Outlook & Malware [RESOLVED]


  • This topic is locked

#1
mrtlc67

mrtlc67

    Member

  • Member
  • PipPip
  • 24 posts
I am running Windows XP home, Office 2000 with 512 meg RAM. When I launch Outlook it uses somewhere in excess of 256mb of RAM. Spybot S&D as well as Ad-Aware have long been on my machine. I ran NAV and McAfee Stinger to no avail. :)
I have run all the steps you recommended, and have CA EZ Armor Installed. It has noted the infection with w32.sillyDl.RX several times, but does not remove it in real time and never finds it on a full scan. Below is Hijack this log. Help please. :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 8:47:46 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Memory Stick Monitor.lnk.disabled
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.greenapple.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CF5A0F85-1147-48B9-8AD5-CC341E93B24D} - http://www.tonservic...natiff/Boot.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...571/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Hi mrtlc67,

I'd like to advise you to uninstall ViewPoint Manager under Add/Remove Software.

Then disable Microsoft AntiSpyware's resident protection for the time it takes to fix this.
By guarding your settings it might hinder our efforts.


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab

Then reboot and post a new HijackThis log.

P.S. I wouldn't advise running Trojan Hunter and The Cleaner on the same computer at the same time.
I'm assuming you installed those to get rid of the infection you found, but running two AntiTrojans and/or two AntiVirus programs alongside each other is not only a waste of resources, but can lead to conflicts as well.

If the infection gets found again, can you let me know the full path and filename of the suspicious file?

Regards,
  • 0

#3
mrtlc67

mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Ok, I have tried to complete all you suggested as well as uninstall some other items I did not need. I defragged the hard drive after all the installing and uninstalling. I still have the same main problem. When I attempt to run Outlook, I get memory errors if I have anything else open and it uses at least 256 meg of memory. :tazz: Below is a fresh log.

Logfile of HijackThis v1.99.1
Scan saved at 5:50:31 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Memory Stick Monitor.lnk.disabled
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.greenapple.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CF5A0F85-1147-48B9-8AD5-CC341E93B24D} - http://www.tonservic...natiff/Boot.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...571/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0
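
An added example, not part of the original posts: a small Python script that compares a before and after HijackThis log to confirm that the entries selected for "Fix checked" are gone, and lists entries HijackThis still marks as pointing at a file that is not on disk. The log excerpts are abridged from the two logs posted above; the function names are hypothetical.

```python
import re

# HijackThis entry lines start with a section code (R0, F2, O4, O23, ...)
# followed by " - " and the entry text; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Suffixes HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Abridged excerpt of the first log in this thread (9/8/2005).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\winlogon.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

# Abridged excerpt of the second log in this thread (9/12/2005).
AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

# The four entries the helper asked to fix in post #2.
REQUESTED = r"""
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): entries only in the old log, only in the new one."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


def unfixed(requested_text, after_text):
    """Entries that were selected for fixing but still appear in the new log."""
    still_there = set(parse_entries(after_text))
    return [e for e in parse_entries(requested_text) if e in still_there]


def orphans(log_text):
    """Entries HijackThis marks as referencing a file that is not on disk."""
    return [e for e in parse_entries(log_text) if e[1].endswith(ORPHAN_MARKERS)]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed since first log:")
    for code, body in removed:
        print("  %s - %s" % (code, body))
    print("Added since first log:", added or "none")
    print("Requested fixes still present:", unfixed(REQUESTED, AFTER) or "none")
    print("Entries still pointing at a missing file:")
    for code, body in orphans(AFTER):
        print("  %s - %s" % (code, body))
```
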

#4
mrtlc67

mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
:tazz: I had a very difficult time getting download for update of Spybot S & D. I finally was able to, but I had to shut down my firewall, Trojan Guard & MS Anti Spyware. When I ran Spybot, I got the following error:

There were problems in the include file C:\Progam File\Spybot-
Seach_Destroy\Includes\hijackers.sbi

See "Include Errors.log" for details

When I click "ok" the scan continues, and nothing new is found and no log files were available.
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
The only thing I can imagine is that there is something wrong with the email that gets opened first.

Is your user-account the only one on that computer?

Also if you have any idea how this started, that information might give me a clue.

Regards,
  • 0

#6
mrtlc67

mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I am currently the only user account. My wife and I used to each have an account. Her account was closed and I deleted it.

The problem started around the first of this month. About the same time the following infections were found and I was never able to clean them. The files referenced I could never locate. The info below is log file from "realtime" scan of Ez Antivirus. The full system scan never found the infection.

2005/09/06 17:16:32.140 File infection: C:\WINDOWS\TEMP\TMP8C.tmp is Win32.SillyDl.RX trojan.

2005/09/06 19:42:45.718 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.

2005/09/07 10:10:07.265 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.

2005/09/07 11:11:59.812 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.

2005/09/07 12:17:53.515 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.

2005/09/07 13:49:21.312 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.

2005/09/07 13:51:03.453 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
The last 6 look like a typical case of one AV finding virus-signatures in the definitions of the other.

Imagine it like this.

Norton includes a string of signs that are typical for a certain virus in its definition so the scanner can recognize that virus by comparing the strings.

AVG uses the same string (or a part of it) and finds the strings in the updates from Norton.

Does that make sense?

The first one however could be a problem.

Reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders.

Then do a FindFiles for Psof1.exe
Delete it if you find it.

Copy the part in bold below into notepad and save it as sillyrx.reg
Set Filetype to "all files"

REGEDIT4

[-HKEY_CURRENT_USER\Software\Psof1]


Doubleclick that file and confirm you want to merge it with the registry.

Regards,
  • 0
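
An added example, not part of the original posts: the triage described above applied to the realtime-scan lines from post #6, grouping detections by path and separating hits inside another scanner's definition folder from hits elsewhere. The path fragments used for classification, the category labels and the function names are assumptions made for this example, not part of any product.

```python
import re

# Line format as it appears in the realtime-scan log quoted in post #6.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"File infection: (?P<path>.+) is (?P<name>\S+) trojan\.$"
)

# Assumed heuristics: upper-cased path fragments that indicate another
# scanner's signature store (8.3 short form as seen in the thread, plus the
# long form it most likely abbreviates).
DEFINITION_DIR_FRAGMENTS = (
    r"\SYMANT~1\VIRUSD~1",
    r"\SYMANTEC SHARED\VIRUSDEFS",
)
TEMP_FRAGMENT = "\\TEMP\\"

# The seven log lines from post #6, copied as posted.
SAMPLE_LOG = r"""
2005/09/06 17:16:32.140 File infection: C:\WINDOWS\TEMP\TMP8C.tmp is Win32.SillyDl.RX trojan.
2005/09/06 19:42:45.718 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
2005/09/07 10:10:07.265 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
2005/09/07 11:11:59.812 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
2005/09/07 12:17:53.515 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
2005/09/07 13:49:21.312 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
2005/09/07 13:51:03.453 File infection: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041020.038\0213NAV~.TMP is Win32.SillyDl.RX trojan.
"""


def classify(path):
    """Bucket a detection by where the flagged file lives."""
    upper = path.upper()
    if any(fragment in upper for fragment in DEFINITION_DIR_FRAGMENTS):
        # One scanner reading another scanner's signature data.
        return "other-scanner-definitions"
    if TEMP_FRAGMENT in upper:
        # A real file in a temp folder: worth following up.
        return "temp-file"
    return "other"


def parse_detections(log_text):
    """Return one dict per well-formed detection line, in log order."""
    detections = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            detections.append(match.groupdict())
    return detections


def triage(log_text):
    """Group detections by path with category, hit count and first/last time."""
    summary = {}
    for det in parse_detections(log_text):
        entry = summary.setdefault(det["path"], {
            "category": classify(det["path"]),
            "name": det["name"],
            "count": 0,
            "first": det["ts"],
            "last": det["ts"],
        })
        entry["count"] += 1
        # Timestamps are zero-padded, so string comparison orders them.
        entry["first"] = min(entry["first"], det["ts"])
        entry["last"] = max(entry["last"], det["ts"])
    return summary


def needs_follow_up(log_text):
    """Paths whose detections are not explained by another scanner's definitions."""
    return [path for path, info in triage(log_text).items()
            if info["category"] != "other-scanner-definitions"]


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print("%-26s x%d  %s .. %s  %s" % (
            info["category"], info["count"], info["first"], info["last"], path))
    print("Follow up:", needs_follow_up(SAMPLE_LOG))
```
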

#8
mrtlc67

mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Sure does make sense, which is why I had already removed an out of date version of NAV. I have followed the instructions, but still have the same original symptom: Outlook using excessive memory. I will add that it only does it when signed on to XP as a user, not as the administrator available under safe mode. If I open Outlook as administrator there are no accounts, but it is using only about 15 to 17 meg instead of 256 to 280 meg.
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Ah yes. As expected. That is why I asked if your user-account was the only one.

Good thing you have the default administrator account. :tazz:

Click Start > Run > and copy this command in the dialog box:
regedit.exe /e C:\getaccounts.txt "HKEY_CURRENT_USER\Identities"

This will create the file C:\getaccounts.txt
Find it and post the content please.

Regards,
  • 0

#10
mrtlc67

mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here ya go, it is a long file!

"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB]
"Name"="Hide Read Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria\000]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC]
"Name"="Show Downloaded Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000001

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria\000]
"Type"=dword:00000019
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF]
"Name"="Hide Read or Ignored Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria]
"Order"="000 001"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\000]
"Type"=dword:0000001b
"Logic"=dword:00000001
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\001]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\MRU List]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Mail]
"Version"=dword:00050000
"Order"=""

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\News]
"Version"=dword:00050000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Shared Settings]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup]
"MigToLWP"=hex:4a,99,e5,fc,8d,7f,19,41,b5,18,bd,cc,0d,49,38,80
"MigToLWPVer"="6,0,2600,0000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000001
"text"="Mindy Conner"
"file"=""

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\International]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\Main]
"Move System Caret"="no"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\Settings]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB Sort State]
"State"=hex:00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"Position"=hex:2c,00,00,00,3a,00,00,00,20,02,00,00,b1,01,00,00,96,00,00,00,96,\
00,00,00,64,00,00,00,64,00,00,00,01,00,00,00,09,00,11,50,8b,13,00,00,01,00,\
00,00,00,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,01,00,00,00,00,00,00,\
00,96,00,00,00
"FindPosition"=hex:23,00,00,00,3e,00,00,00,06,02,00,00,45,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB4]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB4\LastFind]
@="Address Book"
  • 0


#11
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
That's what I needed. :tazz:
Keep that file as backup in case one of the changes I'll make turns out for the worse.

Copy the part in bold below into notepad and save it as OEstart1.reg
Set Filetype to "all files"

REGEDIT4

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0]
"HelpUrl"=-
"Preview Message"=-

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Mail]
"Check Mail on Startup"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules]
"Messenger Auto logon"=dword:00000000


Double-click that file and confirm you want to merge it with the registry.

It may require a reboot for the changes to take effect, so do that before you try and open OE.

Regards,
  • 0

#12
mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
While OE is showing up, I am NOT using Express. We have Office 2000 Professional installed and are using Outlook for email. Please advise. Thanks!
  • 0

#13
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Try it anyway. I think I remember reading these settings will affect all Microsoft mail clients.

Regards,
  • 0

#14
mrtlc67

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Sadly I report :tazz: no change. OE does not have the same effect on memory.

Here is the getaccounts file after changing the registry and rebooting.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities]
"Identity Ordinal"=dword:00000002
"Migrated5"=dword:00000001
"Last Username"="Main Identity"
"Last User ID"="{FCE5994A-7F8D-4119-B518-BDCC0D493880}"
"Default User ID"="{FCE5994A-7F8D-4119-B518-BDCC0D493880}"
"Identity Login"=dword:00098053

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}]
"Username"="Main Identity"
"User ID"="{FCE5994A-7F8D-4119-B518-BDCC0D493880}"
"Directory Name"=dword:fce5994a
"Identity Ordinal"=dword:00000001
"Attachment Path"="C:\\Documents and Settings\\New User\\troywork"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0]
"VerStamp"=dword:00000003
"WindowTitle"="Outlook Express provided by Green Apple Inc."
"HideFolderBar"=dword:00000000
"Tree"=dword:00000001
"Show Outlook Bar"=dword:00000000
"ShowStatus"=dword:00000001
"Show Contacts"=dword:00000001
"Tip of the Day"=dword:00000000
"ShowToolbarIEAK"=dword:00000001
"Toolbar Text"=dword:00000001
"SpellDontIgnoreDBCS"=dword:00000001
"MSIMN"=dword:00000001
"StoreMigratedV5"=dword:00000001
"ConvertedToDBX"=dword:00000001
"Settings Upgraded"=dword:00000007
"Running"=dword:00000000
"Store Root"=hex(2):25,00,55,00,73,00,65,00,72,00,50,00,72,00,6f,00,66,00,69,\
00,6c,00,65,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,\
74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,\
00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,49,00,\
64,00,65,00,6e,00,74,00,69,00,74,00,69,00,65,00,73,00,5c,00,7b,00,46,00,43,\
00,45,00,35,00,39,00,39,00,34,00,41,00,2d,00,37,00,46,00,38,00,44,00,2d,00,\
34,00,31,00,31,00,39,00,2d,00,42,00,35,00,31,00,38,00,2d,00,42,00,44,00,43,\
00,43,00,30,00,44,00,34,00,39,00,33,00,38,00,38,00,30,00,7d,00,5c,00,4d,00,\
69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4f,00,75,00,74,00,6c,\
00,6f,00,6f,00,6b,00,20,00,45,00,78,00,70,00,72,00,65,00,73,00,73,00,5c,00,\
00,00
"PrevToolbarTextStyle"=dword:00000001
"Outlook Bar Settings"=hex:01,00,00,00,00,00,00,00,00,00,00,00,05,00,00,00,00,\
00,00,00,00,00,00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,\
00,00
"Migration Done"=dword:00000001
"Launch Inbox"=dword:00000001
"Saved Toolbar Settings"=hex:11,9e,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,\
07,9d,00,00,c4,9c,00,00
"Saved Toolbar Settings Version"=dword:00000011
"FixedPOP3UidlFile"=dword:00000001
"Note Bands"=hex:0f,00,00,00,03,00,00,00,64,00,00,00,80,02,00,00,64,00,00,00,\
66,00,00,00,02,00,00,00,16,00,00,00,65,00,00,00,01,02,00,00,64,00,00,00
"Toolbar Icon Size"=dword:00000001
"Show Deleted Messages"=dword:00000001
"Show Replies To My Messages"=dword:00000000
"Browser Bands"=hex:11,00,00,00,04,00,00,00,64,00,00,00,80,02,00,00,64,00,00,\
00,66,00,00,00,02,00,00,00,16,00,00,00,65,00,00,00,01,02,00,00,64,00,00,00,\
67,00,00,00,09,00,00,00,64,00,00,00
"BodyBarPos"=dword:00000000
"Nav Pane Width"=dword:000000d2
"Nav Pane Split"=dword:00000042
"Contact Pane Sorting"=dword:00000000
"BrowserPos"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,64,00,00,00,53,00,00,00,ba,02,00,00,e7,01,00,00
"ShowBodyBar"=dword:00000000
"SpoolerDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,d8,00,00,00,32,00,00,00,c0,02,00,00,c1,01,00,00
"SpoolerTack"=dword:00000000
"FindPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,78,00,00,00,64,00,00,00,ab,02,00,00,27,02,00,00
"Expand Unread"=dword:00000001
"Dial During Poll"=dword:00000002
"Use AutoComplete"=dword:00000001
"Reply To Messages In Original Format"=dword:00000001
"Message List Tips"=dword:00000001
"Watched Message Color"=dword:0000000a
"RequestMDN"=dword:00000000
"SendMDN"=dword:00000004
"SendReceiptToList"=dword:00000001
"Signature Flags"=dword:00000001
"SpellDontAlwaysSuggest"=dword:00000001
"SpellCheckOnSend"=dword:00000000
"SpellCheckOnType"=dword:00000000
"SpellIgnoreUpper"=dword:00000000
"SpellIgnoreNumbers"=dword:00000000
"SpellDontIgnoreProtect"=dword:00000001
"SpellIgnoreURLs"=dword:00000001
"Email Security Zone"=dword:00000004
"SwitchConnectionPrompt"=dword:00000001
"Hangup After Spool"=dword:00000000
"Background Compaction"=dword:00000001
"ExpungeFolders"=dword:00000000
"Save Attachment Path"="C:\\Documents and Settings\\New User\\My Documents"
"Search Message Bodies"=dword:00000000
"Dont Encrypt For Self"=dword:00000000
"Opaque Signing"=dword:00000000
"Auto Add Senders Cert To WAB"=dword:00000001
"Revocation checking"=dword:00000000
"Show Source Editing"=dword:00000000
"Compact Check Count"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders]
"Version"=dword:00050000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail]
"Name"="Block Sender"
"Enabled"=dword:00000001
"Version"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail\Actions\000]
"Type"=dword:00000007
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail\Criteria]
"Order"="000 001"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail\Criteria\000]
"Type"=dword:00000017
"Logic"=dword:00000001
"Flags"=dword:00000000
"ValueType"=dword:0000001e
"Value"="pureman93@yahoo.com"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Block Senders\Mail\Criteria\001]
"Type"=dword:00000017
"Logic"=dword:00000001
"Flags"=dword:00000000
"ValueType"=dword:0000001e
"Value"="jls@greenapple.com"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Columns]
"Mail Column Info (In)"=hex:10,00,00,00,06,00,00,00,0f,00,00,00,09,00,00,00,ff,\
ff,ff,ff,10,00,00,00,09,00,00,00,17,00,00,00,14,00,00,00,09,00,00,00,ff,ff,\
ff,ff,01,00,00,00,05,00,00,00,ff,ff,ff,ff,02,00,00,00,01,00,00,00,ff,ff,ff,\
ff,03,00,00,00,01,00,00,00,ff,ff,ff,ff
"Local Store Column Info"=hex:10,00,00,00,03,00,00,00,06,00,00,00,03,00,00,00,\
ff,ff,ff,ff,08,00,00,00,01,00,00,00,ff,ff,ff,ff,07,00,00,00,01,00,00,00,ff,\
ff,ff,ff
"Mail Column Info (Out)"=hex:10,00,00,00,06,00,00,00,0f,00,00,00,09,00,00,00,\
ff,ff,ff,ff,10,00,00,00,09,00,00,00,ff,ff,ff,ff,00,00,00,00,01,00,00,00,ff,\
ff,ff,ff,04,00,00,00,05,00,00,00,78,00,00,00,02,00,00,00,01,00,00,00,ff,ff,\
ff,ff,0d,00,00,00,01,00,00,00,ff,ff,ff,ff
"Find Pop Column Info"=hex:10,00,00,00,07,00,00,00,0f,00,00,00,09,00,00,00,ff,\
ff,ff,ff,10,00,00,00,09,00,00,00,ff,ff,ff,ff,14,00,00,00,09,00,00,00,ff,ff,\
ff,ff,01,00,00,00,01,00,00,00,ff,ff,ff,ff,02,00,00,00,01,00,00,00,ff,ff,ff,\
ff,03,00,00,00,01,00,00,00,ff,ff,ff,ff,06,00,00,00,03,00,00,00,ff,ff,ff,ff
"News Sub Column Info"=hex:10,00,00,00,02,00,00,00,13,00,00,00,03,00,00,00,ff,\
ff,ff,ff,0a,00,00,00,01,00,00,00,ff,ff,ff,ff
"News Account Column Info"=hex:10,00,00,00,04,00,00,00,13,00,00,00,03,00,00,00,\
ff,ff,ff,ff,08,00,00,00,01,00,00,00,ff,ff,ff,ff,07,00,00,00,01,00,00,00,ff,\
ff,ff,ff,12,00,00,00,01,00,00,00,ff,ff,ff,ff

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Dont Show Dialogs]
"Mail Empty Subject Warning"=dword:00000001
"Send Mail Warning"=dword:00000001
"Html to Plain Warning"=dword:00000001

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Find History]
"a"="sarah rockson"
"MRU List"="a"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Mail]
"ShowHybridView"=dword:00000000
"Show Header Info"=dword:00000001
"SplitDir"=dword:00000000
"Welcome Message"=dword:00000000
"Accounts Checked"=dword:00000001
"NotePosEx"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,9d,01,00,00,85,00,00,00,c9,03,00,00,38,02,00,00
"Attach VCard"=dword:00000000
"ThreadArticles"=dword:00000000
"Saved Toolbar Settings"=hex:11,9e,00,00,f0,9c,00,00,f1,9c,00,00,f4,9c,00,00,\
ff,ff,ff,ff,b4,9c,00,00,f2,9d,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,07,\
9d,00,00,c4,9c,00,00
"Saved Toolbar Settings Version"=dword:00000011
"SplitHorzPct"=dword:00000032
"SplitVertPct"=dword:00000032
"Default_CodePage"=dword:00006faf
"PlaySoundOnNewMail"=dword:00000000
"Poll For Mail"=dword:0002bf20
"Check Mail on Startup"=dword:00000000
"SaveInSentItems"=dword:00000001
"Auto Add Replies To WAB"=dword:00000000
"Include Reply Msg"=dword:00000001
"Send Mail Immediately"=dword:00000001
"Message Send HTML"=dword:00000001
"Wide Stationery Name"=""
"Stationery Name Converted"=dword:00000001
"Compose Use Stationery"=dword:00000000
"Font Size"=dword:00000009
"Font Name"="Arial"
"MarkPreviewAsRead"=dword:00000002
"VCard Display Name"=""
"Digitally Sign Messages"=dword:00000000
"Encrypt Messages"=dword:00000000
"Warn on Mapi Send"=dword:00000001
"Safe Attachments"=dword:00000001
"Security Label"=dword:00000000
"Log POP3 (0/1)"=dword:00000000
"Log IMAP4 (0/1)"=dword:00000000
"Log HTTPMail (0/1)"=dword:00000000
"Delete Wastebasket On Exit"=dword:00000000
"Send Pictures With Document"=dword:00000000
"Include Certificate"=dword:00000001
"Encryption Warning Bits"=dword:00000000
"Show Adv Mail Send"=dword:00000000
"Q-PlaySoundOnNewMail"=dword:00000001
"Secure Safe Attachments"=dword:00000001

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\MailNote]
"Send Mail Toolbar Settings"=hex:db,9d,00,00,ff,ff,ff,ff,26,9d,00,00,24,9e,00,\
00,27,9d,00,00,25,9d,00,00,ff,ff,ff,ff,48,9d,00,00,47,9d,00,00,ff,ff,ff,ff,\
2d,9d,00,00,dc,9d,00,00,ff,ff,ff,ff,6b,9d,00,00,44,9d,00,00,b9,9c,00,00
"Saved Toolbar Settings Version"=dword:0000000f
"Read Mail Toolbar Settings"=hex:f0,9c,00,00,f1,9c,00,00,f4,9c,00,00,ff,ff,ff,\
ff,b4,9c,00,00,22,9e,00,00,ff,ff,ff,ff,d1,9c,00,00,d2,9c,00,00,ff,ff,ff,ff,\
07,9d,00,00

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\News]
"ShowHybridView"=dword:00000001
"Show Header Info"=dword:00000001
"SplitDir"=dword:00000000
"Accounts Checked"=dword:00000001
"SplitHorzPct"=dword:00000032
"SplitVertPct"=dword:00000032
"New group notification"=dword:00000001
"Message Send HTML"=dword:00000000
"Wide Stationery Name"=""
"Stationery Name Converted"=dword:00000001
"Compose Use Stationery"=dword:00000000
"Font Size"=dword:00000009
"Font Name"="Arial"
"Download at a time"=dword:0000012c
"Auto Expand Threads"=dword:00000000
"Auto Fill Preview"=dword:00000000
"Mark Read on Exit"=dword:00000000
"Attach VCard"=dword:00000000
"VCard Display Name"=""
"Cache Delete Message Days"=dword:00000005
"Cache Compact Percent"=dword:00000014
"Cache Read Messages"=dword:00000000
"Log"=dword:00000000
"News Dialog Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,58,00,00,00,58,00,00,00,c7,02,00,00,e1,01,\
00,00
"Saved Toolbar Settings"=hex:12,9e,00,00,f2,9c,00,00,f0,9c,00,00,f4,9c,00,00,\
ff,ff,ff,ff,b4,9c,00,00,dd,9c,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,07,\
9d,00,00,c4,9c,00,00,79,9d,00,00,06,9d,00,00
"Saved Toolbar Settings Version"=dword:00000011

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List]
"File0"="Clear Day.htm"
"File1"="Nature.htm"
"File2"="Maize.htm"
"File3"="Sunflower.htm"
"File4"="Citrus Punch.htm"
"File5"="Blank.htm"
"File6"="Leaves.htm"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List]
"File0"="Sunflower.htm"
"File1"="Clear Day.htm"
"File2"="Nature.htm"
"File3"="Maize.htm"
"File4"="Citrus Punch.htm"
"File5"="Blank.htm"
"File6"="Leaves.htm"
"File7"=""
"File8"=""
"File9"=""

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules]
"Messenger Auto logon"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter]
"Version"=dword:00050000
"Order"="FFA FFB FFC FFF"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA]
"Name"="Show All Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000001

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria\000]
"Type"=dword:00000014
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB]
"Name"="Hide Read Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria\000]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC]
"Name"="Show Downloaded Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000001

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria\000]
"Type"=dword:00000019
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF]
"Name"="Hide Read or Ignored Messages"
"Enabled"=dword:00000001
"Version"=dword:00000744

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions]
"Order"="000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria]
"Order"="000 001"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\000]
"Type"=dword:0000001b
"Logic"=dword:00000001
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\001]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\MRU List]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\Mail]
"Version"=dword:00050000
"Order"=""

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Rules\News]
"Version"=dword:00050000

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Shared Settings]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup]
"MigToLWP"=hex:4a,99,e5,fc,8d,7f,19,41,b5,18,bd,cc,0d,49,38,80
"MigToLWPVer"="6,0,2600,0000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000001
"text"="Mindy Conner"
"file"=""

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\International]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\Main]
"Move System Caret"="no"

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\Outlook Express\5.0\Trident\Settings]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB Sort State]
"State"=hex:00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"Position"=hex:2c,00,00,00,3a,00,00,00,20,02,00,00,b1,01,00,00,96,00,00,00,96,\
00,00,00,64,00,00,00,64,00,00,00,01,00,00,00,09,00,11,50,8b,13,00,00,01,00,\
00,00,00,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,01,00,00,00,00,00,00,\
00,96,00,00,00
"FindPosition"=hex:23,00,00,00,3e,00,00,00,06,02,00,00,45,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB4]

[HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}\Software\Microsoft\WAB\WAB4\LastFind]
@="Address Book"
  • 0
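One way to confirm that a merge like OEstart1.reg took effect is to check each line of the patch against a later registry export, which the "after" export posted above makes possible. This is an added example, not part of the original posts: the function names are hypothetical, the export excerpts are abbreviated, and the HelpUrl data in the "before" excerpt is a constructed placeholder.

```python
import re

# Identity key taken from the thread; the export excerpts below are abbreviated.
KEY = (r"HKEY_CURRENT_USER\Identities\{FCE5994A-7F8D-4119-B518-BDCC0D493880}"
       r"\Software\Microsoft\Outlook Express\5.0")

# The patch from the thread (OEstart1.reg).
PATCH = rf"""REGEDIT4

[{KEY}]
"HelpUrl"=-
"Preview Message"=-

[{KEY}\Mail]
"Check Mail on Startup"=dword:00000000

[{KEY}\Rules]
"Messenger Auto logon"=dword:00000000
"""

# Constructed "before" excerpt; the HelpUrl data is a placeholder, not from the thread.
BEFORE = rf"""Windows Registry Editor Version 5.00

[{KEY}]
"VerStamp"=dword:00000003
"HelpUrl"="http://placeholder.invalid/"

[{KEY}\Rules]
"Messenger Auto logon"=dword:00000001
"""

# Abbreviated "after" excerpt, with values as posted after the merge and reboot.
AFTER = rf"""Windows Registry Editor Version 5.00

[{KEY}]
"VerStamp"=dword:00000003
"Saved Toolbar Settings"=hex:11,9e,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,\
07,9d,00,00,c4,9c,00,00

[{KEY}\Mail]
"Check Mail on Startup"=dword:00000000

[{KEY}\Rules]
"Messenger Auto logon"=dword:00000000
"""

# A value line is @=data (default value) or "name"=data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def normalise(data):
    """Keep string data as written; lower-case and de-space dword/hex data."""
    data = data.strip()
    return data if data.startswith('"') else data.replace(" ", "").lower()


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:      # header and blank lines fall through
            name = m.group(1)
            name = "" if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])
            current[name.lower()] = normalise(m.group(2))
    return keys


def check_patch(patch_text, export_text):
    """Return [(subkey, value_name, wanted, found, applied)] per patch line.

    A "-" in the patch means the value should be gone. An absent value only
    proves deletion if the export actually covers that key.
    """
    export = parse_reg(export_text)
    results = []
    for key, values in parse_reg(patch_text).items():
        present = export.get(key, {})
        for name, wanted in values.items():
            found = present.get(name)      # None means the value is absent
            applied = found is None if wanted == "-" else found == wanted
            results.append((key.rsplit("\\", 1)[-1], name, wanted, found, applied))
    return results


if __name__ == "__main__":
    for label, export in (("before", BEFORE), ("after", AFTER)):
        for key, name, wanted, found, ok in check_patch(PATCH, export):
            state = "applied" if ok else "NOT applied"
            print(f"{label:6} {key}\\{name}: want {wanted}, found {found} -> {state}")
```

Key paths and value names are compared case-insensitively, as the registry does, and continued hex lines are joined before comparison.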

#15
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
One more thing I'd like to try is to empty the folder for attachments.

According to the registry export those should now be in a subfolder of
C:\Documents and Settings\New User\troywork

What I'd like you to do is rename that folder to attachmentsold and create a new one with the exact same name as it had before.

Let me know if that helps.

Regards,
  • 0





