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CnsMin = Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
helper.dll = C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
IE - C:\WINNT\DOWNLO~1\CnsHook.dll - {D157330A-9EF3-49F8-9A67-4141AC41ADD4}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.5178356481

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R778/V31Controls/x86/nt5/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 5,938 bytes
Report generated in 2.003 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Miopip
2007-02-24, 15:08
Are these Chinese keyword infections related to the VSAdd-in for IE that I can't remove via Add/Remove Programs?

Mr_JAk3
2007-02-24, 22:02
Hi :)

You forgot to check these two options before creating the startuplist:
* List also minor sections (Full)
* List empty sections (Complete)

Please check those two options and post a new startuplist.

And yes, that VSAdd-in for IE is a baddie too. We'll get rid of it.

:bigthumb:

Miopip
2007-02-24, 22:25
Oops. Here you go...thought I checked both boxes.

StartupList report, 2/24/2007, 3:28:11 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINNT\system32\ifconfig.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NGClient = C:\Program Files\Symantec\Ghost\ngctw32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CnsMin = Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
helper.dll = C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
(Default) = ifconfig.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

(Default) = ifconfig.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
IE - C:\WINNT\DOWNLO~1\CnsHook.dll - {D157330A-9EF3-49F8-9A67-4141AC41ADD4}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.5178356481

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R778/V31Controls/x86/nt5/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 6,187 bytes
Report generated in 1.102 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
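
The registry autorun sections of the report above (including the two "(Default) = ifconfig.exe" values and the rundll32 lines) are the entries a helper reads first. As an added example, not code from this thread, from HijackThis or from StartupList, the Python script below parses the "Autorun entries from Registry" sections of a StartupList report and applies a few defender-side triage heuristics; the sample report is constructed from the lines posted above, and the heuristics and their wording are the example's own.

```python
"""Triage heuristics for the registry autorun sections of a StartupList report.

Added example for this thread; it is not part of HijackThis, StartupList or any
post here.  The sample report is constructed from the lines posted above; the
heuristics and their wording are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    key: str      # registry key the value was read from
    name: str     # value name, e.g. "ccApp" or "(Default)"
    command: str  # command line stored in the value


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: list


# Constructed sample: the two "Autorun entries from Registry" sections posted above.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NGClient = C:\Program Files\Symantec\Ghost\ngctw32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CnsMin = Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
helper.dll = C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
(Default) = ifconfig.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

(Default) = ifconfig.exe

--------------------------------------------------
"""

SECTION_HEADER = "Autorun entries from Registry:"
# [path\]rundll32[.exe] <dll>,<entrypoint>: capture the DLL argument
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^,\s]+)", re.IGNORECASE)
# IE's Downloaded Program Files folder, long or 8.3 short form
DOWNLOADED_RE = re.compile(r"DOWNLO~1|Downloaded Program Files", re.IGNORECASE)


def parse_autoruns(report):
    """Return every 'name = command' value under each registry autorun section."""
    entries, key, state = [], None, "idle"
    for raw in report.splitlines():
        line = raw.strip()
        if line == SECTION_HEADER:
            state = "want_key"          # next non-empty line names the key
        elif state == "want_key" and line:
            key, state = line, "in_section"
        elif state == "in_section":
            if line.startswith("----"):
                state = "idle"          # section separator
            elif " = " in line:
                name, command = line.split(" = ", 1)
                entries.append(AutorunEntry(key, name, command))
    return entries


def executable_of(command):
    """The program token: a quoted path, or the text up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def triage(report):
    """Apply the heuristics and return the entries that deserve a closer look."""
    findings = []
    for entry in parse_autoruns(report):
        reasons = []
        exe = executable_of(entry.command)
        if entry.name == "(Default)":
            reasons.append("stored in the key's (Default) value, which installers do not normally use")
        if exe and "\\" not in exe and ":" not in exe:
            reasons.append(f"'{exe}' has no path and is resolved through PATH at logon; locate the file first")
        match = RUNDLL_RE.search(entry.command)
        if match:
            dll = match.group(1)
            reasons.append(f"code runs via rundll32 from {dll}; review that DLL, not rundll32 itself")
            if DOWNLOADED_RE.search(dll):
                reasons.append("the DLL sits in IE's Downloaded Program Files folder, so it arrived through the browser")
        if entry.key.lower().endswith("\\runservices"):
            reasons.append("RunServices is a Windows 9x-only key; a value there on Windows 2000 is unusual")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        short_key = finding.entry.key.rsplit("\\", 1)[-1]
        print(f"{short_key}: {finding.entry.name} = {finding.entry.command}")
        for reason in finding.reasons:
            print("   -", reason)
```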

Mr_JAk3
2007-02-25, 18:42
Hi again :)

Looks like the two options didn't want to enable...

We'll use another tool.

Make a new folder on the C:\ drive called silentrunners.
Download "Silent Runners" from here (direct download):
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click Start > Run, type cmd and hit Enter.
Type the following exactly and hit Enter after each line:
cd c:\silentrunners
"silent runners.vbs" -all

Wait until it pops up saying it has completed, then post the resulting logfile here.
It will be very large. You may need several posts to include everything.

:bigthumb:

Miopip
2007-02-25, 19:42
Here we go....

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows 2000
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"NGClient" = "C:\Program Files\Symantec\Ghost\ngctw32.exe" ["Symantec New Zealand Limited"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"CnsMin" = "Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32" [MS]
"helper.dll" = "C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32" [MS]
"(Default)" = "ifconfig.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\(Default) = "IE"
-> {HKLM...CLSID} = "CnsHook Class"
\InProcServer32\(Default) = "C:\WINNT\DOWNLO~1\CnsHook.dll" ["************" (unwritable string)]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "plustab.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "C:\WINNT\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "C:\WINNT\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]

Miopip
2007-02-25, 19:43
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "C:\WINNT\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "C:\WINNT\System32\wshext.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "C:\WINNT\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "C:\WINNT\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network and Dial-up Connections"
-> {HKLM...CLSID} = "Network and Dial-up Connections"
\InProcServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINNT\System32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "C:\WINNT\System32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"
\InProcServer32\(Default) = "C:\WINNT\System32\mstask.dll" [MS]
"{1A9BA3A0-143A-11CF-8350-444553540000}" = "Shell Favorite Folder"
-> {HKLM...CLSID} = "Shell Favorite Folder"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = "My Computer"
-> {HKLM...CLSID} = "My Computer"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{86747AC0-42A0-1069-A2E6-08002B30309D}" = "Briefcase Folder"
-> {HKLM...CLSID} = "Briefcase Folder"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{0AFACED1-E828-11D1-9187-B532F1E9575D}" = "Folder Shortcut"
-> {HKLM...CLSID} = "Folder Shortcut"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{12518493-00B2-11d2-9FA5-9E3420524153}" = "Mounted Volume"
-> {HKLM...CLSID} = "Mounted Volume"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{21B22460-3AEA-1069-A2DC-08002B30309D}" = "File Property Page Extension"
-> {HKLM...CLSID} = "File Property Page Extension"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{B091E540-83E3-11CF-A713-0020AFD79762}" = "File Types Page"
-> {HKLM...CLSID} = "File Types Page"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}" = "MIME File Types Hook"
-> {HKLM...CLSID} = "MIME File Types Hook"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}" = "Microsoft CopyTo Service"
-> {HKLM...CLSID} = "Microsoft CopyTo Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}" = "Microsoft MoveTo Service"
-> {HKLM...CLSID} = "Microsoft MoveTo Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{13709620-C279-11CE-A49E-444553540000}" = "Shell Automation Service"
-> {HKLM...CLSID} = "Shell Automation Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" = "Shell Automation Folder View"
-> {HKLM...CLSID} = "Shell Automation Folder View"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}" = "Start Menu"
-> {HKLM...CLSID} = "Start Menu"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}" = "Microsoft SendTo Service"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}" = "Microsoft New Object Service"
-> {HKLM...CLSID} = "Microsoft New Object Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}" = "Open With Context Menu Handler"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}" = "Display Control Panel HTML Extensions"
-> {HKLM...CLSID} = "Display Control Panel HTML Extensions"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{75048700-EF1F-11D0-9888-006097DEACF9}" = "ActiveDesktop"
-> {HKLM...CLSID} = "ActiveDesktop"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" = "Folder Options Property Page Extension"
-> {HKLM...CLSID} = "Folder Options Property Page Extension"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{57651662-CE3E-11D0-8D77-00C04FC99D61}" = "CmdFileIcon"
-> {HKLM...CLSID} = "CmdFileIcon"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{4657278A-411B-11d2-839A-00C04FD918D0}" = "Shell Drag and Drop helper"
-> {HKLM...CLSID} = "Shell Drag and Drop helper"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}" = "Add encryption item to context menus in explorer"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{568804CA-CBD7-11d0-9816-00C04FD91972}" = "Menu Shell Folder"
-> {HKLM...CLSID} = "Menu Shell Folder"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {HKLM...CLSID} = "Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {HKLM...CLSID} = "Menu Site"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {HKLM...CLSID} = "Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "Search Band"
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {HKLM...CLSID} = "Thumbnail Image"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
-> {HKLM...CLSID} = "Thumbnails"
\InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [MS]
"{EAB841A0-9550-11CF-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [MS]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Office Graphics Filters Thumbnail Extractor"
-> {HKLM...CLSID} = "Office Graphics Filters Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [MS]
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [MS]
"{500202A0-731E-11D0-B829-00C04FD706EC}" = "LNK file thumbnail interface delegator"
-> {HKLM...CLSID} = "LNK file thumbnail interface delegator"
\InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "%DESC_AppMgr%"
\InProcServer32\(Default) = "C:\WINNT\System32\appwiz.cpl" [MS]
"{0B124F8C-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "C:\WINNT\System32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "C:\WINNT\System32\appwiz.cpl" [MS]
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}" = "Directory Namespace"
-> {HKLM...CLSID} = "Directory"
\InProcServer32\(Default) = "dsfolder.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsfolder.dll" [MS]

Miopip
2007-02-25, 19:44
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsuiext.dll" [MS]
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsuiext.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {HKLM...CLSID} = "My Documents"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet File"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {HKLM...CLSID} = "Hummingbird Neighborhood"
\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL" ["Hummingbird Ltd."]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\apppatch\slayerui.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\sendmail.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "C:\WINNT\System32\occache.dll" [MS]
"{32683183-48a0-441b-a342-7c2a440a9478}" = "Media Band"
-> {HKLM...CLSID} = "Media Band"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
-> {HKLM...CLSID} = "Address Bar Parser"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" = "Channel File"
-> {HKLM...CLSID} = "Channel"
\InProcServer32\(Default) = "C:\WINNT\System32\cdfview.dll" [MS]
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" = "Channel Shortcut"
-> {HKLM...CLSID} = "Channel Shortcut"
\InProcServer32\(Default) = "C:\WINNT\System32\cdfview.dll" [MS]
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" = "Channel Handler Object"
-> {HKLM...CLSID} = "Channel Handler Object"
\InProcServer32\(Default) = "C:\WINNT\System32\cdfview.dll" [MS]
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" = "Channel Menu"
-> {HKLM...CLSID} = "Channel Menu Handler Object"
\InProcServer32\(Default) = "C:\WINNT\System32\cdfview.dll" [MS]
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" = "Channel Properties"
-> {HKLM...CLSID} = "Channel Shortcut Property Pages"
\InProcServer32\(Default) = "C:\WINNT\System32\cdfview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = "**" (unwritable string)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]
<<!>> "{B83FC273-3522-4CC6-92EC-75CC86678DA4}" = (no title provided)
-> {HKLM...CLSID} = "3721"
\InProcServer32\(Default) = "C:\WINNT\DOWNLO~1\CnsMin.dll" ["******(**)****" (unwritable string)]
<<!>> "{D157330A-9EF3-49F8-9A67-4141AC41ADD4}" = "*t*T**A***" (unwritable string)
-> {HKLM...CLSID} = "CnsHook Class"
\InProcServer32\(Default) = "C:\WINNT\DOWNLO~1\CnsHook.dll" ["************" (unwritable string)]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> {HKLM...CLSID} = "Network Connections Tray"
\InProcServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "stobject.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (empty string)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "C:\Program Files\Symantec\Ghost\ginastub.dll" ["Symantec Corporation"]
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "C:\WINNT\system32\userinit.exe," [MS]
"System" = (empty string)

Miopip
2007-02-25, 19:45
HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
"SecurityProviders" = "msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "C:\WINNT\system32\ntvdm.exe" [MS]
"wowcmdline" = "C:\WINNT\system32\ntvdm.exe -a C:\WINNT\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
<<!>> NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" ["Symantec Corporation"]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
SensLogn\DLLName = "WlNotify.dll" [MS]
wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\

HKLM\Software\Classes\PROTOCOLS\Filter\
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "C:\WINNT\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINNT\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINNT\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINNT\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = "Version Column Provider"
-> {HKLM...CLSID} = "Version Column Provider"
\InProcServer32\(Default) = "C:\WINNT\System32\docprop2.dll" [MS]
{7f9609be-af9a-11d1-83e0-00c04fb6e984}\(Default) = "Fax Tiff Data Column Provider"
-> {HKLM...CLSID} = "Fax Tiff Data Column Provider"
\InProcServer32\(Default) = "C:\WINNT\system32\faxshell.dll" [MS]
{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShAVColumnProvider class"
\InProcServer32\(Default) = "C:\WINNT\System32\docprop2.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]


Default executables:
--------------------

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINNT\System32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "scrfile"
HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000095
{User Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Disable registry editing tools}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

Miopip
2007-02-25, 19:45
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"dontdisplaylastusername" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Do not display last user name}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

C:\
AUTORUN.INF -> (file not found)

D:\
AUTORUN.INF -> (file not found)


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\Documents and Settings\Administrator\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LCXL3X9B\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M30VNOHS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M4E9JX08\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YP87EPWL\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\N4VE9LI5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\QSHKEW4S\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\UZYRS9SX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\W9MFY9Y3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temp\Temporary Internet Files\Content.IE5\ADC5E7AZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temp\Temporary Internet Files\Content.IE5\IV8L2F8H\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temp\Temporary Internet Files\Content.IE5\ODIFG9M7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temp\Temporary Internet Files\Content.IE5\WHUFGPIV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

Miopip
2007-02-25, 19:46
C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\45MZ8HUV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\4XYRK5IN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\8L6RS9UR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\8LK7074Z\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\8R3V24D5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\EB6BU1YN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\ILLYBMD4\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\JVPR39GW\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\KX2FOXMR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\O1UBGPMN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\QJYNQ52R\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jianquin.lu.old\Local Settings\Temporary Internet Files\Content.IE5\ZQSNV5SX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\Temp\Temporary Internet Files\Content.IE5\LKK8ETJR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\Temp\Temporary Internet Files\Content.IE5\LVB2L6TA\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\Temp\Temporary Internet Files\Content.IE5\P4WYQC6Y\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Jianqun.Lu\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\occache.dll" [MS]

C:\WINNT\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINNT\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Tasks\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\mstask.dll" [MS]

C:\WINNT\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Temporary Internet Files\Content.IE5\IDHROFTB\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Temporary Internet Files\Content.IE5\MAYCD9NC\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Temporary Internet Files\Content.IE5\PREK10ZD\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

C:\WINNT\Temporary Internet Files\Content.IE5\WKLZ4GY6\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M74TQVK1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IXSTOJQP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0523CT6F\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01QJKXM3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\WINDOWS\FONTS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

D:\WINDOWS\TASKS\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\mstask.dll" [MS]

D:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\occache.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\01QJKXM3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0523CT6F\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IXSTOJQP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\M74TQVK1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

Miopip
2007-02-25, 19:47
D:\Documents and Settings\default\Local Settings\Temp\Temporary Internet Files\Content.IE5\86OMM65X\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temp\Temporary Internet Files\Content.IE5\DM7SATSZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temp\Temporary Internet Files\Content.IE5\IIWUSE8Z\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temp\Temporary Internet Files\Content.IE5\TO9Q032G\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\CDA7CHA3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\CV76B0PC\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\UQIOB39E\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\E5WT63GX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\KTEVWTM7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\SLE3C12B\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\SNEZUHY5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\I90RAPGD\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\2J4RTMJI\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\3YJ1LD77\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\YM6TH1GM\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\T7R13TNS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\LXRFMOIP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\9P0AR7DD\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\LTDYNBH6\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\IINZ1C3J\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GPMV056Z\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8PCTM9UR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ENSZ0XS3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GPMZGDYF\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPQJKLQN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XANOPE3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8DKP4ZYJ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WZENUVE7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\01234567\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\OXUZ09UZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\09IVO9IN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

Miopip
2007-02-25, 19:48
D:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\WLUV4TI7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\01QJKXM3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\M74TQVK1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\VWZZF2AQ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\1IM60R3V\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\YL2BAP2K\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\6F6R2H2J\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\SP0H6V8D\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\U1872LQX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\09IJ45U7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\OHARGP6Z\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\KTU7C1QN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\K1GJ4VWZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\HMZ5DQ8Q\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\3XXSFD3J\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\0523CT6F\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\IXSTOJQP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\17OL3HNG\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\4X2NSP6N\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Isabel\Local Settings\Temporary Internet Files\Content.IE5\GW8XSVAT\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\M74TQVK1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IXSTOJQP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\0523CT6F\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

D:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\01QJKXM3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]


Startup items in "administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"EPSON Status Monitor 3 Environment Check" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE" ["SEIKO EPSON CORPORATION"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
"{74DD705D-6834-439C-A735-A6DBE2677452}"
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48A0-441B-A342-7C2A440A9478}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Media Band"
\InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "File and Folders Search ActiveX Control"
\InProcServer32\(Default) = "C:\WINNT\system32\shell32.dll" [MS]
{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = "Search Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINNT\System32\browseui.dll" [MS]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5D73EE86-05F1-49ED-B850-E423120EC338}\
"ButtonText" = "Chinese Keyword"
"Exec" = "http://assistant.3721.com/index.htm" [file not found]

{BF1F4A1A-BDCD-43AC-9D17-261D2C197AB8}\
"Exec" = "http://assistant.3721.com/uninstall.htm" [file not found]

{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}\
"MenuText" = "Repair Browser"
"Exec" = "http://assistant.3721.com/security1.htm" [file not found]

{FD00D911-7529-4084-9946-A29F1BDF4FE5}\
"MenuText" = "Clean Internet access record"
"Exec" = "http://assistant.3721.com/clean1.htm" [file not found]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings" -- no anomalies found)

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll" [MS]
<<H>> "{D157330A-9EF3-49F8-9A67-4141AC41ADD4}" = (no title provided)
-> {HKLM...CLSID} = "CnsHook Class"
\InProcServer32\(Default) = "C:\WINNT\DOWNLO~1\CnsHook.dll" ["************" (unwritable string)]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
"Home" = hex:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://mshtml.dll/repost.htm" [MS]
"mozilla" = "res://mshtml.dll/about.moz" [MS]

Miopip
2007-02-25, 19:49
Last one. At last...

HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "C:\WINNT\System32\drivers\etc"

C:\WINNT\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address


All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

Automatic Updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\system32\wuauclt.dll" [file not found]}
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
COM+ Event System, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]
DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]
Diskeeper, Diskeeper, "C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe" ["Executive Software International, Inc."]
Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
Hummingbird Inetd, HCLInetd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe" ["Hummingbird Ltd."]
iPod Service, iPod Service, ""D:\Program Files\bin\iPodService.exe"" ["Apple Computer, Inc."]
IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Registry Service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]
Still Image Service, StiSvc, "C:\WINNT\system32\stisvc.exe" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Ghost Client Agent, NGClient, "C:\Program Files\Symantec\Ghost\ngctw32.exe" ["Symantec New Zealand Limited"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINNT\system32\mspmspsv.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
EPSON V3 2KMonitor300\Driver = "E_SL2300.DLL" ["SEIKO EPSON CORPORATION"]
HCL LPR Monitor\Driver = "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Accessories\hcllpr.dll" ["Hummingbird Ltd."]
Local Port\Driver = "localspl.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
USB Monitor\Driver = "usbmon.dll" [MS]


-- (total run time: 480 seconds)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

Mr_JAk3
2007-02-26, 14:29
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

==================

Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CnsMin"=-
"helper.dll"=-
; "@" names the key's (Default) value; "=-" deletes it
@=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{74DD705D-6834-439C-A735-A6DBE2677452}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ED-B850-E423120EC338}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{BF1F4A1A-BDCD-43AC-9D17-261D2C197AB8}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\RunOnce: [3721C:\PROGRA~1\3721\notifier.dll4105543] regsvr32 /s C:\PROGRA~1\3721\notifier.dll
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to My Computer and delete the following files (if present):
C:\WINNT\downloaded program files\CnsHook.dll

Go to My Computer and delete the following folders (if present):
C:\Program Files\3721
C:\Program Files\VSAdd-in

Use the Windows search:
Start
Search
All files and folders
More advanced options
Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: ifconfig.exe <- be careful with the name
Search for this and delete if found: CnsMinKP.sys


Run ATF Cleaner:
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt:
Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
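The .reg file in the instructions above relies on three pieces of REGEDIT4 syntax: a `[-KEY]` header deletes a whole key, `"name"=-` deletes one value under a plain `[KEY]` header, and the key's (Default) value is written `@`, so it is deleted with `@=-`. The Python below is an added example written for this page (it is not code from the thread, from HijackThis or from any tool mentioned here) that builds such a removal script from the keys and values in the fix above and checks the formatting rules the post insists on: REGEDIT4 on the first line with nothing before it, and exactly one blank line at the end. The function names and the `check_reg_script` heuristics are my own.

```python
"""Generate and sanity-check a REGEDIT4 removal script of the kind used in the fix above."""

HEADER = 'REGEDIT4'


def reg_quote(name):
    """Quote a value name for .reg syntax: backslashes and double quotes are escaped."""
    return '"' + name.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_removal_reg(delete_keys=(), delete_values=()):
    """Build the text of a .reg file that only deletes things.

    delete_keys   : full key paths; each becomes a [-KEY] header, which removes
                    the key and everything under it.
    delete_values : (key, value_name) pairs; each becomes "name"=- inside a
                    plain [KEY] header. An empty value_name means the key's
                    (Default) value, which .reg syntax spells '@', not "(Default)".
    """
    lines = [HEADER, '']                      # header first, then one blank line
    per_key = {}
    for key, name in delete_values:
        per_key.setdefault(key, []).append(name)
    for key, names in per_key.items():
        lines.append(f'[{key}]')
        for name in names:
            lines.append(('@' if name == '' else reg_quote(name)) + '=-')
        lines.append('')
    for key in delete_keys:
        lines.append(f'[-{key}]')
        lines.append('')
    # CRLF endings as Notepad writes them; the final '' above plus this
    # terminator gives the one trailing blank line regedit wants.
    return '\r\n'.join(lines) + '\r\n'


def check_reg_script(text):
    """Return the mistakes a hand-typed removal script most often contains."""
    problems = []
    lines = text.replace('\r\n', '\n').split('\n')
    if lines[0] != HEADER:
        problems.append('first line must be REGEDIT4, with no blank line before it')
    if not text.endswith(('\r\n\r\n', '\n\n')):
        problems.append('file must end with one blank line')
    for n, line in enumerate(lines, 1):
        if line.strip() == '"(Default)"=-':
            problems.append(f'line {n}: "(Default)" is only a display name; delete the default value with @=-')
        if line.startswith('[') and not line.rstrip().endswith(']'):
            problems.append(f'line {n}: unterminated key header')
    return problems


def write_reg(path, text):
    """REGEDIT4 files are ANSI; newline='' keeps the CRLFs exactly as built."""
    with open(path, 'w', encoding='cp1252', newline='') as fh:
        fh.write(text)


# Builder input taken from the fix posted above (the Run values and three of the keys).
RUN_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
FIX_VALUES = [(RUN_KEY, 'CnsMin'), (RUN_KEY, 'helper.dll'), (RUN_KEY, '')]
FIX_KEYS = [
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}',
    r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{74DD705D-6834-439C-A735-A6DBE2677452}',
    r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}',
]
FIX_SCRIPT = build_removal_reg(FIX_KEYS, FIX_VALUES)

if __name__ == '__main__':
    print(FIX_SCRIPT)
    print('problems:', check_reg_script(FIX_SCRIPT))
```

Deleting a value rather than the key matters for the Run key: a `[-...\Run]` line would also remove the legitimate Symantec, QuickTime and iTunes entries that live beside the malicious ones.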

Miopip
2007-03-01, 03:11
Sorry for my delay!

CureIt report...What does 'Incurable- Moved' mean? Moved where?

Silent Runners.vbs;C:\silentrunners;Probably BATCH.Virus;Incurable.Moved.;
awtqrro.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
awtsqrq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
cbxxxus.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
jkhfd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ujnavfls.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wvuvsrr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
CnsMinEx.dll;C:\WINNT\Downloaded Program Files;Trojan.Cnsmin;Will be cured after reboot.;
eservice.dll;C:\WINNT\Downloaded Program Files;Probably STPAGE.Trojan;Incurable.Moved.;
keepmain.dll;C:\WINNT\Downloaded Program Files;Adware.Cdn;Incurable.Moved.;
CnsMin.dll;C:\WINNT\Downloaded Program Files\3721;Adware.Cdn;Incurable.Moved.;
Popular Screensavers.scr;D:\WINDOWS\SYSTEM32;Adware.Msearch;Incurable.Moved.;
logonmgr.dll;D:\Program Files\MSNDELL\MSNCoreFiles;Probably DLOADER.Trojan;Incurable.Moved.;
F3CJPEG.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3HTMLMU.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3POPSWT.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3PSSAVR.SCR;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3REPROX.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3RESTUB.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
F3SCRCTR.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Probably DLOADER.Trojan;Incurable.Moved.;
F3WPHOOK.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
M3OUTLCN.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
M3SKIN.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
MWSOEMON.EXE;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
MWSOESTB.DLL;D:\Program Files\MyWebSearch\bar\2.bin;Adware.Msearch;Incurable.Moved.;
MWSSRCAS.DLL;D:\Program Files\MyWebSearch\SrchAstt\2.bin;Adware.Websa;Incurable.Moved.;

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:14:41 PM, on 2/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ifconfig.exe
C:\WINNT\system32\rtvcscan.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [] ifconfig.exe
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\RunServices: [] ifconfig.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [] ifconfig.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-03-01, 21:29
Hi :)

The files were moved to a backup location and we'll clean that later.

You got some new infections :(

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Miopip
2007-03-03, 02:06
One or more of the identified infections steal information.

Which infections? How did I pick these up?

Mr_JAk3
2007-03-03, 11:59
Hi :)

All these are backdoors:

O4 - HKLM\..\Run: [] ifconfig.exe
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\RunServices: [] ifconfig.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [] ifconfig.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe

You're not clean yet so it is possible that these infections have loaded new infections.

Miopip
2007-03-03, 23:32
SDFix: Version 1.69

Run by administrator - Sat 03/03/2007 @ 16:02:34.77

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\ifconfig.exe - Deleted
C:\WINNT\system32\rtvcscan.exe - Deleted
C:\WINNT\system32\TFTP2928 - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\jianquin.lu.old\prf102.tmp
C:\Documents and Settings\jianquin.lu.old\prf20.tmp
C:\Documents and Settings\jianquin.lu.old\prf30.tmp
C:\Documents and Settings\jianquin.lu.old\prf7A.tmp
C:\Documents and Settings\jianquin.lu.old\prf9F.tmp
C:\Documents and Settings\jianquin.lu.old\prfAD.tmp
C:\Documents and Settings\jianquin.lu.old\prfCD.tmp
C:\WINNT\Temp\OLD283.tmp
C:\WINNT\Temp\OLD284.tmp
C:\WINNT\Temp\OLD2F1.tmp
C:\WINNT\Temp\OLD2F2.tmp
C:\WINNT\Temp\OLD51.tmp
C:\WINNT\Temp\OLD52.tmp
C:\WINNT\Temp\OLD7F.tmp
C:\WINNT\Temp\OLD80.tmp
C:\WINNT\Temp\OLD92.tmp
C:\WINNT\Temp\OLD93.tmp
C:\WINNT\Temp\OLD99.tmp
C:\WINNT\Temp\OLD9A.tmp
C:\WINNT\Temp\OLDD.tmp
C:\WINNT\Temp\OLDE.tmp

Add/Remove Programs List:

Adaptec Easy CD Creator 4
Adobe Acrobat 5.0
Adobe Shockwave Player
ATI Win2k Display Driver
AVG Anti-Spyware 7.5
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Chinese keywords
Canon Camera Support Core Library
Canon Utilities EOS Utility
EPSON Printer Software
Formatter Plus V1.4
HijackThis 1.99.1
Canon Utilities RemoteCapture 2.7
Canon RemoteCapture Task for ZoomBrowser EX
Canon Camera TWAIN Driver 6.0
Canon Utilities File Viewer Utility 1.3
iPod Updater 2004-08-06
Canon Camera TWAIN Driver 6.6
Canon Utilities PhotoStitch 3.1
LiveUpdate 2.6 (Symantec Corporation)
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Internet Explorer Q903235
Quest Software TOAD Professional Edition 7.6
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Shockwave
Adobe Flash Player 9 ActiveX
Update Rollup 1 for Windows 2000 SP4
Microsoft VGX Q833989
Windows 2000 Service Pack 4
WinZip
Canon Utilities ZoomBrowser EX
Microsoft Office 2000 Professional
Database Design Samples
Borders and Backgrounds
Sample Drawings
RemoteCapture 2.7.5
Advanced Network Diagramming Samples
Software Design
RemoteCapture Task
Block Diagrams
Canon Camera TWAIN Driver
File Viewer Utility 1.3.2
Project Schedules
Microsoft Project 2000
iPod Updater 2004-08-06
Symantec AntiVirus
Canon Camera TWAIN Driver
iTunes
Internet Diagrams
QuickTime
Block Diagrams Samples
Flowcharts Samples
Forms and Charts Samples
Shape Explorer Help
VSAdd-in for Internet Explorer
Shape Explorer
Save as HTML
SmartShape Wizard
Database Wizard
Graphics Filters
Visio Core Files
Microsoft Visio Professional 2002 [English]
Microsoft Visio Viewer 2002
DiskeeperWorkstation
Windows 2000 Application Compatibility Update
Apple Software Update
ArcSoft Camera Suite
Internet Diagrams Help
Directory Services Help
Hummingbird Exceed V7.0
Add-ons
Symantec Ghost
VBA
Microsoft Visual Studio Service Pack 3
PhotoStitch
Solutions
Directory Services

Finished


Logfile of HijackThis v1.99.1
Scan saved at 4:30:02 PM, on 3/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I got this when I tried to remove the 'junk' using HJT:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe (PID 424)
Time: Saturday, March 03, 2007 4:31:47 PM

Miopip
2007-03-03, 23:33
So these backdoors are gone, if I read the SDFix log right?

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\ifconfig.exe - Deleted
C:\WINNT\system32\rtvcscan.exe - Deleted
C:\WINNT\system32\TFTP2928 - Deleted
C:\WINNT\Temp\removalfile.bat - Deleted

Mr_JAk3
2007-03-04, 09:34
Hi :)

Yes, those backdoors are gone.

We'll install a firewall. You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINNT\Downloaded Program Files\3721
C:\WINNT\Downloaded Program Files\CnsMin.dll
C:\WINNT\Downloaded Program Files\CnsHook.dll
C:\WINNT\Downloaded Program Files\CnsMinEx.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: Chinese Keyword - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm (file missing)
O9 - Extra button: (no name) - {BF1F4A1A-BDCD-43ac-9D17-261D2C197AB8} - http://assistant.3721.com/uninstall.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm (file missing)
O11 - Options group: [!CNS] Chinese keywords

Restart your computer and post a fresh HijackThis log. :bigthumb:
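A small triage helper for the O4 lines singled out in this thread (the "[] ifconfig.exe" and "[Microsoft] rtvcscan.exe" backdoors above, and the CnsMin rundll32 entry in the list just posted). It is an added example, not a tool from this thread or from HijackThis: it parses the registry-backed O4 entries and flags an empty or vendor-only value name, an executable given as a bare file name instead of a full path, and rundll32 loading a DLL out of Downloaded Program Files. The sample lines are copied from logs in this thread; the function names and the GENERIC_NAMES list are my own assumptions.

```python
import re
from typing import List, Optional

# Constructed sample input: O4/O23 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [] ifconfig.exe",
    r"O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe",
    r"O4 - HKLM\..\RunServices: [] ifconfig.exe",
    r"O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe",
    r"O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)",
]

# Registry-backed O4 entries look like: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

# Assumed list of value names that are only a vendor/OS word. The legitimate entries in the
# thread's logs name a product (NGClient, ccApp, iTunesHelper); a bare "Microsoft" names none.
GENERIC_NAMES = {"microsoft", "windows"}


def parse_o4(line: str) -> Optional[dict]:
    """Split a registry-backed O4 line into hive, key, value name, command and image path.
    Global Startup (.lnk) entries and non-O4 lines are not Run values: return None."""
    m = O4_REG.match(line)
    if not m:
        return None
    hive, key, name, command = m.groups()
    if command.startswith('"'):
        image = command[1:command.find('"', 1)]   # quoted long path
    else:
        image = command.split(" ", 1)[0]          # first token of the command
    return {"hive": hive, "key": key, "name": name, "command": command, "image": image}


def triage(lines: List[str]) -> List[dict]:
    """Return one finding per O4 entry that shows a persistence pattern worth a closer look."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        name, image, command = entry["name"], entry["image"], entry["command"]
        reasons = []
        if name == "":
            reasons.append("empty value name")
        elif name.lower() in GENERIC_NAMES:
            reasons.append(f"vendor-only value name '{name}' with no product named")
        if image.lower().endswith("rundll32.exe"):
            # rundll32 itself is legitimate; the DLL it is told to load is what matters.
            dll_arg = command.split(" ", 1)[1].lower() if " " in command else ""
            if "downlo~1" in dll_arg or "downloaded program files" in dll_arg:
                reasons.append("rundll32 loads a DLL from Downloaded Program Files")
        elif "\\" not in image:
            reasons.append(f"bare file name '{image}': no path, resolved via the search path")
        if reasons:
            findings.append({"line": line, "hive": entry["hive"], "key": entry["key"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['hive']}\\..\\{f['key']}: {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above it reports the five entries the thread's helper told the poster to fix and leaves the vendor-named, full-path entries alone.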

Miopip
2007-03-04, 19:10
From the list of HJT files that, if there, you suggested I delete I had:
R3, the CnsHook Class
04 CnsMin.dll/Rundll32
011 Options group

I also had R1 Search page: http://www.yahoo.com.cn which I deleted.

Here's the log after restart:
Logfile of HijackThis v1.99.1
Scan saved at 12:13:12 PM, on 3/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Miopip
2007-03-04, 19:12
Am I reading the HJT log correctly? Seems like the problems are:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm

Mr_JAk3
2007-03-04, 21:55
Hi again :)

Looks much better.

Yes, fix the following entries with HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm

Then we'll run one more scan just in case.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a HijackThis log

Miopip
2007-03-05, 04:18
Ugh. I'm getting an error: 'some components are damaged or not present. Please reinstall the application' when trying to run Kaspersky. Any suggestions?

Mr_JAk3
2007-03-05, 07:18
Hmm, please try Panda instead:

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

How is the computer running?

Miopip
2007-03-05, 17:49
Thanks, I'll try the Panda and let you know.

The computer seems to be running more efficiently, particularly the Net. I was getting a ton of popups; they're reduced practically to nil and it's really just popups from Orbitz.

All these programs I've downloaded, which should I keep? Obviously the firewall (I chose ZoneAlarm). And probably HJT; I'd used that one in the past and it did well. But what about all the others?

:bigthumb:

Mr_JAk3
2007-03-05, 19:11
Hi :)

Firewall and Antivirus are very important. Most of the tools we used are just search tools that can be removed when we're done.

Just noticed that you have a few McAfee leftovers, you could run this cleanup tool --> Link (http://ts.mcafeehelp.com/displaydoc.asp?frames=1&docid=408302&CategoryId=107187)

Post the Panda results when ready :bigthumb:

Miopip
2007-03-06, 03:36
:mad:

This is strange. When trying to download Panda I get the following error. I've even tried rebooting. I have enough disk space for this so I'm not sure what's happening. Could it be that the ActiveX is not being allowed to download?

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again. Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

Mr_JAk3
2007-03-06, 09:08
Hi :)

Ok, the problem is probably in the Internet Explorer settings, they won't allow ActiveX components. But it is good to have tight IE settings.

You could update your Norton and run a full system scan instead of Panda.

:bigthumb:

Miopip
2007-03-06, 19:58
Ok, will run the full system scan. Should I post results? Also noticed rtvcscan.exe is back.

Mr_JAk3
2007-03-06, 21:12
Ok please post the results if possible and also a fresh HijackThis log. :bigthumb:

Miopip
2007-03-07, 17:54
Will do. I'm having some trouble...I tried running a full scan but was told I didn't have enough disk space. That confused me. I have 2 hard drives. C:/ is a 6 GB drive that is essentially full. D:/ is a 40 GB drive with 9 GB remaining. I'm scratching my head. I ran a full scan about a week before we started troubleshooting and I had no trouble running the scan.

Mr_JAk3
2007-03-07, 21:19
Hi :)

Hmm...

We may use this scanner too:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing to internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g. MWav Results). Reboot into normal Windows and post the results here along with a fresh HijackThis log.

Miopip
2007-03-12, 14:39
I'll post results of scan in the next 24 hours. Sorry for delay.

I ran a Hijack This log and noticed rtvcscan.exe is back. Why/how are they coming back?

Mr_JAk3
2007-03-12, 21:44
Why/how are they coming back?
They seem to like your computer :)

Well sometimes if something bad is left to the computer, they download more baddies. Your entries may be some leftovers too, I'll be able to tell more when I see the latest logs...

:bigthumb:

Miopip
2007-03-13, 16:40
If you hear a sound all the way over there it's my angered scream. I'm sorry but I'm even having difficulty downloading your suggested MWav. Here's the issue- my pc has 2 hard drives, C:/ is tiny and so I keep running into issues of having enough space, D:/ has 9 GB remaining. I tried downloading MWav to D:/ but it wouldn't take. So my next step I think is to see what can be removed from C:/, unless you have any other suggestions.

:mad:

Mr_JAk3
2007-03-13, 21:20
Hmm...

Could you post a fresh HijackThis log :bigthumb:

Miopip
2007-03-14, 05:27
Sure, here's the log:

These guys are back:
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe

And this one looks new:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)

Logfile of HijackThis v1.99.1
Scan saved at 11:29:40 PM, on 3/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\WINNT\system32\rtvcscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft] rtvcscan.exe
O4 - HKLM\..\RunServices: [Microsoft] rtvcscan.exe
O4 - HKCU\..\Run: [Microsoft] rtvcscan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-03-15, 11:14
Hmm I wonder how it came back. You have a firewall so this is a bit odd...

Please remove the previous versions of SDFix.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

:bigthumb:

Miopip
2007-03-17, 17:23
SDFix: Version 1.73

Run by administrator - Sat 03/17/2007 - 10:50:44.41

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\Documents and Settings\Administrator\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\rtvcscan.exe - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\jianquin.lu.old\prf102.tmp
C:\Documents and Settings\jianquin.lu.old\prf20.tmp
C:\Documents and Settings\jianquin.lu.old\prf30.tmp
C:\Documents and Settings\jianquin.lu.old\prf7A.tmp
C:\Documents and Settings\jianquin.lu.old\prf9F.tmp
C:\Documents and Settings\jianquin.lu.old\prfAD.tmp
C:\Documents and Settings\jianquin.lu.old\prfCD.tmp
C:\WINNT\Temp\OLD283.tmp
C:\WINNT\Temp\OLD284.tmp
C:\WINNT\Temp\OLD2F1.tmp
C:\WINNT\Temp\OLD2F2.tmp
C:\WINNT\Temp\OLD51.tmp
C:\WINNT\Temp\OLD52.tmp
C:\WINNT\Temp\OLD7F.tmp
C:\WINNT\Temp\OLD80.tmp
C:\WINNT\Temp\OLD92.tmp
C:\WINNT\Temp\OLD93.tmp
C:\WINNT\Temp\OLD99.tmp
C:\WINNT\Temp\OLD9A.tmp
C:\WINNT\Temp\OLDD.tmp
C:\WINNT\Temp\OLDE.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 11:26:59 AM, on 3/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

What is: O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)?

Mr_JAk3
2007-03-17, 23:24
Ok Hjt log looks good now.

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)

Seems to be a leftover. You've had Ati videocard/software installed?

=======

Please run a new scan with GMER and post the log to here. Also you could update Norton and run a complete system scan.

:bigthumb:

Miopip
2007-03-18, 14:26
GMER is running now....results to follow.

As it runs I'm getting anti-virus popups, including:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gmer.exe (PID 1656)
Time: Sunday, March 18, 2007 8:29:27 AM

Miopip
2007-03-18, 15:56
GMER results:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-18 09:58:19
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys

---- EOF - GMER 1.0.12 ----

NOTE: I still have the VS Add in under Add/Remove Programs. How do I get rid of that? When I try add/remove nothing happens...

Miopip
2007-03-18, 15:57
Oh, and yes, I had ATI installed. (Not by me; this PC was given to me)

Mr_JAk3
2007-03-19, 13:29
Ok it is beginning to look good :)

For the Ati leftover:

Disable the bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to Ati HotKey Poller
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; Ati HotKey Poller
Answer Yes
Close HijackThis

Then the VS-Add in leftover...

Open HijackThis.
Open the Misc Tools section
Open Uninstall Manager
Scroll down to the following entry and select it with your mouse; Vs-add in
Delete this entry
Answer Yes
Close HijackThis

Let me know how things are running :bigthumb:

Miopip
2007-03-19, 17:29
Thanks. I will try that. Reason for this post: I ran another HijackThis scan and saw that my old nemesis rtvcscan is back again! The last scan looked clean after running SDFix. But less than 24 hrs later it returned. What could be the cause of this? Like you said, I've got that firewall on, I get many popups from ZoneAlarm indicating that access to my pc was blocked.

Miopip
2007-03-20, 15:32
That worked. I do not see the VSAdd-in under Add/Remove Programs anymore. Computer is running pretty well. My only concern now is the rtvcscan that keeps reappearing. I manually delete it from HijackThis when I do a scan but it comes back every day.

Mr_JAk3
2007-03-21, 13:57
I'm sorry for the huge delay, I've been very busy the last two days...

Ok that rtvcscan is very bad....we'll do some more research....


1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Miopip
2007-03-22, 01:47
No worries. Ok, downloaded this to desktop and several icons appeared on desktop. I opened the ComboFix and got a window that said 'Cannot find the file specified'. I uninstalled and went to reinstall and got a 'not enough free disk space' so I'm cleaning up my C:/, which could take a ton of time. Very sloooowly happening. I'll keep you posted on my progress.

I did notice something strange that I didn't see before ComboFix. My clock is in military time and when I scroll over time my date is in 07-03-21 format and not in March 21, 2007. Strange!

Miopip
2007-03-22, 03:08
Well, I got the clock fixed. What the heck could have caused that??

Mr_JAk3
2007-03-22, 08:58
Hello :)

Were you able to run ComboFix?
You may move the ComboFix.exe in the root of C-Drive if it doesn't want to run (C:\ComboFix.exe). Post the log to here when ready.

Hmm I haven't noticed ComboFix changing the clock output...

Miopip
2007-03-24, 18:29
Sorry for the delay. Thanks for the suggestion. I saved ComboFix at the root of C:/.

Here's the logfile. And there's rtvcscan.exe. I saw this process running in Task Manager and stopped it. But every time I run the HJT scan I see it returning. There is also an rtvscan.exe but that one, I understand, is legitimate.

Let me know what's next when you have a minute!

"administrator" - Sat 03/24/2007 12:23:02 Service Pack 4
ComboFix 07-03-23 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2007-02-24 to 2007-03-24 ))))))))))))))))))))))))))))))))))


2007-03-24 11:58 1,112,630 --a--c--- C:\ComboFix.exe
2007-03-23 16:04 <DIR> d-------- C:\Program Files\Verizon
2007-03-18 13:27 602,112 -r-hs---- C:\WINNT\system32\rtvcscan.exe
2007-03-07 19:13 <DIR> d-------- C:\Program Files\iPod
2007-03-07 18:27 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-06 23:02 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-06 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-03-05 19:32 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-03-04 20:36 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-03-04 09:50 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-03-04 09:48 75,512 --a------ C:\WINNT\zllsputility.exe
2007-03-04 09:47 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-03-04 09:34 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-03-04 09:33 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-03-04 09:30 <DIR> d-a------ C:\WINNT\Internet Logs
2007-02-27 08:11 35,328 --a------ C:\WINNT\system32\drivers\marjle.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-24 12:20 -------- d-------- C:\Program Files\symantec antivirus
2007-03-07 18:23 754 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\adobedlm.log
2007-03-07 17:28 902 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\dm.ini
2007-02-18 13:41 -------- d-------- C:\Program Files\google
2007-01-22 09:05 103550 --a------ C:\mix0x.exe
2007-01-11 13:27 1482752 --a------ C:\s1st1fu.exe
2007-01-09 20:01 1190400 --a------ C:\stfu.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"iTunesHelper"="\"D:\\Program Files\\iTunes 7\\iTunesHelper.exe\""
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"="rtvcscan.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@="ifconfig.exe"
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRV10710
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RASAUTO


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sat 2007-03-24 12:29:26

Mr_JAk3
2007-03-25, 12:45
Hi again :)

Ok I can see the buggers now. Let's see what these really are:

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINNT\system32\drivers\marjle.sys
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Do the same for these and post the results to here

C:\mix0x.exe
C:\s1st1fu.exe
C:\stfu.exe

:bigthumb:

Miopip
2007-03-25, 17:28
STATUS: FINISHEDComplete scanning result of "marjle.sys", received in VirusTotal at 03.25.2007, 16:11:26 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 no virus found
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 VirTool:WinNT/Protmin.gen!B
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 no virus found
Prevx1

STATUS: FINISHEDComplete scanning result of "mix0x.exe", received in VirusTotal at 03.25.2007, 16:19:03 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 Win32:SpyBot-A334
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 W32/Ircbot1.gen
F-Secure 6.70.13030.0 03.24.2007 Backdoor.Win32.Rbot.gen
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 Backdoor:Win32/Rbot.gen
NOD32v2 2144 03.25.2007 a variant of Win32/Rbot
Norman 5.80.02 03.23.2007 W32/Spybot.BIHK
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 no virus found
Sophos 4.15.0 03.23.2007 W32/Rbot-GHN
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83

Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen ???

Miopip
2007-03-25, 17:44
STATUS: FINISHEDComplete scanning result of "s1st1fu.exe", received in VirusTotal at 03.25.2007, 16:29:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 no virus found
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 no virus found
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.24.2007 no virus found
VirusBuster 4.3.7:9 03.25.2007 no virus found
Webwasher-Gateway 6.0.1 03.25.2007 Win32.Malware.gen (suspicious)


STATUS: FINISHEDComplete scanning result of "stfu.exe", received in VirusTotal at 03.25.2007, 16:35:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Agent.1190400
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 DeepScan:Generic.Malware.G!I!!FLMWX!!Bg.58283A94
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 no virus found
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 no virus found
Prevx1 V2 03.25.2007 Covert.Sys.Exec
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.24.2007 no virus found
VirusBuster 4.3.7:9 03.25.2007 no virus found
Webwasher-Gateway 6.0.1 03.25.2007 Trojan.Agent.1190400
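
Comparing the four plain-text VirusTotal reports above engine by engine is tedious, and the question about the Kaspersky line is really "how many engines agree, and on what". The parser below is an added example, not code from this thread or from VirusTotal; it reads the 2007-era text layout pasted above (a `STATUS: FINISHED...` header, then one `engine version date result` line per engine) and separates named family detections from generic "suspicious" flags. `SAMPLE` is a shortened excerpt of the mix0x.exe and s1st1fu.exe reports above, and the `SUSPICIOUS_WORDS` list is a constructed heuristic, not VirusTotal's own classification.

```python
"""Summarise plain-text VirusTotal reports of the kind pasted in this thread.

Added example (not from the thread or from VirusTotal). Assumes the layout:
  STATUS: FINISHEDComplete scanning result of "<file>", received in ...
  Antivirus Version Update Result
  <engine> <version> <MM.DD.YYYY> <result>
Lines with no result column (a truncated paste such as 'UNA 1.83') are skipped.
"""
import re
from dataclasses import dataclass, field

CLEAN = "no virus found"
# Constructed heuristic: results containing these words are generic flags,
# not a named malware family.
SUSPICIOUS_WORDS = ("suspicious", "generic", "heuristic", "dnascan")

HEADER_RE = re.compile(r'scanning result of "([^"]+)"')
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


@dataclass
class Report:
    filename: str
    verdicts: dict = field(default_factory=dict)  # engine -> result text

    def detections(self):
        """Engines that returned anything other than 'no virus found'."""
        return {e: r for e, r in self.verdicts.items() if r.lower() != CLEAN}

    def named(self):
        """Detections that carry a family name rather than a generic flag."""
        return {e: r for e, r in self.detections().items()
                if not any(w in r.lower() for w in SUSPICIOUS_WORDS)}

    def ratio(self):
        """Detections over engines that actually reported, e.g. '4/6'."""
        return f"{len(self.detections())}/{len(self.verdicts)}"


def parse_reports(text):
    """Split a pasted VirusTotal text dump into one Report per file."""
    reports, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.search(line)
        if m:                       # new file section
            current = Report(m.group(1))
            reports.append(current)
            continue
        if current is None or line.startswith("Antivirus Version"):
            continue
        m = ENGINE_RE.match(line)
        if m:
            current.verdicts[m.group(1)] = m.group(4).strip()
    return reports


# Constructed sample: a shortened excerpt of two reports from this thread.
SAMPLE = """\
STATUS: FINISHEDComplete scanning result of "mix0x.exe", received in VirusTotal at 03.25.2007, 16:19:03 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Crypt.XPACK.Gen
Avast 4.7.936.0 03.23.2007 Win32:SpyBot-A334
CAT-QuickHeal 9.00 03.23.2007 (Suspicious) - DNAScan
Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen
Symantec 10 03.25.2007 no virus found
UNA 1.83

STATUS: FINISHEDComplete scanning result of "s1st1fu.exe", received in VirusTotal at 03.25.2007, 16:29:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
Panda 9.0.0.4 03.24.2007 Suspicious file
Webwasher-Gateway 6.0.1 03.25.2007 Win32.Malware.gen (suspicious)
"""

if __name__ == "__main__":
    for r in parse_reports(SAMPLE):
        print(f"{r.filename}: {r.ratio()} engines flagged; named families:")
        for engine, result in r.named().items():
            print(f"    {engine:20} {result}")
```

Run on the full reports above it makes the picture clearer than the raw tables: mix0x.exe is named as an Rbot/SpyBot IRC backdoor by several independent vendors, while s1st1fu.exe only collects generic "suspicious" flags, which is weaker evidence and a reason to look at the file's other properties (packer, hashes) before deciding.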

Miopip
2007-03-25, 18:47
Do you need the additional info, as well? Here it is for stfu and marjle.

Additional Information on stfu.exe scan:
File size: 1190400 bytes
MD5: 014a162e66c1ebd116c1834ee6bec45f
SHA1: b913ceb9fb4b3e3fec51ceae222fe6bf8471c40b
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2ba369153975
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Additional Information on marjle.sys
File size: 35328 bytes
MD5: 54a971826b86e397ac02dbc7bf2cfcc2
SHA1: 04edab2b0ad045e2d0d6b64df1a8d3b695cb9e6d

Miopip
2007-03-25, 18:48
Do you need the 'additional info', as well? Here it is for stfu and marjle.

Additional Information on stfu.exe scan:
File size: 1190400 bytes
MD5: 014a162e66c1ebd116c1834ee6bec45f
SHA1: b913ceb9fb4b3e3fec51ceae222fe6bf8471c40b
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2ba369153975
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Additional Information on marjle.sys
File size: 35328 bytes
MD5: 54a971826b86e397ac02dbc7bf2cfcc2
SHA1: 04edab2b0ad045e2d0d6b64df1a8d3b695cb9e6d

Mr_JAk3
2007-03-25, 21:35
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

rtvcscan.exe


Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"=-


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=-
"Microsoft"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINNT\system32\rtvcscan.exe
C:\WINNT\system32\drivers\marjle.sys
C:\mix0x.exe
C:\s1st1fu.exe
C:\stfu.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Restart the computer. Run ComboFix again and post the log to here.
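
The Fix.reg above was written by hand after reading the ComboFix "Reg Loading Points" dump. The script below is an added example, not code from this thread, from ComboFix or from HijackThis: it parses a dump in that layout, flags entries by the same signs the helper used by eye (a bare executable name with no path, a value named "Microsoft", the key's default `@` value used as an autorun, and one command replicated across several Run keys), and writes a REGEDIT4 removal file in the `"name"=-` / `@=-` form used above, ending with the blank line regedit needs. `SAMPLE` is an excerpt of the dump posted earlier in the thread; the flagging heuristics are constructed for illustration and the `.reg` escaping assumed is the standard one (`\\` for a backslash, `\"` for a quote).

```python
"""Audit ComboFix 'Reg Loading Points' output and build a REGEDIT4 fix file.

Added example; not from the thread, ComboFix or HijackThis. Assumes the dump
layout shown above: [key] headers followed by "name"="value" or @="value"
lines, with .reg string escaping (\\ -> \, \" -> ").
"""
import re
from collections import Counter

AUTORUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def unquote(s):
    """Strip the quotes around a .reg string and undo its escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_loading_points(text):
    """Return (key, name, command) for each value under an autorun key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or key.rsplit("\\", 1)[-1].lower() not in AUTORUN_KEYS:
            continue                     # e.g. run\OptionalComponents\IMAIL
        m = VALUE_RE.match(line)
        if m:
            name = "@" if m.group(1) == "@" else unquote(m.group(1))
            entries.append((key, name, unquote(m.group(2))))
    return entries


def executable_of(command):
    """The program part of a command line: quoted path, or text up to .exe."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit(entries):
    """Map (key, name) -> reasons the entry looks suspicious (constructed)."""
    seen = Counter(executable_of(c).lower() for _, _, c in entries)
    findings = {}
    for key, name, command in entries:
        exe = executable_of(command)
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename, no path (resolved via search path)")
        if name.lower() == "microsoft":
            reasons.append("value name impersonates Microsoft")
        if name == "@":
            reasons.append("default (@) value used as an autorun")
        if seen[exe.lower()] >= 3:
            reasons.append(f"same command in {seen[exe.lower()]} autorun keys")
        if reasons:
            findings[(key, name)] = reasons
    return findings


def regedit4_fix(findings):
    """REGEDIT4 text deleting each flagged value; ends with a blank line."""
    by_key = {}
    for key, name in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend("@=-" if n == "@" else f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines) + "\n"


# Constructed sample: excerpt of the ComboFix dump posted earlier in the thread.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"="rtvcscan.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@="ifconfig.exe"
"Microsoft"="rtvcscan.exe"
"""

if __name__ == "__main__":
    found = audit(parse_loading_points(SAMPLE))
    for (key, name), reasons in found.items():
        print(f"{key}\n  {name}: {'; '.join(reasons)}")
    print(regedit4_fix(found))
```

The generated file only removes the loading points, as the helper's Fix.reg does; the executable itself still has to be moved out (the OTMoveIt step) or the entries come back on the next reboot, which is the pattern seen earlier in this thread.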

Miopip
2007-03-26, 04:52
ComboFix log:

"administrator" - Sun 03/25/2007 21:43:23 Service Pack 4
ComboFix 07-03-23 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2007-02-25 to 2007-03-25 ))))))))))))))))))))))))))))))))))


2007-03-25 21:23 40,803,056 --a--c--- C:\RegBackUp.reg
2007-03-24 11:58 1,112,630 --a--c--- C:\ComboFix.exe
2007-03-23 16:04 <DIR> d-------- C:\Program Files\Verizon
2007-03-07 19:13 <DIR> d-------- C:\Program Files\iPod
2007-03-07 18:27 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-06 23:02 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-06 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-03-05 19:32 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-03-04 20:36 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-03-04 09:50 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-03-04 09:48 75,512 --a------ C:\WINNT\zllsputility.exe
2007-03-04 09:47 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-03-04 09:34 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-03-04 09:33 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-03-04 09:30 <DIR> d-a------ C:\WINNT\Internet Logs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-25 21:39 -------- d-------- C:\Program Files\symantec antivirus
2007-03-07 18:23 754 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\adobedlm.log
2007-03-07 17:28 902 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\dm.ini
2007-02-18 13:41 -------- d-------- C:\Program Files\google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"iTunesHelper"="\"D:\\Program Files\\iTunes 7\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRV10710


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sun 2007-03-25 21:48:19
C:\ComboFix2.txt ... 07-03-24 12:29

Mr_JAk3
2007-03-26, 21:10
Hello :)

Looks like we nailed it :)
Any issues?

Miopip
2007-03-27, 04:46
Hey! I think we're all good. My HJT log (unless I'm missing something) looks clean. I can't tell you how excited I am. This is awesome! You rock!

Logfile of HijackThis v1.99.1
Scan saved at 9:48:39 PM, on 3/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\iTunes 7\iTunes.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-03-27, 20:42
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You can delete the folder, C:\_OtMoveIT

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Miopip
2007-03-28, 19:10
Excellent! If there's any way I can tell others you work with on this site please let me know. You were extremely patient and unbelievably helpful. I, and my PC, thank you for your time, patience and efforts. Well done!

-Miodrag

:bigthumb:

Mr_JAk3
2007-03-29, 19:28
Thank you for the kind words and you're very welcome :D

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: