Please help remove Ceres-HijackThis log



#1 xcalnd1 (Member, 18 posts)

Hello, can anyone help with my issue with the Ceres popups? I've run Ad-Aware and Spybot in safe mode multiple times to get rid of it, and it always comes back. Here is my HijackThis log. Thanks in advance!!!



Logfile of HijackThis v1.99.1
Scan saved at 8:29:56 AM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\windows\system32\dbtxei.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\windows\system32\packager.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: download.abetterinternet.com 127.0.0.1
O1 - Hosts: download.abetterinternet.com/download/cabs/CSDLL_O/ceres.cab 127.0.0.1
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {933A632C-278B-45EF-AB2E-F324BC11649D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [dbtxei] c:\windows\system32\dbtxei.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Dell Home - {C02E3700-038B-11D6-9DFD-00065B61A109} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.co...yFamilyTree.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcANYWHERE Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


#2 Swandog46 (Malware Expert, MVP, 1,026 posts)

Hi xcalnd1,

Welcome to GTG. Thank you for your patience. Since it has been a few days since your original log was posted, can you please post a fresh HijackThis log for me? I would be happy to take a look at it. ;)

#3 xcalnd1 (Topic Starter, Member, 18 posts)

Hi there and thanks for helping! I was new when I posted the original email and did not know about the steps to take before posting it. I did go through that procedure and it looks like the Ceres popups are gone, but the IE browser does not work the same as before. I keep getting 'access is denied' errors and windows update stops at 'preparing to download' the updates. I've tried reinstalling IE but the issue remains.

Could this be adware related?

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:51 PM, on 6/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {933A632C-278B-45EF-AB2E-F324BC11649D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Dell Home - {C02E3700-038B-11D6-9DFD-00065B61A109} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.co...yFamilyTree.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcANYWHERE Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#4 Swandog46 (Malware Expert, MVP, 1,026 posts)

Hi xcalnd1,

You got most of it, but I want to dig deeper and make sure nothing is left over and interfering with your Internet Explorer. Please run HijackThis, click Scan, and check:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: (no name) - {933A632C-278B-45EF-AB2E-F324BC11649D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

Close all open windows except for HijackThis and click Fix Checked.

Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Next, please download the free MWAV antivirus tool from here:
ftp://ftp.microworldsystems.com/download/tools/mwav.exe
Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

Finally, please run Notepad and paste the following text into a new file:

rem Export the machine and user Policies branches to text files
regedit /e pol1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies"
regedit /e pol2.txt "HKEY_CURRENT_USER\SOFTWARE\Policies"
regedit /e pol3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e pol4.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
rem Join the four exports into one log.txt (cmd accepts "=" as a separator, so this is copy src1+src2 dest)
copy pol1.txt + pol2.txt = pol5.txt
copy pol3.txt + pol4.txt = pol6.txt
copy pol5.txt + pol6.txt = log.txt
rem Remove the intermediate files
del pol1.txt
del pol2.txt
del pol3.txt
del pol4.txt
del pol5.txt
del pol6.txt

Save the file to the Desktop as log.bat, and make sure the "Save as type" field says "All files". Then double-click on the log.bat file on the desktop. This will create a file on your desktop called log.txt. Post the entire contents of the text here for me.

Please also restart your computer and post a new HijackThis log. ;)
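An added example, not part of this thread and not HijackThis code: a small Python triage pass over HijackThis log lines that flags the same classes of entry the expert singled out above. The rules are the author's own rules of thumb rather than anything HijackThis does itself: any O1 hosts-file entry, any entry marked "(no file)" or "(file missing)" (an orphan that is safe to tick and fix because nothing is left on disk), an O2 BHO whose DLL sits directly in C:\WINDOWS rather than in a program directory, and an O4 Run value whose name is simply the name of a system32 executable. The sample lines are copied from the two logs posted in this thread, with two clean entries kept as negatives.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs posted in this
# thread, plus clean entries (AVG, NeroCheck, SDHelper) so the rules have negatives.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: download.abetterinternet.com 127.0.0.1
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: (no name) - {933A632C-278B-45EF-AB2E-F324BC11649D} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dbtxei] c:\windows\system32\dbtxei.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    line: str      # the full log line
    reason: str    # why the rule flagged it


SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - ")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"\s]+)')
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage(log_text: str) -> list:
    """Apply the rules of thumb to every tagged line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header and running-process lines carry no section tag
        section = m.group("section")
        if section == "O1":
            # A hosts-file entry in a home user's log is almost always worth a look
            findings.append(Finding(section, line, "hosts-file redirect"))
        elif any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, line, "orphan: registered object has no file on disk"))
        elif section == "O2":
            bm = BHO_RE.match(line)
            # A BHO DLL dropped straight into %SystemRoot% instead of a program directory
            if bm and re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.dll", bm.group("path")):
                findings.append(Finding(section, line, "BHO loaded from the bare Windows directory"))
        elif section == "O4":
            rm = RUN_RE.match(line)
            if rm:
                path = rm.group("path")
                exe_stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # Value name identical to a system32 executable name: typical of dropper persistence
                if exe_stem.lower() == rm.group("name").lower() and "\\system32\\" in path.lower():
                    findings.append(Finding(section, line, "Run value named after an unknown system32 executable"))
    return findings


def fix_list(findings) -> list:
    """The orphans: entries that can be ticked in HijackThis with nothing on disk to lose."""
    return [f.line for f in findings if f.reason.startswith("orphan")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<55} {f.line}")
```

Run against a full log, the output is the shortlist a helper would ask the poster to tick; everything else (AVG, the Spybot SDHelper BHO, NeroCheck) passes through untouched. The heuristics are deliberately narrow, so a clean verdict from this script is not a clean verdict on the machine.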

#5 xcalnd1 (Topic Starter, Member, 18 posts)

Hello and thanks again! I removed the 4 items using HijackThis and ran SilentRunners. Here's the SilentRunners log:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\MLSHEXT.DLL" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{FACEB421-912E-11D3-B7D5-0080AD41AF95}" = "ZipStar Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPEEDPROJECT\ZIPSTAR 4\ZSSHELL.DLL" ["SpeedProject"]
"{0D302F2C-8EA6-11CE-B035-444553540000}" = "pcANYWHERECallerShellExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A0-9f0D-11CE-B035-444553540000}" = "pcANYWHERECallerPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC1-972F-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlShellExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92a681a1-9f0d-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC2-972F-11CE-B035-444553540000}" = "pcANYWHEREBeHostExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A2-9f0D-11CE-B035-444553540000}" = "pcANYWHEREBeHostPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC3-972F-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A3-9f0D-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC4-972F-11CE-B035-444553540000}" = "pcANYWHEREGatewayExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A4-9f0D-11CE-B035-444553540000}" = "pcANYWHEREGatewayPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\B4FM.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "C:\WINDOWS\System32\awgina.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\WebshotsForSysadmin.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\Webshots.scr" ["Auralis, Inc."]


Startup items in "sysadmin" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\sysadmin\Start Menu\Programs\Startup
"Webshots" -> shortcut to: "C:\Program Files\Webshots\WebshotsTray.exe" ["The Webshots Corporation"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]


Enabled Scheduled Tasks:
------------------------

"Modem & Network" -> launches: "C:\WINDOWS\Desktop\modem network.BHF" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 08, 11 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{C02E3700-038B-11D6-9DFD-00065B61A109}\
"ButtonText" = "Dell Home"
"Exec" = "http://business.dellnet.com/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
"CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
ObjectStore Cache Manager R6.0, ObjectStore Cache Manager R6.0, "C:\ODI\OStore\BIN\OSCMGR6.EXE" ["eXcelon Corp."]
ObjectStore Server R6.0, ObjectStore Server R6.0, "C:\ODI\OStore\BIN\OSSERVER.EXE" ["eXcelon Corp."]
ptssvc, ptssvc, "C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe" ["KODAK"]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Now, here's the log from the MWAV antivirus tool scan:

Object "saap Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\ATL.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\danim.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\ddrawex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\iuengine.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\quartz.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\wupdmgr.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00020344-0000-0000-C000-000000000046}" refers to invalid object "mapisrvr.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0A4550F5-9BC3-4152-B387-A6A92314EFB9}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000a-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000b-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000c-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000d-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000e-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b0015-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8B621BBF-A21D-4311-92E5-A98E7DDDF36A}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E16892B-25C6-431f-8297-0EABCF13AC59}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98F933D7-551D-45c5-A99A-93D438DA87D9}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A15C359E-0A0E-4afa-9C6A-7AEC4F7B9C93}" refers to invalid object "msnmetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC67367A-8B15-47BC-B7F8-0BA0435A504A}" refers to invalid object "MSNCON32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DCEDFCBF-C7D1-4B81-A20F-7524D306135E}" refers to invalid object "MSNCON32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ButtonProvider" refers to invalid object "{69E5414B-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ButtonProvider.1" refers to invalid object "{69E5414B-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.FolderChooser" refers to invalid object "{69E5414F-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.FolderChooser.1" refers to invalid object "{69E5414F-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ScriptChooser" refers to invalid object "{69E5414D-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ScriptChooser.1" refers to invalid object "{69E5414D-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\AOL.IEToolbar" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.
Entry "HKCR\AOL.IEToolbar.1" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.
Entry "HKCR\AolBridge.AolBrowserBridge" refers to invalid object "{B6069E5C-B409-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\AolBridge.AolBrowserBridge.1" refers to invalid object "{B6069E5C-B409-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACApptTypeCombo.1" refers to invalid object "{F0CABE48-0484-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarDCtrl.1" refers to invalid object "{3AEE3932-59BB-11D3-A8CC-005004A0F323}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACColorPick.1" refers to invalid object "{F0CABE45-0484-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayViewCtrl" refers to invalid object "{0410820E-D7CB-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayViewCtrl.1" refers to invalid object "{0410820E-D7CB-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDictionary.1" refers to invalid object "{F09500A4-0A08-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMonthViewCtrl.1" refers to invalid object "{5F6B2D5A-CFEB-11D3-A74E-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMPickerCtrl.1" refers to invalid object "{F5E941E8-DA94-11D3-8B69-00105AA31C20}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACToolBarCtrl.1" refers to invalid object "{66DD4567-DA5C-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACWebDlgHelper.1" refers to invalid object "{CD961C04-E3BC-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\BackWeb.Client.ScriptHelper-" refers to invalid object "{A0EC6B8B-3129-47E0-9C0A-F5A986E6C377}". Action Taken: No Action Taken.
Entry "HKCR\cliproxy.objects" refers to invalid object "{E381F1C0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliproxy.objects.1" refers to invalid object "{E381F1C0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliscan.objects" refers to invalid object "{E381F1D0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliscan.objects.1" refers to invalid object "{E381F1D0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIBatcher60.Message" refers to invalid object "{14E05213-4D9E-4B4E-BDCE-4D6D6EF952A3}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIBatcher60.Send" refers to invalid object "{B868BB4B-93C0-433F-AC4E-7562993752F6}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIInstMgr60.AppInstance" refers to invalid object "{9377470B-7241-4578-997B-7751F7AB84A1}". Action Taken: No Action Taken.
Entry "HKCR\CognosPowerPrompts.Model.cer1" refers to invalid object "{F38EFEF7-098B-11d4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\CogUdf.CogRExp" refers to invalid object "{5D287322-AB5C-11D4-9DD5-00D0B71329D8}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.Animation" refers to invalid object "{1E216240-1B7D-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.Animation.1" refers to invalid object "{1E216240-1B7D-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.UpDown" refers to invalid object "{026371C0-1B7C-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.UpDown.1" refers to invalid object "{026371C0-1B7C-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DameWare.Cal32Ctrl.1" refers to invalid object "{891C9A24-4070-11CF-8E46-00AA006DB209}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet.1" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.BroadcastInterface" refers to invalid object "{6C10218F-6A4E-11D2-AB8B-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.Configuration" refers to invalid object "{AC0758BA-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.ControlInterface" refers to invalid object "{AC0758B4-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.LicenseInterface" refers to invalid object "{F0BCF754-4306-11D2-AB83-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\EyreTel.LicenseServer" refers to invalid object "{765E6444-20A2-11D2-9DA6-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\EyreTel.SecurityInterface" refers to invalid object "{E9AE7864-5DC2-11D2-AB87-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.SecurityServer" refers to invalid object "{7FADD504-2ADF-11D2-9DA8-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.Status" refers to invalid object "{AC0758B7-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\FireLink.FireLink.1" refers to invalid object "{D991B0BE-0D0D-11D1-858B-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\GraphViewLib.EdgeArrow" refers to invalid object "{DC7B46F2-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\GraphViewLib.GraphView" refers to invalid object "{DC7B46F7-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\HclFtp.Engine" refers to invalid object "{C7B3087F-E999-11D1-B0D1-006008914D5A}". Action Taken: No Action Taken.
Entry "HKCR\HclFtp.Engine.1" refers to invalid object "{C7B3087F-E999-11D1-B0D1-006008914D5A}". Action Taken: No Action Taken.
Entry "HKCR\Hummingbird.RshCtrl.1" refers to invalid object "{DE39AEC7-3D73-11D0-8E0F-00A0240B2FE9}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SSManager" refers to invalid object "{8B0DE85A-F975-11D2-A985-00A0244D507A}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SSManager.1" refers to invalid object "{8B0DE85A-F975-11D2-A985-00A0244D507A}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SubscriptionInfo" refers to invalid object "{9B3A3465-FE53-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SubscriptionInfo.1" refers to invalid object "{9B3A3465-FE53-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.Subscriptions" refers to invalid object "{F8D14F43-FC26-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.Subscriptions.1" refers to invalid object "{F8D14F43-FC26-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClientUI.UserInterface" refers to invalid object "{DE2F6328-0707-11D4-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClientUI.UserInterface.1" refers to invalid object "{DE2F6328-0707-11D4-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\MAILMON.MailmonCtrl.1" refers to invalid object "{98842923-A0FA-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\MAPI.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\MAPI.Session.1" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\MercLink.S2MessageFilter" refers to invalid object "{F00EEA66-C5AD-11D2-84C3-00104B69AAB4}". Action Taken: No Action Taken.
Entry "HKCR\MercLink.S2MessageFilter.1" refers to invalid object "{F00EEA66-C5AD-11D2-84C3-00104B69AAB4}". Action Taken: No Action Taken.
Entry "HKCR\MERCMESSAGE.MercMessageCtrl.1" refers to invalid object "{C36A2453-7A0C-11D0-94AF-00A0246D0D5F}". Action Taken: No Action Taken.
Entry "HKCR\MONTHVW.MonthvwCtrl.1" refers to invalid object "{278B28A3-6BE1-11D1-A4FC-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraServer" refers to invalid object "{5CEA8296-F9B9-11D1-9E07-00C04FC2BED8}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraServer.3" refers to invalid object "{5CEA8296-F9B9-11D1-9E07-00C04FC2BED8}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraSession" refers to invalid object "{3893B4A0-FFD8-101A-ADF2-04021C007002}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraSession.3" refers to invalid object "{3893B4A0-FFD8-101A-ADF2-04021C007002}". Action Taken: No Action Taken.
Entry "HKCR\ORADC.ORADCCtrl.1" refers to invalid object "{EC4CF635-D196-11CE-9027-02608C4BF3B5}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.ErrorLookup" refers to invalid object "{3FC8E6E4-53FF-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.ErrorLookup.1" refers to invalid object "{3FC8E6E4-53FF-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.Oracle" refers to invalid object "{3F63C36E-51A3-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.Oracle.1" refers to invalid object "{3F63C36E-51A3-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\PShopper.PersonalShopper" refers to invalid object "{8F05DED0-B413-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\PShopper.PersonalShopper.1" refers to invalid object "{8F05DED0-B413-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSConfig" refers to invalid object "{11BE3AE6-C9DF-11D3-8E11-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSConfig.1" refers to invalid object "{11BE3AE6-C9DF-11D3-8E11-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSProductFinder" refers to invalid object "{C0E02720-C9D7-11D3-8E10-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSProductFinder.1" refers to invalid object "{C0E02720-C9D7-11D3-8E10-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\QFORMCTL.QFormCtlCtrl.1" refers to invalid object "{E3749279-23AE-11D0-90C5-00A024095107}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.AlarmVarCtrl.1" refers to invalid object "{979F753D-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.FormatTimeCtrl.1" refers to invalid object "{979F7539-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.GenericCmdsCtrl.1" refers to invalid object "{979F7529-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.NoteCtrl.1" refers to invalid object "{979F752D-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.S2000DispCmds8Ctrl.1" refers to invalid object "{979F7545-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.TimeStampCtrl.1" refers to invalid object "{979F7535-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.TuneCtrl.1" refers to invalid object "{979F7531-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.VarCtrl.1" refers to invalid object "{979F7541-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2MSGEDITOR.S2MsgEditorCtrl.1" refers to invalid object "{6708835D-0C6B-11D3-808F-00105AA9BDD3}". Action Taken: No Action Taken.
Entry "HKCR\S2NUMSPINNER.S2NumSpinnerCtrl.1" refers to invalid object "{965A7B86-9F03-11D1-8660-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SCHDYLST.SchdylstCtrl.1" refers to invalid object "{85AA926D-D8F1-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\SDULISTBOX.SDUListBoxCtrl.1" refers to invalid object "{1054A526-4183-11D1-85D7-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SNOTE.SnoteCtrl.1" refers to invalid object "{36FD55C3-DF00-11CF-8224-00800F24117C}". Action Taken: No Action Taken.
Entry "HKCR\SSCalendar.SSDayCtrl.1" refers to invalid object "{643F1350-1D07-11CE-9E52-0000C0554C0A}". Action Taken: No Action Taken.
Entry "HKCR\SYMONTIME.SymonTimeCtrl.1" refers to invalid object "{22434BA5-AF5F-11D0-8521-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\TAOCMAP.TaocmapCtrl.1" refers to invalid object "{A96D76E3-EF71-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\TrialEnd.TrialEnd.1" refers to invalid object "{438B8ECD-AD2A-11D1-ADEB-0000F87734F0}". Action Taken: No Action Taken.
Entry "HKCR\xxxSubClasser.clsTimer" refers to invalid object "{9D78E757-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\xxxSubClasser.GSubClass" refers to invalid object "{9D78E755-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
File C:\WINDOWS\Cliff.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\sysadmin\Application Data\Mozilla\Profiles\A C\hcgc1nc1.slt\Cache\042ED42Dd01 infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\sysadmin\Local Settings\Application Data\Microsoft\MSN\db\Mail (ACHAVEZ0939@msn.com)\stm0xf000133.000 tagged as not-a-virus:Garbage.HTML.Fraud.gen. No Action Taken.
File C:\My Documents\My Downloads\NSuperEB_install_22.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow2.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Cliff.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40AU.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40CA.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40UK.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40US.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AT&T\ATTKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\CSI\USKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


Here is the log.txt from running the log.bat file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSclient]
"UserNameString"="User Name:"
"PasswordString"="Password:"
"DomainString"="Domain:"
"CredentialsString"="The credentials used for Dynamic DNS registration:"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\7A14F39ACBC0F10040FA1A2F547195D3D86A3DE5]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecFilter"
"ipsecID"="{72385235-70FA-11D1-864C-14A300000000}"
"ipsecName"="All ICMP Traffic"
"ipsecDataType"=dword:00000100
"description"="Matches all ICMP packets between this computer and any other computer."
"whenChanged"=dword:40fc6a9a
"name"="ipsecFilter{72385235-70FA-11D1-864C-14A300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecFilter"
"ipsecID"="{7238523A-70FA-11D1-864C-14A300000000}"
"ipsecName"="All IP Traffic"
"ipsecDataType"=dword:00000100
"description"="Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE)."
"whenChanged"=dword:40fc6a9a
"name"="ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385231-70FA-11D1-864C-14A300000000}"
"ipsecName"="{72385231-70FA-11D1-864C-14A300000000}"
"ipsecDataType"=dword:00000100
"description"="Ā"
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385234-70FA-11D1-864C-14A300000000}"
"ipsecName"="Built-in Default IKE Settings"
"ipsecDataType"=dword:00000100
"description"="Built-in Default IKE Settings"
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,07,\
7d,16,aa,90,de,43,45,b7,9e,23,44,5c,4e,fd,1b,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,40,00,00,00,\
08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,10,\
08,00,00,00,2d,00,03,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,40,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,02,00,00,00,00,00,39,00,01,00,00,00,40,\
00,00,00,08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,01,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,01,00,00,00,00,00,65,00,01,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,\
40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,00,00,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385234-70FA-11D1-864C-14A300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385237-70FA-11D1-864C-14A300000000}"
"ipsecName"="{72385237-70FA-11D1-864C-14A300000000}"
"ipsecDataType"=dword:00000100
"description"="Ā"
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,36,00,2d,00,37,00,30,00,46,00,41,00,2d,00,31,00,31,00,\
44,00,31,00,2d,00,38,00,36,00,34,00,43,00,2d,00,31,00,34,00,41,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,ec,\
41,f1,04,97,b3,e5,43,b4,6f,15,d2,04,d6,48,4d,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,40,00,00,00,\
08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,01,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,00,\
00,00,00,00,00,00,03,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,40,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,98,01,65,00,00,00,02,04,01,00,00,00,40,\
00,00,00,08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,11,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,24,8d,30,21,00,00,16,00,01,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,\
40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,50,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,01,0c,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind
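The registry dump above is a .reg export of the local IPsec policy store, and the values that matter are unreadable as exported: ipsecOwnersReference is a hex(7) REG_MULTI_SZ spread over backslash-continued lines, ipsecData is a binary blob, whenChanged is a dword. The Python below is an added example, not a tool from this thread: it parses .reg syntax, joins the continuation lines, decodes the UTF-16LE multi-strings and reports which object each policy entry references. The embedded sample is the ipsecISAKMPPolicy{72385231-...} key from the dump, trimmed to four values. Two things are assumptions and are marked as such in the code: the leading 16 bytes of every ipsecData blob are read as a little-endian GUID because every blob on the page opens with one of two such values, and whenChanged is treated as a Unix timestamp; the thread confirms neither.

```python
"""Decode a Windows .reg export: hex(7) multi-strings, dwords and binary blobs.

Added example for the IPsec policy dump in this thread; not a tool from the thread.
"""
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: one key from the dump above, reduced to four values. The
# hex(7) continuation lines are copied verbatim from the export; the ipsecData
# blob is truncated after two lines because only its header is decoded here.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
  5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
  00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
  00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
  65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
  00,35,00,32,00,33,00,30,00,2d,00,37,00,30,00,46,00,41,00,2d,00,31,00,31,00,\
  44,00,31,00,2d,00,38,00,36,00,34,00,43,00,2d,00,31,00,34,00,41,00,33,00,30,\
  00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,a7,\
  70,57,b3,5d,b8,92,48,80,21,3f,78,4b,e1,ea,32,00,00,00,00,00,00,00,00,00,00
"whenChanged"=dword:40fc6a9a
'''

VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _decode_multi_sz(raw: bytes) -> list:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list closed by an empty string."""
    text = raw.decode("utf-16-le").rstrip("\x00")
    return text.split("\x00") if text else []


def decode_value(data: str):
    """Return (type_name, python_value) for the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if m:
        # In .reg syntax hex(N) carries the REG_* type number in hex; bare hex: is REG_BINARY (3).
        reg_type = int(m.group(1) or "3", 16)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if reg_type == 7:
            return "REG_MULTI_SZ", _decode_multi_sz(raw)
        if reg_type == 2:
            return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
        return "REG_BINARY", raw
    return "UNKNOWN", data


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: (type, value)}}, joining '\\' continuations."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):          # continuation: stash and glue the next line on
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def blob_guid(raw: bytes) -> str:
    """Assumption: the first 16 bytes of ipsecData read as a little-endian GUID (one value
    for every ipsecFilter on the page, another for every ipsecISAKMPPolicy). The rest of
    the blob is opaque policy data and is not interpreted here."""
    return "{" + str(uuid.UUID(bytes_le=raw[:16])).upper() + "}"


def when_changed_utc(dword: int) -> str:
    """Assumption: whenChanged is seconds since the Unix epoch. The value decodes to a
    date before the thread, which is consistent with that reading but does not prove it."""
    return datetime.fromtimestamp(dword, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def owners_report(text: str) -> dict:
    """Map each policy object (short name) to the objects its ipsecOwnersReference names."""
    out = {}
    for key, values in parse_reg(text).items():
        name = key.rsplit("\\", 1)[-1]
        _typ, refs = values.get("ipsecOwnersReference", ("REG_MULTI_SZ", []))
        out[name] = [r.rsplit("\\", 1)[-1] for r in refs]
    return out


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (typ, val) in values.items():
            if typ == "REG_BINARY":
                val = f"{len(val)} bytes, header GUID {blob_guid(val)}"
            elif name == "whenChanged":
                val = f"{val:#010x} ({when_changed_utc(val)})"
            print(f"  {name} [{typ}] = {val}")
```

To run it over a full export, read the file with encoding="utf-16" (regedit writes version 5 .reg files as UTF-16 with a byte-order mark) and pass the text to parse_reg; owners_report then shows which ipsecPolicy object each filter and ISAKMP entry hangs off, which is the quickest way to tell the built-in policy objects from anything added later.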

#6 xcalnd1
Looks like not all of my logs can fit on a post. I'm attaching the requested info instead. Thanks again and let me know if any more suggestions on my case!!

Regards,
xcalnd1


And here is the latest Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:34 PM, on 6/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Dell Home - {C02E3700-038B-11D6-9DFD-00065B61A109} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.co...yFamilyTree.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcANYWHERE Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


#7 Swandog46 (Malware Expert, MVP)
Hi xcalnd1,

Well, I'm a little perplexed because I don't see anything obvious in any of your logs. Are you still having the problems? --- if so, can you describe them in as much detail as possible?

I also want to confer with some of the others here about this entry, which I have never seen before:

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]


and I will get back to you as soon as I have more information.

#8 Swandog46
That entry turns out to be legitimate. Let's try one more scan --- and please do let me know if you are still having the symptoms, and describe them.

Please download Grinler's pfind from here:
http://www.bleepingc...r/pfind-new.zip
Unzip it to the desktop.

Open the patterns.txt text file, which will contain a few lines of text and symbols. At the very bottom of the file add a line to it with the text:

ceres

Then save the file and close it. Run pfind.bat. When it is finished, close the resulting window --- do not save it as it will not be a complete log.

Then post the complete contents for me of the file c:\log.txt

#9 xcalnd1
Thanks again. It's reassuring to hear that you do not see any issues. Here are more details on my IE issues. If I click on a popup link that is supposed to open a new browser window I get an error. One recent example is clicking on a link to:

javascript:openwindow('http://salazar.senate.gov/contact/email.cfm');

The window won't come up and I get an error:

Line: 19
Char: 4
Error: Access is denied.
Code: 0
URL: http....

Or if I click a print link, a link to:

javascript:window.print()

I get an 'error has occurred in the script' of:

Line:228
Char:1
Error: 'dialogArguments.___IE_PrintType' is null or not an object
Code: 0
URL: res://C\WINDOWS\system32\shdoclc.dll/preview.dlg

Click ok on this error and there's another underneath:
Line: 1
Char: 1
Error: Access is denied.
Code: 0
URL : http....

And also if I try to run Windows Update, it hangs at the prompt of 'preparing for download'. So I can't get the latest security updates.

I ran pfind as requested.
The log.txt file you mentioned had no information in it, but the pfind.txt that popped up after the tool was done seems to have logged everything. The pfind log is below:



Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\flashax.exe: .aspack
C:\WINDOWS\Garfield Guide to Cats.scr: .aspack
C:\WINDOWS\HH_screensaver_v3.scr: .aspack
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
C:\WINDOWS\setupapi.log: Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
C:\WINDOWS\setupapi.log: An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\B4FM.dll: UPX!
C:\WINDOWS\SYSTEM32\msimsg.dll: S'estan creant dreceres (Catalan for "Creating shortcuts")
C:\WINDOWS\SYSTEM32\msimsg.dll: S'estan suprimint dreceres (Catalan for "Deleting shortcuts")


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\sysadmin\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\sysadmin\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
qtfont.qfn Fri Jun 17 2005 1:30:10p A..H. 54,156 52.89 K
shelli~1 Mon Jun 20 2005 10:32:24p ...H. 832,868 813.35 K

C:\WINDOWS\CSC\
00000001 Mon Jun 20 2005 10:34:32p A.S.. 64 0.06 K
00000002 Thu Jun 16 2005 10:42:02p A.S.. 64 0.06 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Wed Jun 8 2005 8:28:10a ...H. 65 0.06 K

C:\WINDOWS\OCCACHE\
desktop.ini Wed Jun 8 2005 8:28:10a ...H. 65 0.06 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Wed Jun 8 2005 8:28:08a ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser~1.log Wed May 11 2005 9:37:00p A..H. 0 0.00 K

C:\WINDOWS\WEB\
ftp.htt Wed Jun 8 2005 8:28:16a ...H. 11,083 10.82 K

C:\WINDOWS\ALLUSE~1\DRM\
drmv2.sst Wed Apr 27 2005 7:24:32p A.SH. 7,680 7.50 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Mon Jun 20 2005 10:36:32p A..H. 1,024 1.00 K
sam.log Mon Jun 20 2005 10:34:34p A..H. 1,024 1.00 K
security.log Mon Jun 20 2005 10:34:28p A..H. 1,024 1.00 K
software.log Mon Jun 20 2005 11:00:24p A..H. 1,024 1.00 K

14 items found: 14 files, 0 directories.
Total of file sizes: 910,206 bytes 888.87 K
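What pfind does in the post above is a string sweep: it walks a fixed set of directories and prints every file that contains one of the byte patterns in patterns.txt (packer markers such as UPX! and .aspack, plus whatever is added by hand, here ceres), which is why setupapi.log is listed once for every line that mentions ceres. The Python below is an added example that reproduces that idea; it is not Grinler's pfind and its pattern list is illustrative, not the one shipped in patterns.txt. It also parses the setupapi.log lines quoted above to pair each unsigned-file warning with the "Copying file" line that records where the file was placed, because the destination paths, not the string hits, are what a reviewer would go and look at. The sample tree and the log text are constructed from entries in the post (the log lines are given without pfind's file-name prefix); real setupapi.log lines start with a #-code, which the regexes ignore by searching rather than anchoring.

```python
"""pfind-style byte-pattern sweep plus setupapi.log triage.

Added example for this thread. It is not Grinler's pfind, and its pattern list
is illustrative rather than the one shipped in patterns.txt.
"""
import os
import re
import tempfile

# Marker strings of the kind pfind looks for (packer signatures), plus the
# "ceres" line the thread adds to patterns.txt. Matching is case-insensitive here.
PATTERNS = [b"UPX!", b".aspack", b"FSG!", b"ceres"]

# Constructed sample: setupapi.log lines as quoted in the pfind output above,
# without pfind's "C:\WINDOWS\setupapi.log: " prefix.
SETUPAPI_SAMPLE = r"""
An unsigned or incorrectly signed file (d:\temp\drtemp\ceres.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file D:\Temp\DrTemp\ceres.dll to C:\WINDOWS\ceres.dll.
An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.dll) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
Copying file D:\Temp\DrTemp\ceres.inf to C:\WINDOWS\INF\ceres.inf.
An unsigned or incorrectly signed file (D:\Temp\DrTemp\ceres.inf) was installed. Error 0xe000022f: The third-party INF does not contain digital signature information.
"""

# Paths may appear bare, in parentheses (as quoted above) or in double quotes.
COPY_RE = re.compile(r'Copying file "?(?P<src>.+?)"? to "?(?P<dst>.+?)"?\.?\s*$', re.I)
UNSIGNED_RE = re.compile(
    r'An unsigned or incorrectly signed file [("]?(?P<path>[^")]+?)[")]? was installed\. '
    r'Error (?P<code>0x[0-9a-f]{8})', re.I)


def file_patterns(path, patterns, chunk=1 << 20):
    """Names of the patterns found in a file. The file is read in chunks with an
    overlap of len(longest pattern) - 1 so a marker split across reads is still seen."""
    overlap = max(len(p) for p in patterns) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = (tail + block).lower()
            for pat in patterns:
                if pat.lower() in buf:
                    found.add(pat.decode())
            tail = block[-overlap:] if overlap else b""
    return found


def scan_tree(root, patterns=PATTERNS):
    """Walk root and return sorted (relative path, pattern) pairs, pfind style."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pat in file_patterns(full, patterns):
                hits.append((rel, pat))
    return sorted(hits)


def summarize_setupapi(text):
    """copies: lower-cased source path -> destination; unsigned: lower-cased source
    path -> set of error codes seen for it."""
    copies, unsigned = {}, {}
    for line in text.splitlines():
        m = COPY_RE.search(line)
        if m:
            copies[m["src"].strip('"').lower()] = m["dst"].strip('"')
            continue
        m = UNSIGNED_RE.search(line)
        if m:
            unsigned.setdefault(m["path"].strip('"').lower(), set()).add(m["code"].lower())
    return {"copies": copies, "unsigned": unsigned}


def suspect_destinations(summary, keyword):
    """Where unsigned files whose source path contains keyword ended up: the paths to examine."""
    return sorted(dst for src, dst in summary["copies"].items()
                  if src in summary["unsigned"] and keyword.lower() in src)


def build_sample_tree():
    """Constructed mini file tree mirroring paths from the pfind output above."""
    root = tempfile.mkdtemp(prefix="pfind_demo_")
    files = {
        "WINDOWS/flashax.exe": b"MZ" + b"\x00" * 64 + b".aspack" + b"\x00" * 32,
        "WINDOWS/setupapi.log": SETUPAPI_SAMPLE.encode(),
        "WINDOWS/SYSTEM32/B4FM.dll": b"MZ" + b"\x00" * 40 + b"UPX!" + b"\x00" * 8,
        "WINDOWS/SYSTEM32/clean.dll": b"MZ" + b"\x00" * 128,
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, pat in scan_tree(root):
        print(f"{rel}: {pat}")
    summary = summarize_setupapi(SETUPAPI_SAMPLE)
    for src, codes in summary["unsigned"].items():
        print(f"unsigned {src} -> {summary['copies'].get(src)} errors {sorted(codes)}")
    print("examine:", suspect_destinations(summary, "ceres"))
```

A packer marker on its own proves nothing; the pfind output above hits avg7core.sys and two screensavers as well. The actionable part is the pairing: an unsigned INF and DLL copied from a temp directory into C:\WINDOWS and C:\WINDOWS\INF, eight times over, gives two concrete paths to check for existence, timestamps and a hash, which the string hit alone does not.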

#10 Swandog46
Hmmm. Let's try this: please download the IEFix utility:
http://windowsxp.mvp...utils/IEFix.zip
Run it and repair Internet Explorer. Restart, and see if the issue is resolved. If not, let me know and we'll keep trying. I don't think it is malware though...

#11 xcalnd1
Thanks! I know it's been a while, but if anyone's still available to help, that'd be great! I did run the IEfix tool but it did make a difference. I still have the issues with popups not working and printing, and with windows update in IE. I've been using Firefox as a workaround, but would like to get IE going again sometime.

#12 Swandog46
Hi xcalnd1

Sorry for the wait, I only saw this now. Can I see a fresh HJT log please? ;)

#13 xcalnd1
Thanks again! Firefox is working, but some of my applications require IE, so it'd be great to get IE working like it is supposed to.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:50 PM, on 7/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.co...yFamilyTree.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://walgreensphot...ploadClient.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcANYWHERE Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
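Swandog46 reads the HijackThis logs in this thread by eye, but the entries a first triage pass picks out are mechanical enough to script: registered components whose file is gone ("(file missing)", "(no file)"), the missing default URLSearchHook, O16 downloaded controls with no source URL recorded, BHOs with no name, and O4 Run entries that name a bare executable, which Windows resolves through its search path rather than from a fixed location. The Python below is an added example, not HijackThis code; it runs over lines constructed from the two logs posted above and returns findings for a human to look at. A finding is a review prompt only: SysTray.Exe and mobsync.exe are ordinary Windows 2000 Run entries, the unnamed BHO is Spybot's SDHelper.dll, and nothing here is a malware verdict.

```python
"""Mechanical first pass over a HijackThis 1.99 log.

Added example for this thread; it is not HijackThis and makes no malware verdicts.
"""
import re

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
HJT_SAMPLE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O23; everything else in a
# log (header, running-process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<rest>.+)$")


def parse_hjt(text):
    """Split a log into (section, body) pairs."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["sec"], m["rest"].strip()))
    return out


def o4_image(body):
    """Program an O4 line launches. Run-key entries print '[name] command line', where the
    image is the quoted token or the first whitespace-delimited one; Startup-folder entries
    print 'x.lnk = target', where the whole remainder is the shortcut target."""
    if "] " in body:
        cmd = body.split("] ", 1)[1].strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split()[0] if cmd else None
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    return None


def triage(text):
    """Return [(section, reason, body)] for the entries a reviewer should look at first."""
    findings = []
    for sec, body in parse_hjt(text):
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            findings.append((sec, "registered component whose file is gone", body))
        elif sec == "R3" and "missing" in low:
            findings.append((sec, "default URLSearchHook missing; HijackThis can reset it", body))
        elif sec == "O2" and "(no name)" in low:
            findings.append((sec, "BHO without a name; identify it by CLSID and DLL path", body))
        elif sec == "O16" and body.endswith("-"):
            findings.append((sec, "downloaded control with no source URL recorded", body))
        elif sec == "O4":
            image = o4_image(body)
            if image and "\\" not in image and "/" not in image:
                findings.append((sec, "bare executable name, resolved through the search path; "
                                      "confirm which file actually runs", body))
    return findings


def unqualified_run_images(text):
    """Executables named without a directory in O4 entries."""
    images = []
    for sec, body in parse_hjt(text):
        image = o4_image(body) if sec == "O4" else None
        if image and "\\" not in image and "/" not in image:
            images.append(image)
    return sorted(images)


if __name__ == "__main__":
    for sec, reason, body in triage(HJT_SAMPLE):
        print(f"{sec}: {reason}\n    {body}")
    print("unqualified O4 images:", unqualified_run_images(HJT_SAMPLE))
```

Run against the full log from post #13 it returns the same R3 line Swandog46 asks to have fixed in the next post, plus the MpfService entry whose binary is gone; against the log from post #6 it adds the two AOL Toolbar buttons with no file. Everything else in those logs passes this filter, which matches the expert's reading that nothing obvious is present.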

#14 Swandog46
Hi xcalnd1

Please run HijackThis, click Scan, and check:

R3 - Default URLSearchHook is missing

Close all open windows and click Fix Checked.

About IE, let's try this:

Please go to Start -> Run -> cmd and press Enter. At the command prompt type sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker. Follow the prompts, and insert your Windows installation CD if requested. Then please restart your computer.

Does this fix it? ;)

#15 xcalnd1
Many thanks again! I have done as you requested, and pop-ups and print links still don't work in IE (the same issues as in my detailed description above); any other suggestions you can think of would be great.