Win2000 Registry - Does anyone recognize this???

I’ve had this key popping up in my registry now for some time. I have no idea what it is, if it might be some artifact of a registry bug or not… ???

It looks like no ‘language’ I’ve ever seen. Here is a sample:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
"HRZR_PGYFRFFVBA"=hex:5b,8b,3d,0e,08,00,00,00
"HRZR_PGYPHNPbhag:pgbe"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_HVGBBYONE"=hex:08,00,00,00,5e,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k4,702r"=hex:01,00,00,00,07,00,00,00,e0,62,ae,15,ea,a9,c7,01
"HRZR_HVGBBYONE:0k1,133"=hex:07,00,00,00,0f,00,00,00,70,fb,ea,bd,95,af,c7,01
"HRZR_HVGBBYONE:0k1,130"=hex:05,00,00,00,0f,00,00,00,a0,b6,d9,31,8a,ae,c7,01
"HRZR_HVGBBYONE:0k1,120"=hex:07,00,00,00,0e,00,00,00,30,e3,46,65,6b,b1,c7,01
"HRZR_HVGBBYONE:0k1,7011"=hex:08,00,00,00,1d,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k4,7011"=hex:08,00,00,00,1d,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k1,123"=hex:07,00,00,00,09,00,00,00,e0,ea,0c,74,95,af,c7,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}]
"Version"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_PGYFRFFVBA"=hex:74,8b,3d,0e,08,00,00,00
"HRZR_PGYPHNPbhag:pgbe"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU"=hex:08,00,00,00,2e,01,00,00,60,68,a3,e6,13,b2,c7,01
"HRZR_EHACNGU:P:\JVAAG\flfgrz32\EHAQYY32.RKR"=hex:08,00,00,00,1c,00,00,00,40,33,da,b5,12,b2,c7,01
"HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.6.0_01\ova\whfpurq.rkr"=hex:01,00,00,00,07,00,00,00,c0,90,a0,c8,9a,aa,c7,01
"HRZR_EHACNGU:Q:\NYJVYF~1\Ninfg4\nfuQvfc.rkr"=hex:08,00,00,00,16,00,00,00,20,f0,69,b6,12,b2,c7,01
"HRZR_EHACNGU:Q:\Ncf\Erzvaq!\erzvaq.rkr"=hex:08,00,00,00,16,00,00,00,40,33,4b,b8,12,b2,c7,01
"HRZR_EHACNGU:P:\Cebtenz Svyrf\Pbzzba Svyrf\VFCPBZC\VafgnyyFreivpr.rkr"=hex:08,00,00,00,15,00,00,00,50,95,50,b9,12,b2,c7,01
"HRZR_EHACNGU:Q:\Ncf\SnkGnyx\ABU\SGAbuZTE.rkr"=hex:08,00,00,00,16,00,00,00,30,2c,0a,bb,12,b2,c7,01
"HRZR_EHACNGU:Q:\Ncf\ZF Bssvpr\Bssvpr\ZFBSSVPR.RKR"=hex:08,00,00,00,17,00,00,00,30,67,0f,bc,12,b2,c7,01
"HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\Pbaarpgvba Jvmneq\vpjpbaa1.rkr"=hex:00,00,00,00,06,00,00,00,e0,a2,c3,f3,e8,a9,c7,01
"HRZR_EHAPCY"=hex:05,00,00,00,0b,00,00,00,d0,ac,26,c4,89,ae,c7,01
"HRZR_EHAPCY:FLFQZ.PCY"=hex:05,00,00,00,06,00,00,00,d0,ac,26,c4,89,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\Fgneghc"=hex:05,00,00,00,08,00,00,00,90,81,f0,cb,28,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\Frphevgl"=hex:07,00,00,00,06,00,00,00,e0,9a,76,4d,5a,b1,c7,01
"HRZR_EHACVQY:%pfvqy2%\Pbzzhavpngvbaf"=hex:02,00,00,00,06,00,00,00,80,c1,f3,26,3d,ac,c7,01
"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf"=hex:05,00,00,00,06,00,00,00,00,9f,bb,9f,92,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\Vagrearg Rkcybere.yax"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU:P:\JVAAG\Flfgrz32\argcyjvm.qyy"=hex:00,00,00,00,06,00,00,00,d0,76,10,4c,e9,a9,c7,01
"HRZR_EHAPCY:"P:\JVAAG\flfgrz32\nccjvm.pcy",Nqq/Erzbir Cebtenzf"=hex:00,00,00,00,06,00,00,00,50,33,78,61,e9,a9,c7,01
"HRZR_EHAPCY:"P:\JVAAG\flfgrz32\GJRNXHV.PCY",Gjrnx HV"=hex:00,00,00,00,06,00,00,00,b0,57,86,79,e9,a9,c7,01
"HRZR_HVFPHG"=hex:08,00,00,00,12,00,00,00,30,7a,41,61,b0,b1,c7,01
"HRZR_EHACNGU:Q:\Nyjvy Fbsgjner\Ninfg4\nfuNinfg.rkr"=hex:08,00,00,00,06,00,00,00,60,4a,67,7c,a6,b1,c7,01
"HRZR_EHACNGU:P:\JVAAG\flfgrz32\furyy32.qyy"=hex:04,00,00,00,07,00,00,00,90,5e,26,55,f1,ad,c7,01
"HRZR_EHACNGU:P:\JVAAG\flfgrz32\abgrcnq.rkr"=hex:08,00,00,00,39,00,00,00,60,68,a3,e6,13,b2,c7,01
"HRZR_EHACNGU:Q:\Ncf\Sversbk\Zbmvyyn Sversbk\sversbk.rkr"=hex:07,00,00,00,15,00,00,00,50,ff,3f,f5,5f,b1,c7,01
"HRZR_HVDPHG"=hex:08,00,00,00,3b,00,00,00,e0,c2,4d,c2,12,b2,c7,01
"HRZR_EHACNGU:Q:\Ncf\Guhaqreoveq\guhaqreoveq.rkr"=hex:07,00,00,00,18,00,00,00,b0,c8,e1,54,58,b1,c7,01
"HRZR_EHACNGU:P:\Cebtenz Svyrf\Argfpncr Vagrearg Freivpr\AFPyvrag.rkr"=hex:08,00,00,00,19,00,00,00,f0,09,44,7c,b1,b1,c7,01
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Fgneghc\Zvpebfbsg Bssvpr Fubegphg One.yax"=hex:05,00,00,00,08,00,00,00,90,81,f0,cb,28,ae,c7,01
"HRZR_EHACNGU:Q:\Hgvyf\xrcnff\XrrCnff.rkr"=hex:05,00,00,00,08,00,00,00,40,7e,da,e8,92,ae,c7,01
"HRZR_EHACNGU:P:\JVAAG\rkcybere.rkr"=hex:08,00,00,00,1a,00,00,00,40,30,cb,c2,12,b2,c7,01
"HRZR_EHACNGU:P:\JVAAG\Flfgrz32\pnyp.rkr"=hex:01,00,00,00,06,00,00,00,60,23,98,34,a5,aa,c7,01
"HRZR_EHACVQY:%pfvqy2%\Pbzzhavpngvbaf\SnkGnyx ZBU.yax"=hex:02,00,00,00,06,00,00,00,80,c1,f3,26,3d,ac,c7,01
"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax"=hex:05,00,00,00,06,00,00,00,20,0b,b7,9f,92,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Fpurqhyrq Gnfxf.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Trggvat Fgnegrq.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Fpurqhyrq Gnfxf.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Trggvat Fgnegrq.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Qvfx Qrsentzragre.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Punenpgre Znc.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\Hgvyvgvrf & Gbbyf\Flfgrz Gbbyf\Onpxhc.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU:Q:\NCF\SVERSBK\ZBMVYY~1\SVERSBK.RKR"=hex:01,00,00,00,06,00,00,00,70,24,df,b0,a8,aa,c7,01
"HRZR_EHACVQY:%pfvqy2%\Pbzzhavpngvbaf\ZF Snk\Fraq Pbire Cntr Snk.yax"=hex:02,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00

This is just a snippet. They can become quite long. I’ve taken to exporting this ‘user assist’ key and then deleting it. It keeps popping back up, so something is ‘creating’ it as it goes.

Does it look familiar to the panel of experts here? ???

What it is is a rot13 encryption, e.g.

“HRZR_EHACVQY:%pfvqy2%\Frphevgl”=hex:07,00,00,00,06,00,00,00,e0,9a,76,4d,5a,
b1,c7,01
is

UEME_RUNPATH:C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe"=urk:00,
00,00,00,06,00,00,00,r0,n2,p3,s3,r8,n9,p7,01

A quote about its uses

“Rot13 is a simple Caesar-cypher encryption, that replaces each English letter with the one 13 places forward or back along the alphabet. The Rot13 cypher is used to obfuscate text in the Windows registry, to make captured data on your browsing habits and recent files less noticeable.”
So, do you have security encryption on your system? A decoder is available here:

http://www.tele-pro.co.uk/scripts/misc/rot13.htm
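The reply above names the obfuscation but not what the hex bytes mean. As an added example (not code from this thread or from any tool named in it), here is a small parser that ROT13-decodes the value names of a .reg export like the one posted and unpacks each 16-byte value as session counter, run counter and FILETIME last-run stamp; that 16-byte layout is assumed from public UserAssist write-ups for Windows 2000/XP, the sample lines are constructed from the export above, and the function names are mine.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample in the same .reg export format as the thread's
# UserAssist\{75048700-...}\Count key. One entry is wrapped with the
# trailing backslash that regedit writes on continuation lines.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_PGYFRFFVBA"=hex:74,8b,3d,0e,08,00,00,00
"HRZR_EHACNGU:P:\JVAAG\flfgrz32\EHAQYY32.RKR"=hex:08,00,00,00,1c,00,00,00,\
  40,33,da,b5,12,b2,c7,01
"HRZR_EHACVQY:%pfvqy2%\Fgneghc"=hex:05,00,00,00,08,00,00,00,90,81,f0,cb,28,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\Vagrearg Rkcybere.yax"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''

# A .reg value line: "name"=hex:aa,bb,... (the name itself may contain quotes,
# so the greedy group backtracks to the last "=hex: on the line).
_VALUE_RE = re.compile(r'^"(.*)"=hex:(.*)$')

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware datetime; 0 means 'never run'."""
    if ft == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _logical_lines(text):
    """Yield .reg lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_userassist(reg_text):
    """Decode UserAssist value names and unpack 16-byte values.

    Assumed layout (Windows 2000/XP): DWORD session, DWORD count, FILETIME
    last run, all little-endian. Values of other sizes (e.g. the 8-byte
    UEME_CTLSESSION entry) are kept raw.
    """
    entries = []
    for line in _logical_lines(reg_text):
        m = _VALUE_RE.match(line)
        if not m:
            continue
        # ROT13 only touches A-Z/a-z, so digits, %, \ and punctuation survive.
        name = codecs.decode(m.group(1), "rot_13")
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        entry = {"name": name, "raw": data, "session": None,
                 "count": None, "last_run": None}
        if len(data) == 16:
            session, count, ft = struct.unpack("<IIQ", data)
            entry.update(session=session, count=count,
                         last_run=filetime_to_datetime(ft))
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_REG):
        when = e["last_run"].isoformat() if e["last_run"] else "never"
        print(f"{e['name']}\n    session={e['session']} "
              f"count={e['count']} last_run={when}")
```

The count is reported raw; forensic tools commonly treat it as offset on 2000/XP, so compare counts between entries rather than reading them as absolute run totals.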

Can you post a screenshot? See http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

It’s strange that a registry key is there. You seem to be protected this way: double-clicking (executing) the .reg file does not add the file to the registry but edits the file. So you’re not messing up your registry yet.

Can you post a HijackThis Log? It can be downloaded here: http://www.bleepingcomputer.com/files/hijackthis.php

Yes, thank you. That is what I found after researching the key - apparently the same question has been asked on a number of forums. Do you know if it is in any way related to the ‘Windows File Protection’ service? I have not found that information.

UPDATE: Just found that it may be related to Explorer’s Launchpad file folder:

http://seclists.org/pen-test/2000/Nov/

Apologies - I used imprecise wording. It is not literally ‘popping up’ as in a pop-up window or in the Avast scanner message - I simply meant it keeps re-appearing in my registry. Not sure a screenshot would show anything better than the text of the actual reg key export file.

I downloaded it… It may take me several years to move through the instructions on how to use it! :o

Thank you for pointing to this. I will read it and try to use it to create a log file. Not sure, but think I’ve been ‘hijacked’ quite a bit recently. It does say one needs an ‘expert’ to interpret it, so - fair warning again - I may be back!

Thanks & best regards to you both!

How are you monitoring the registry? I mean, how did you find that this registry key is rewritten each time?

But indeed, interpreting the log is not an easy task… Take care. Better to post the log here.

I found it initially by accident searching the registry for another key. Then, I kept an eye on it.

Here is the log and start-up list. But it is not complete. There is one service not there that I am wondering about: HID.DLL. I do not recall seeing it before, but it is now running on start-up. This morning, I set the service to ‘manual start’ and will see what happens. But it was running when I did the initial HijackThis scan.

Another new event. Kerio FW will now not recognize nor open ports for Netscape or Thunderbird. TCPView sees them, however. Outcome: cannot connect to URLs with SPF Kerio FW running…

Logfile of HijackThis v1.99.1
Scan saved at 9:50:35 AM, on 6/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
D:\Aps\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape Internet Service\NSClient.exe
C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
C:\Program Files\Netscape Internet Service_NSWatchman.exe
D:\Utils\MS TCP View\Tcpview.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
D:\Aps\Thunderbird\thunderbird.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Devices\nohijackthist\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] d:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Remind!] D:\Aps\Remind!\remind.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [NetOnHold] .\FTNOHMgr.EXE /autoload
O4 - Global Startup: FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709
O17 - HKLM\System\CCS\Services\Tcpip\..\{75A803A6-D1C5-442C-A88B-F265B9CD0635}: NameServer = 205.188.146.145
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

StartupList report, 6/20/2007, 11:12:04 PM
StartupList version: 1.52.2
Started from : C:\Devices\nohijackthist\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

  • Using default options
  • Including empty and uninteresting sections
  • Showing rarely important sections
    ==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
d:\Alwil Software\Avast4\aswUpdSv.exe
d:\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
D:\utils\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
d:\Alwil Software\Avast4\ashWebSv.exe
d:\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
C:\WINNT\system32\stisvc.exe
C:\Devices\nohijackthist\HijackThis.exe


Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Shortcut to remind_backup.bat.lnk = D:\Aps\Remind!\backup\remind_backup.bat

Shell folders AltStartup:
Folder not found

User shell folders Startup:
Folder not found

User shell folders AltStartup:
Folder not found

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE

Shell folders Common AltStartup:
Folder not found

User shell folders Common Startup:
Folder not found

User shell folders Alternate Common Startup:
Folder not found


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Registry value not found

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
avast! = d:\ALWILS~1\Avast4\ashDisp.exe
Remind! = D:\Aps\Remind!\remind.exe
Netscape = C:\Program Files\Common Files\ISPCOMP\InstallService.exe
NetOnHold = .\FTNOHMgr.EXE /autoload
NetscapeClient =


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

No values found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

Registry key not found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
No subkeys found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
No subkeys found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
No subkeys found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Registry key not found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Registry key not found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry key not found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
No subkeys found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Registry key not found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Registry key not found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Registry key not found


Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Registry key not found


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Registry key not found


File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*


File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*


File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*


File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*


File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S



File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\system32\mshta.exe "%1" %*


File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1


Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\System32\setup\wmpocm.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE

[>{A9E8FC4B-FDB2-4F07-8FA5-973302667A77}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl


Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

Registry key not found


Load/Run keys from C:\WINNT\WIN.INI:

load=INI section not found
run=INI section not found

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found
HKLM\..\Windows\CurrentVersion\WinLogon: load=Registry key not found
HKLM\..\Windows\CurrentVersion\WinLogon: run=Registry key not found
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found
HKCU\..\Windows\CurrentVersion\WinLogon: load=Registry key not found
HKCU\..\Windows\CurrentVersion\WinLogon: run=Registry key not found
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=Registry value not found
HKLM\..\Windows NT\CurrentVersion\Windows: load=Registry value not found
HKLM\..\Windows NT\CurrentVersion\Windows: run=Registry value not found
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=INI section not found
SCRNSAVE.EXE=INI section not found
drivers=INI section not found

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=Registry value not found

Policies Shell key:

HKCU\..\Policies: Shell=Registry key not found
HKLM\..\Policies: Shell=Registry value not found


Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present


Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden


Verifying REGEDIT.EXE integrity:

  • Regedit.exe found in C:\WINNT
  • .reg open command is normal (regedit.exe %1)
  • Company name OK: 'Microsoft Corporation'
  • Original filename OK: 'REGEDIT.EXE'
  • File description: 'Registry Editor'

Registry check passed


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}


Enumerating Task Scheduler jobs:

No jobs found


Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab


Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll


Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\services.exe (autostart)
Application Management: %SystemRoot%\system32\services.exe (autostart)
avast! iAVS4 Control Service: "d:\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "d:\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "d:\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "d:\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Crystal WDM Audio Codec Driver: system32\drivers\cwbwdm.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (manual start)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Firewall Driver: \SystemRoot\system32\drivers\fwdrv.sys (system)
GlidePoint PS/2 Touchpad Filter: system32\DRIVERS\glideps2.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HID Input Service: %SystemRoot%\system32\hidserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IntelC51: system32\DRIVERS\IntelC51.sys (manual start)
IntelC52: system32\DRIVERS\IntelC52.sys (manual start)
IntelC53: system32\DRIVERS\IntelC53.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Kerio HIPS Driver: \SystemRoot\system32\drivers\khips.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (manual start)
Workstation: %SystemRoot%\System32\services.exe (autostart)
LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
mohfilt: system32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (autostart)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCI Utility: ??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PCIUtil.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
S3Inc: System32\DRIVERS\s3mt3d.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (manual start)
RunAs Service: %SystemRoot%\system32\services.exe (manual start)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (disabled)
SNMP Service: %SystemRoot%\System32\snmp.exe (disabled)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sunbelt Personal Firewall 4: "C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (manual start)
TVICHW32: ??\C:\WINNT\system32\DRIVERS\TVICHW32.SYS (manual start)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
User Profile Hive Cleanup: D:\utils\UPHClean\uphclean.exe (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)


Enumerating Windows NT logon/logoff scripts:
No scripts set to run

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: Registry value not found


Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Registry key not found


End of report, 27,684 bytes
Report generated in 0.381 seconds

hidusb.sys is for the USB hub. Have you placed a new hub on your system or started using a USB device?

Thank you, I just found the same information from another utility.

Yes, 3 months ago I installed a new Lexmark All-in-One device. It was working fine, then the scanner stopped working. Lexmark says ship the machine to them and they’ll send a new one. I think it is a driver problem. This is one of many problems that have been arising lately. The Lexmark set-up sets it up automatically as a ‘server’ printer, though it is only used as a local printer. I’ve disabled the server service for the moment (a couple of days ago). It prints just fine. The scanner/copier stopped working about a month ago.

I am connected with only Avast’s network & web shield at the moment (no firewall). Sunbelt is looking at my FW problem.

BTW, I tried DavidR’s Drop My Rights (took a while to find it, the link here is out of date), but it tells me that it cannot find an entrance through the ADVAVI32.dll.

Your Hijackthis log shows an O17 entry which typically indicates a domain hijack. The address appears to point to an AOL proxy server, but I don’t see the typical signs of an AOL installation. If this entry doesn’t point to your ISP I suggest you remove it.

In terms of ‘branding’, my ISP is Netscape & the dialer is Netscape. In terms of proxies, servers, & DNS, it is really AOL - I just do not have the AOL bells & whistles.

AFAIK, the entry is as it should be. Here is a diagnostics report from my NS Web Accelerator:

System Information:
Thu Jun 21 14:03:28 2007
Microsoft Windows 2000 Professional Service Pack 4 (Build 2195)
Disk space (C drive)
Available space to user = 1069 MB
Total space = 4024 MB
Free space on drive = 1069 MB
Memory Usage
Load = 91%
Total Physical = 127 MB
Free Physical = 10 MB
Complete.

Internet Settings:
IE Version = 1.2
Active Connections
Netscape
Local Area Network
All Connections
Netscape
Server = "http=127.0.0.1:5400"
Bypass = ";127.0.0.1:5400;update.microsoft.com;windowsupdate.microsoft.com;windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;.nai.com;.networkassociates.com;mcafee.com;.mapquest.com;.phobos.apple.com;update.adobe.com;admin.isp.netscape.com"
Local Area Network
Server = "http=127.0.0.1:5400"
Bypass = ";127.0.0.1:5400;update.microsoft.com;windowsupdate.microsoft.com;windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;.nai.com;.networkassociates.com;mcafee.com;.mapquest.com;.phobos.apple.com;update.adobe.com;admin.isp.netscape.com"
Listening TCP Ports
ANY:135
ANY:445
ANY:1025
ANY:1029
ANY:1034
ANY:44334
ANY:44501
127.0.0.1:5400
127.0.0.1:12080
127.0.0.1:12110
127.0.0.1:12143
172.147.109.113:139
Complete.

Registry Information:
Local Machine - SlipStream (Installation)
InstallerVer = "1.0"
Current User - SlipStream
RSH = "webaccelerator.isp.netscape.com"
RSIP = "205.188.146.146"
PEL = "update.microsoft.com"
Popup Blocker
Unregistered
Internet Settings
Default browser
C:\Program Files\Internet Explorer\iexplore.exe
6.00.2800.1106
User Agent = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
Proxy Enable = 1
Proxy Server = "http=127.0.0.1:5400"
Enable Http 1.1 = 1
Proxy Http 1.1 = 0
Max Connections 1.0 = 16
Network Settings
Complete.

LSP Information:
Could not start process
Complete.

Branding Information:
$COMPANY$ = "Netscape"
$APP$ = "Netscape Web Accelerator"
$APPSHORT$ = "Netscape Web Accelerator"
$SERVICE$ = "Netscape Internet Service"
$EMAIL$ = "Netscape Email Accelerator"
$LOGIN$ = "Enter your Netscape screenname/password."
$ISP$ = "ISP"
$CUSTSERV$ = "Netscape Member Services"
Complete.

Process Information:
Memory Information
Page Fault Count = 2142
Total Usage = 2392 KB
Peak Usage = 5756 KB
Modules
ntdll.dll 5.00.2195.7006
comctl32.dll 5.81
gdi32.dll 5.00.2195.7133
kernel32.dll 5.00.2195.7099
user32.dll 5.00.2195.7133
advapi32.dll 5.00.2195.7038
rpcrt4.dll 5.00.2195.7085
wininet.dll 6.00.2800.1593
msvcrt.dll 6.10.9844.0
shlwapi.dll 6.00.2800.1907 (xpsp2.070219-1040)
crypt32.dll 5.131.2195.6926
msasn1.dll 5.00.2195.6905
oleaut32.dll 2.40.4522
ole32.dll 5.00.2195.7059
rasapi32.dll 5.00.2195.6920
rasman.dll 5.00.2195.6824
ws2_32.dll 5.00.2195.6601
ws2help.dll 5.00.2134.1
tapi32.dll 5.00.2195.6664
shell32.dll 5.00.3900.7105
iphlpapi.dll 5.00.2195.7097
icmp.dll 5.00.2134.1
mprapi.dll 5.00.2181.1
samlib.dll 5.00.2195.6944
netapi32.dll 5.00.2195.7108
secur32.dll 5.00.2195.6695
ntdsapi.dll 5.00.2195.6666
dnsapi.dll 5.00.2195.7100
wsock32.dll 5.00.2195.6603
wldap32.dll 5.00.2195.7017
netrap.dll 5.00.2134.1
activeds.dll 5.00.2195.6601
adsldpc.dll 5.00.2195.6993
rtutils.dll 5.00.2168.1
setupapi.dll 5.00.2195.6622
userenv.dll 5.00.2195.7002
dhcpcsvc.dll 5.00.2195.7085
version.dll 5.00.2195.6623
lz32.dll 5.00.2195.6611
psapi.dll 4.00
imagehlp.dll 5.00.2195.6613
sensapi.dll 5.00.2195.6627
clbcatq.dll 2000.2.3529.0
sdicore.dll 3.2.12
msafd.dll 5.00.2195.6602
wshtcpip.dll 5.00.2195.6601
rsabase.dll 5.00.2195.6619
Complete.

Diagnostic Tests:
Test 1 - DNS Test
Resolved: www.cnn.com
Resolved: www.yahoo.com
Resolved: www.google.com
Resolved: webaccelerator.isp.netscape.com
Test 2 - Server Proxy Test
Connected to server
Test 3 - Direct Connect
Connected directly
Direct connection speed = 91.74 Kbps
Test 4 - Proxy Connect
Connected to accelerated client proxy
Accelerated connection speed = 206.76 Kbps
Test 5 - Features Enabled
Acceleration: High
Image Quality: Very Good
Email: Disabled
Popup Blocker: Enabled
Complete.

What is strange is that IE has been changed to my default browser…

UPDATE - However, FF tells me IT is the default browser… ???

Ok, scratch that. Here’s a full write-up on your question.

http://www.personal-computer-tutor.com/abc3/v29/vic29.htm

Thank you. That confirms essexboy’s original answer to my original question.

Perhaps I should start a new thread? The information on past browsing is there in the registry due to this ‘feature’ of IE (whether IE Is the browser you actually use or not). From what I’ve read so far, there are some ‘bugs’ that can decrypt and use this information for non-legitimate means, including some form of browser ‘hijacking’.

If Avast cannot find it, what are other recommendations?
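The ‘feature’ referred to above is Explorer’s UserAssist tracking: the value names under the Count key are stored ROT13-encoded, and on Windows 2000/XP each 16-byte program value holds a session number, a run counter and the FILETIME of the last run. As an added example, not code from this thread or from any tool mentioned in it, the Python script below decodes a constructed .reg export of such a key so that a defender can see exactly what those records reveal (and, conversely, what a user may want to clear). Assumptions: the sample entries and the placeholder GUID are constructed, and the stored counter starts at 5 on this format, so 5 is subtracted to get the real run count.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed .reg export of a UserAssist\...\Count key (sample data, not from
# any real machine; the GUID is a placeholder). Value names are ROT13-encoded.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{PLACEHOLDER-GUID}\Count]
"HRZR_PGYFRFFVBA"=hex:01,00,00,00,08,00,00,00
"HRZR_EHACNGU:P:\JVAAG\abgrcnq.rkr"=hex:03,00,00,00,0a,00,00,00,00,40,53,1c,97,b3,c7,01
"HRZR_EHACNGU:Q:\Hgvyf\onpxhc.rkr"=hex:03,00,00,00,06,00,00,00,00,40,\
  53,1c,97,b3,c7,01
'''

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 2000/XP layout of a 16-byte program entry: session (DWORD),
# run counter (DWORD), last-run FILETIME (QWORD), all little-endian.
ENTRY_LAYOUT = '<IIQ'
# The stored counter starts at 5 on this format, so the real run count is stored - 5.
COUNTER_BASE = 5


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_reg(text):
    """Decode every "name"=hex:... line of a UserAssist .reg export.

    Returns a list of dicts; control values (UEME_CTL*) are kept raw, 16-byte
    program entries are split into session, run_count and last_run.
    """
    # .reg wraps long hex lists with a trailing backslash; rejoin those lines first.
    joined = re.sub(r',\\\s*\n\s*', ',', text)
    entries = []
    for line in joined.splitlines():
        m = re.match(r'^"([^"]+)"=hex:([0-9a-fA-F,]*)$', line.strip())
        if not m:
            continue
        name = codecs.decode(m.group(1), 'rot_13')
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        entry = {'name': name, 'raw': data}
        if name.startswith('UEME_CTL'):
            entry['kind'] = 'control'
        elif len(data) == struct.calcsize(ENTRY_LAYOUT):
            session, stored_count, filetime = struct.unpack(ENTRY_LAYOUT, data)
            entry.update(
                kind='program',
                session=session,
                run_count=max(stored_count - COUNTER_BASE, 0),
                # A zero FILETIME means the entry carries no last-run timestamp.
                last_run=filetime_to_datetime(filetime) if filetime else None,
            )
        else:
            entry['kind'] = 'unknown'
        entries.append(entry)
    return entries


if __name__ == '__main__':
    for e in parse_userassist_reg(SAMPLE_REG):
        if e['kind'] == 'program':
            print(f"{e['name']}: run {e['run_count']}x, last {e['last_run']}")
        else:
            print(f"{e['name']}: {e['kind']} ({e['raw'].hex()})")
```

Run it against an export made with `regedit /e` of the Count key; the control values (UEME_CTLSESSION, UEME_CTLCUACount) are deliberately left undecoded because their layout differs from the program entries, and the timestamps are printed in UTC, so convert to local time before comparing them with other evidence.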

Better would be a HijackThis log.

It will be good, too, if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

I just closed Firefox because I could not even connect to my ISP account page, much less to this forum… Yet without changing my connection whatsoever, I open IE and have no problem bringing up these URLs…

PS: So, something has not only changed my ‘default’ browser to IE, it changed my IE ‘homepage’ setting (back to MSN), and has done SOMETHING that lets IE connect to the Internet, but does not let Firefox and Thunderbird connect.

IE is not my preferred browser…

Yes, I posted that earlier in this thread:

http://forum.avast.com/index.php?topic=28910.msg237143#msg237143

Well, my bandwidth shrinks over time as I stay connected. But I will try to download one of these.

Thank you. :)