WNSO.EXE help please.........

system · 2007-10-21T16:12:23.000Z

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
!AVG Anti-Spyware → %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe → GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 4:25:42 AM | Attr = ]
ATIPTA → %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe → ATI Technologies, Inc. [Ver = 6.14.10.5142 | Size = 339968 bytes | Modified Date = 3/8/2005 9:05:00 PM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 5:06:10 AM | Attr = ]
HPHmon05 → %System32%\hphmon05.exe → Hewlett-Packard [Ver = 5,0,84 | Size = 483328 bytes | Modified Date = 5/22/2003 9:55:38 PM | Attr = ]
SearchIndexer → %System32%\xytoqfrl.dll [rundll32.exe “C:\WINDOWS\system32\xytoqfrl.dll”,sitypnow] → [Ver = | Size = 83008 bytes | Modified Date = 10/21/2007 9:57:50 AM | Attr = ]
SynTPEnh → %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe → Synaptics, Inc. [Ver = 7.5.18.1 15Jul03 | Size = 618496 bytes | Modified Date = 7/15/2003 2:08:10 PM | Attr = ]
SynTPLpr → %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe → Synaptics, Inc. [Ver = 7.5.18.1 15Jul03 | Size = 110592 bytes | Modified Date = 7/15/2003 2:09:18 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Common Startup > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersStartup%\WNSO.lnk → %CommonProgramFiles%\RGGZS\WNSO.exe → File not found
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] → %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] → GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 7:29:58 AM | Attr = ]
{733E9132-53CA-4C97-9AC9-145C4502FA20} [HKLM] → %System32%\rqrqomm.dll → File not found
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
AtiExtEvent → %System32%\ati2evxx.dll → ATI Technologies Inc. [Ver = 6.14.10.4113 | Size = 61440 bytes | Modified Date = 3/8/2005 4:34:34 PM | Attr = ]
WgaLogon → Reg Data - Value does not exist → File not found
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools → 0 →
< HOSTS File > (764 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →
192.168.1.109 HP000D9D182CA5 → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://us8l.hpwis.com →
HKLM: Main\Default_Search_URL → http://www.google.com/ie →
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch →
HKLM: Start Page → http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home →
HKLM: CustomizeSearch → http://seek.3721.com/srchcust.htm →
HKLM: Search\Default_Search_URL → http://www.google.com/ie →
HKLM: SearchAssistant → http://www.google.com/ie →
HKCU: Local Page → C:\WINDOWS\system32\blank.htm →
HKCU: Search Bar → http://www.google.com/ie →
HKCU: Search Page → http://www.google.com →
HKCU: Start Page → http://us8l.hpwis.com/ →
HKCU: SearchAssistant → http://www.google.com/ie →
HKCU: ProxyEnable → 0 →
HKCU: ProxyOverride → 127.0.0.1 →
< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] → Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 8:38:22 PM | Attr = ]
{387EDF53-1CF2-4523-BC2F-13462651BE8C} [HKLM] → %System32%\BhoCitUS.dll [CitiUSBrowserHelper Class] → Orbiscom Ltd. All rights reserved. [Ver = 3, 7, 0, 0, 134 | Size = 139264 bytes | Modified Date =

system · 2007-10-21T16:13:12.000Z

8/12/2004 2:55:00 PM | Attr = ]
{733E9132-53CA-4C97-9AC9-145C4502FA20} [HKLM] → %System32%\rqrqomm.dll [Reg Data - Value does not exist] → File not found
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
{89AD4D75-2429-462e-BD4E-443F233F6033} [HKLM] → %System32%\vtquqiex.dll [Reg Data - Value does not exist] → File not found
{E8A11B0B-1C19-4C36-B956-F0C213CF18DF} [HKLM] → %System32%\vturr.dll [Reg Data - Value does not exist] → [Ver = | Size = 244832 bytes | Modified Date = 9/19/2007 4:49:34 AM | Attr = ]
< Internet Explorer Bars [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
[HKLM] → Reg Data - Key not found → File not found
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll [HP View] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 4:26:28 AM | Attr = ]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll [HP View] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 4:26:28 AM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< User Agent Post Platform [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform →
SV1 → →
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{1AF1AB90-7611-4EF5-9EAC-76B4D4CF6D36} → (Realtek RTL8139/810x Family Fast Ethernet NIC) →
{22EC5A37-74D9-46B2-963C-7E18D6427A2E} → (1394 Net Adapter) →
{32564508-58B8-45A1-9A54-0B1E9C5D32A3} → (1394 Net Adapter) →
{5C79B13D-D4E6-41B5-8537-A193B74756ED} → () →
{690E8785-F190-4F25-8406-EAEDB088921C} → (Realtek RTL8139/810x Family Fast Ethernet NIC) →
{7C777C7A-6DEF-4F41-91BB-8AC28D08D0D7} → (1394 Net Adapter) →
{7D4EEF3A-321A-4114-8A31-619F7E7D68E3} → (1394 Net Adapter) →
{B0043B74-DEA3-411A-AEA4-86C8487645A8} → (Broadcom 802.11b) →
{B146B9C6-05FB-40C5-AAF9-4424DAD1C800} → (1394 Net Adapter) →
{C1D6AC56-DFF8-49B8-9E4A-81C6919FE1BA} → (Broadcom 802.11b) →
{EECAB3FF-1C5B-4C5B-B679-9AF04C2FC3B3} → (1394 Net Adapter) →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
cetihpz → %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll → Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 1/12/2005 2:54:56 PM | Attr = ]
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{00000055-9980-0010-8000-00AA00389B71} → - CodeBase = http://codecs.microsoft.com/codecs/i386/fhg.CAB →
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab →
Microsoft XML Parser for Java → - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab →

[Registry - Additional Scans - Non-Microsoft Only]
< Security Settings > → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ImagePath → %SystemRoot%\System32\svchost.exe -k netsvcs →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DisplayName → Background Intelligent Transfer Service →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnService → Rpcss; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnGroup → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Description → Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. →

system · 2007-10-21T16:14:36.000Z

8/12/2004 2:55:00 PM | Attr = ]
{733E9132-53CA-4C97-9AC9-145C4502FA20} [HKLM] → %System32%\rqrqomm.dll [Reg Data - Value does not exist] → File not found
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
{89AD4D75-2429-462e-BD4E-443F233F6033} [HKLM] → %System32%\vtquqiex.dll [Reg Data - Value does not exist] → File not found
{E8A11B0B-1C19-4C36-B956-F0C213CF18DF} [HKLM] → %System32%\vturr.dll [Reg Data - Value does not exist] → [Ver = | Size = 244832 bytes | Modified Date = 9/19/2007 4:49:34 AM | Attr = ]
< Internet Explorer Bars [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
[HKLM] → Reg Data - Key not found → File not found
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll [HP View] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 4:26:28 AM | Attr = ]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll [HP View] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 4:26:28 AM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< User Agent Post Platform [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform →
SV1 → →
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{1AF1AB90-7611-4EF5-9EAC-76B4D4CF6D36} → (Realtek RTL8139/810x Family Fast Ethernet NIC) →
{22EC5A37-74D9-46B2-963C-7E18D6427A2E} → (1394 Net Adapter) →
{32564508-58B8-45A1-9A54-0B1E9C5D32A3} → (1394 Net Adapter) →
{5C79B13D-D4E6-41B5-8537-A193B74756ED} → () →
{690E8785-F190-4F25-8406-EAEDB088921C} → (Realtek RTL8139/810x Family Fast Ethernet NIC) →
{7C777C7A-6DEF-4F41-91BB-8AC28D08D0D7} → (1394 Net Adapter) →
{7D4EEF3A-321A-4114-8A31-619F7E7D68E3} → (1394 Net Adapter) →
{B0043B74-DEA3-411A-AEA4-86C8487645A8} → (Broadcom 802.11b) →
{B146B9C6-05FB-40C5-AAF9-4424DAD1C800} → (1394 Net Adapter) →
{C1D6AC56-DFF8-49B8-9E4A-81C6919FE1BA} → (Broadcom 802.11b) →
{EECAB3FF-1C5B-4C5B-B679-9AF04C2FC3B3} → (1394 Net Adapter) →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
cetihpz → %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll → Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 1/12/2005 2:54:56 PM | Attr = ]
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{00000055-9980-0010-8000-00AA00389B71} → - CodeBase = http://codecs.microsoft.com/codecs/i386/fhg.CAB →
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab →
Microsoft XML Parser for Java → - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab →

[Registry - Additional Scans - Non-Microsoft Only]
< Security Settings > → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ImagePath → %SystemRoot%\System32\svchost.exe -k netsvcs →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DisplayName → Background Intelligent Transfer Service →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnService → Rpcss; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnGroup → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Description → Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. →

system · 2007-10-21T16:15:24.000Z

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe → C:\WINDOWS\system32\usmt\migwiz.exe::Enabled:Files and Settings Transfer Wizard →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\D:\Setup\HPZnet01.exe → D:\Setup\HPZnet01.exe::Disabled:ICE Network Plug in →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rlflnmk.exe → C:\WINDOWS\system32\rlflnmk.exe::Disabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rgeeihf.exe → C:\WINDOWS\system32\rgeeihf.exe::Disabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\1717986.exe → C:\WINDOWS\system32\1717986.exe::Disabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32-200431.exe → C:\WINDOWS\system32-200431.exe::Disabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32-16767.exe → C:\WINDOWS\system32-16767.exe::Disabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\yjiklkd.exe → C:\Program Files\Internet Explorer\yjiklkd.exe::Enabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\zfkhggn.exe → C:\WINDOWS\system32\zfkhggn.exe::Enabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\HP\tlchiil.exe → C:\Program Files\HP\tlchiil.exe::Enabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\MSN Messenger\msnmsgr.exe → C:\Program Files\MSN Messenger\msnmsgr.exe::Enabled:Windows Live Messenger 8.1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\MSN Messenger\livecall.exe → C:\Program Files\MSN Messenger\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone) →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ljnhokqn.exe → C:\WINDOWS\system32\ljn →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\1900:UDP → 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\2869:TCP → 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP → 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP → 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP → 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP → 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy‚—\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy‚—\C:\WINDOWS\system32-200431.exe → C:\WINDOWS\system32-200431.exe:*:Enabled:pop →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\Security →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\{690E8785-F190-4F25-8406-EAEDB088921C} → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\{7C777C7A-6DEF-4F41-91BB-8AC28D08D0D7} → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\{B0043B74-DEA3-411A-AEA4-86C8487645A8} → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\0 → Root\LEGACY_SHAREDACCESS\0000 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\Count → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\NextInstance → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath → %systemroot%\system32\svchost.exe -k netsvcs →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\DisplayName → Automatic Updates →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Description → Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll → C:\WINDOWS\system32\wuauserv.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\Security →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\0 → Root\LEGACY_WUAUSERV\0000 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\Count → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\NextInstance → 1 →
< Software Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Conferencing\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\PreventIndexingOutlook → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\PreventIndexingOutlookExpress → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\PreventIndexingEmailAttachments → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\DisableReplacingStartSearch → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\FRW → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\DesktopSearch\db → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\MRT\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\RTC\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\RTC{A5B45060-354F-4097-A928-5125436C46F1}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\RTC{A5B45060-354F-4097-A928-5125436C46F1}\DisableServerCheck → 1 →

system · 2007-10-21T16:16:35.000Z

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\RTC{A5B45060-354F-4097-A928-5125436C46F1}\LegacyPresence → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\EnableAdminTSRemote → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes → ADE;ADP;BAS;BAT;CHM;CMD;COM;CPL;CRT;EXE;HLP;HTA;INF;INS;ISP;LNK;MDB;MDE;MSC;MSI;MSP;MST;OCX;PCD;PIF;REG;SCR;SHS;URL;VB;WSC; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel → 262144 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\Description → Stop the download of this file →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\FriendlyName → Mdac11.cab →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg → 32771 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData → ^«0O•zI‰j
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize → ; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\Description → Stop the download of this file →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\FriendlyName → mdac20.cab →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg → 32771 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData → g°Ô‹4:?Ó¼éÜdgó” →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize → ; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\Description → Stop the download of this file →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\FriendlyName → mdac20_a.cab →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg → 32771 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData → 2xÜþøÈ“ÜŠ°Ý„} →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize → –; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\Description → Stop the download of this file →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\FriendlyName → msadc10.cab →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg → 32771 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData → ½š*ÛBëØV%Mø/g →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize → å; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\Description → Stop the download of this file →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\FriendlyName → msadc11.cab →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg → 32771 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData → 8k„ìöiÓk•j"À€ →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize → r; →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths{dda3f824-d8cb-441b-834d-be2efd2c1a33}\Description → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData → %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths{dda3f824-d8cb-441b-834d-be2efd2c1a33}\LastModified → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services\ → →
< Software Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\policies\ →
HKEY_CURRENT_USER\Software\Policies\ → →
HKEY_CURRENT_USER\Software\Policies\Microsoft\ → →

system · 2007-10-21T16:17:15.000Z

[Files/Folders - Created Within 30 days]
SDFix → %SystemDrive%\SDFix → [Folder | Created Date = 10/16/2007 9:00:38 PM | Attr = ]
SDFix.zip → %SystemDrive%\SDFix.zip → [Ver = | Size = 1346060 bytes | Created Date = 10/16/2007 10:30:09 PM | Attr = ]
$NtUninstallKB922120$ → %SystemRoot%$NtUninstallKB922120$ → [Folder | Created Date = 10/5/2007 7:11:30 PM | Attr = H ]
$NtUninstallKB933729$ → %SystemRoot%$NtUninstallKB933729$ → [Folder | Created Date = 10/10/2007 10:13:12 PM | Attr = H ]
$NtUninstallKB939653$ → %SystemRoot%$NtUninstallKB939653$ → [Folder | Created Date = 10/10/2007 10:11:30 PM | Attr = H ]
$NtUninstallKB941202$ → %SystemRoot%$NtUninstallKB941202$ → [Folder | Created Date = 10/10/2007 10:09:57 PM | Attr = H ]
winshow.exe → %SystemRoot%\winshow.exe → [Ver = 23.03.0020 | Size = 35328 bytes | Created Date = 10/20/2007 4:51:38 PM | Attr = ]
bcwhocfi.exe → %System32%\bcwhocfi.exe → [Ver = | Size = 75328 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = ]
fnajvskc.ini → %System32%\fnajvskc.ini → [Ver = | Size = 693911 bytes | Created Date = 10/20/2007 2:22:48 PM | Attr = HS]
lrfqotyx.ini → %System32%\lrfqotyx.ini → [Ver = | Size = 694030 bytes | Created Date = 10/21/2007 8:57:48 AM | Attr = HS]
rrutv.bak2 → %System32%\rrutv.bak2 → [Ver = | Size = 641284 bytes | Created Date = 10/21/2007 3:26:34 AM | Attr = HS]
xytoqfrl.dll → %System32%\xytoqfrl.dll → [Ver = | Size = 83008 bytes | Created Date = 10/21/2007 8:57:48 AM | Attr = ]
AvgAsCln.sys → %System32%\drivers\AvgAsCln.sys → GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 10/14/2007 6:45:17 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
avenger → %SystemDrive%\avenger → [Folder | Modified Date = 10/15/2007 8:23:18 PM | Attr = ]
boot.ini → %SystemDrive%\boot.ini → [Ver = | Size = 209 bytes | Modified Date = 10/20/2007 6:41:56 PM | Attr = RHS]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Modified Date = 9/23/2007 11:00:48 AM | Attr = H ]
Program Files → %ProgramFiles% → [Folder | Modified Date = 10/14/2007 7:44:58 PM | Attr = R ]
SDFix → %SystemDrive%\SDFix → [Folder | Modified Date = 10/15/2007 7:33:38 PM | Attr = ]
SDFix.zip → %SystemDrive%\SDFix.zip → [Ver = | Size = 1346060 bytes | Modified Date = 10/16/2007 11:30:12 PM | Attr = ]
System Volume Information → %SystemDrive%\System Volume Information → [Folder | Modified Date = 10/17/2007 7:11:50 PM | Attr = HS]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 10/21/2007 10:15:24 AM | Attr = ]
$hf_mig$ → %SystemRoot%$hf_mig$ → [Folder | Modified Date = 10/10/2007 11:13:10 PM | Attr = H ]
$NtUninstallKB922120$ → %SystemRoot%$NtUninstallKB922120$ → [Folder | Modified Date = 10/5/2007 8:11:32 PM | Attr = H ]
$NtUninstallKB933729$ → %SystemRoot%$NtUninstallKB933729$ → [Folder | Modified Date = 10/10/2007 11:13:14 PM | Attr = H ]
$NtUninstallKB939653$ → %SystemRoot%$NtUninstallKB939653$ → [Folder | Modified Date = 10/10/2007 11:11:40 PM | Attr = H ]
$NtUninstallKB941202$ → %SystemRoot%$NtUninstallKB941202$ → [Folder | Modified Date = 10/10/2007 11:09:58 PM | Attr = H ]
assembly → %SystemRoot%\assembly → [Folder | Modified Date = 9/23/2007 10:50:36 AM | Attr = R S]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 10/21/2007 10:13:10 AM | Attr = S]
cookies.ini → %SystemRoot%\cookies.ini → [Ver = | Size = 2021 bytes | Modified Date = 10/21/2007 9:58:12 AM | Attr = ]
Help → %SystemRoot%\Help → [Folder | Modified Date = 10/11/2007 11:08:44 PM | Attr = ]
imsins.BAK → %SystemRoot%\imsins.BAK → [Ver = | Size = 1393 bytes | Modified Date = 10/10/2007 11:13:08 PM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 10/10/2007 11:13:32 PM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 9/23/2007 10:44:24 AM | Attr = HS]
Microsoft.NET → %SystemRoot%\Microsoft.NET → [Folder | Modified Date = 9/23/2007 10:48:10 AM | Attr = ]
netdet.ini → %SystemRoot%\netdet.ini → [Ver = | Size = 520 bytes | Modified Date = 10/8/2007 10:59:26 PM | Attr = ]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 10/21/2007 10:50:02 AM | Attr = ]
pss → %SystemRoot%\pss → [Folder | Modified Date = 10/16/2007 11:23:10 PM | Attr = ]
QTFont.qfn → %SystemRoot%\QTFont.qfn → [Ver = | Size = 54156 bytes | Modified Date = 10/9/2007 5:23:46 PM | Attr = H ]
system.ini → %SystemRoot%\system.ini → [Ver = | Size = 435 bytes | Modified Date = 10/20/2007 6:41:56 PM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 10/21/2007 10:55:32 AM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 10/20/2007 3:53:42 PM | Attr = S]
Temp → %SystemRoot%\Temp → [Folder | Modified Date = 10/21/2007 10:17:06 AM | Attr = ]
Thumbs.db → %SystemRoot%\Thumbs.db → [Ver = | Size = 73216 bytes | Modified Date = 10/11/2007 8:56:02 PM | Attr = HS]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
win.ini → %SystemRoot%\win.ini → [Ver = | Size = 730 bytes | Modified Date = 10/20/2007 6:41:56 PM | Attr = ]
winshow.exe → %SystemRoot%\winshow.exe → [Ver = 23.03.0020 | Size = 35328 bytes | Modified Date = 10/4/2007 12:19:48 AM | Attr = ]
WinSxS → %SystemRoot%\WinSxS → [Folder | Modified Date = 9/23/2007 10:39:30 AM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 10/21/2007 10:14:02 AM | Attr = H ]
Win_Update_Program.job → %SystemRoot%\tasks\Win_Update_Program.job → [Ver = | Size = 222 bytes | Modified Date = 10/21/2007 10:00:00 AM | Attr = ]
bcwhocfi.exe → %System32%\bcwhocfi.exe → [Ver = | Size = 75328 bytes | Modified Date = 10/21/2007 9:57:28 AM | Attr = ]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 10/18/2007 5:17:24 AM | Attr = ]
dllcache → %System32%\dllcache → [Folder | Modified Date = 10/17/2007 10:31:40 PM | Attr = RHS]
drivers → %System32%\drivers → [Folder | Modified Date = 10/15/2007 8:23:22 PM | Attr = ]
fnajvskc.ini → %System32%\fnajvskc.ini → [Ver = | Size = 693911 bytes | Modified Date = 10/21/2007 9:53:48 AM | Attr = HS]
FNTCACHE.DAT → %System32%\FNTCACHE.DAT → [Ver = | Size = 376056 bytes | Modified Date = 9/22/2007 5:00:14 AM | Attr = ]
lrfqotyx.ini → %System32%\lrfqotyx.ini → [Ver = | Size = 694030 bytes | Modified Date = 10/21/2007 10:17:36 AM | Attr = HS]
perfc009.dat → %System32%\perfc009.dat → [Ver = | Size = 63166 bytes | Modified Date = 9/23/2007 10:42:22 AM | Attr = ]
perfh009.dat → %System32%\perfh009.dat → [Ver = | Size = 403604 bytes | Modified Date = 9/23/2007 10:42:22 AM | Attr = ]
PerfStringBackup.INI → %System32%\PerfStringBackup.INI → [Ver = | Size = 457498 bytes | Modified Date = 9/23/2007 10:42:22 AM | Attr = ]
Restore → %System32%\Restore → [Folder | Modified Date = 10/17/2007 7:11:50 PM | Attr = ]
rrutv.bak2 → %System32%\rrutv.bak2 → [Ver = | Size = 641284 bytes | Modified Date = 10/21/2007 4:26:36 AM | Attr = HS]
rrutv.ini → %System32%\rrutv.ini → [Ver = | Size = 642589 bytes | Modified Date = 10/21/2007 10:55:42 AM | Attr = HS]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 1158 bytes | Modified Date = 10/5/2007 10:09:30 PM | Attr = ]
xytoqfrl.dll → %System32%\xytoqfrl.dll → [Ver = | Size = 83008 bytes | Modified Date = 10/21/2007 9:57:50 AM | Attr = ]
HpUsbPVR → %System32%\drivers\HpUsbPVR → [Folder | Modified Date = 10/7/2007 11:55:42 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes → %SystemDrive%\Thumbs.db:encryptable →
Thawte Consulting , → %SystemRoot%\HPBroker.dll → [Ver = 1, 0, 0, 18 | Size = 91848 bytes | Modified Date = 11/17/2006 11:34:40 AM | Attr = ]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 5:09:50 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 7/30/2003 11:00:00 PM | Attr = ]
PEC2 , PECompact2 , → %System32%\DivX.dll → DivX, Inc. [Ver = 6.6.1.4 | Size = 740442 bytes | Modified Date = 7/25/2007 9:50:22 PM | Attr = ]
PTech , → %System32%\LegitCheckControl.DLL → Microsoft® Corporation [Ver = 1.3.0272.0 | Size = 520968 bytes | Modified Date = 8/29/2005 2:27:12 PM | Attr = ]
aspack , → %System32%\LibHupSink.dll → [Ver = | Size = 206848 bytes | Modified Date = 8/27/2006 2:22:24 PM | Attr = ]
@Alternate Data Stream - 0 bytes → %System32%\Thumbs.db:encryptable →
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 7/30/2003 11:00:00 PM | Attr = ]
Thawte Consulting , → %System32%\XceedZip.dll → Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 4.5.77.0 | Size = 397856 bytes | Modified Date = 10/29/2001 9:44:36 AM | Attr = R ]
Thawte Consulting , → %System32%\xupload.ocx → Persits Software, Inc. [Ver = 2, 1, 0, 0 | Size = 227672 bytes | Modified Date = 11/22/2000 12:47:08 PM | Attr = ]
MZKERNEL32.DLL , → %System32%\zfkhggn.exe → [Ver = | Size = 49816 bytes | Modified Date = 5/9/2005 7:02:04 PM | Attr = ]
WSUD , UPX0 , → %System32%\dllcache\hwxjpn.dll → [Ver = | Size = 13463552 bytes | Modified Date = 7/30/2003 3:00:00 PM | Attr = ]
PTech , → %System32%\drivers\mtlstrm.sys → Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr = ]

< End of report >

polonus · 2007-10-21T22:17:21.000Z

Hi Mark and Mauserme,

If necessary I think you have to bring up avenger. As you have cleansed it so far, Mauserme, you can also guide Mark through the avenger routine. I think with you and essexboy we have all the expertise here at the avast webforum we need, and if you are at the end of this cleansing routine MarkLoehndorf, I hope you will come to join us and learn to help others to get clean of malware

Damian

system · 2007-10-21T22:20:54.000Z

Thanks for everything so far. I will run Avenger tonight and post any results. If I am capable to help anyone else, I would be more than happy to lend a hand.

system · 2007-10-21T23:52:44.000Z

I ran Avenger, to no avail. I’m at a loss now of what to do…
Here is the report
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mqiagmoy

Script file located at: ??\C:\WINDOWS\system32\vecoxyxq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

Folder C:\Program Files\Common files\RGGZS not found!
Deletion of folder C:\Program Files\Common files\RGGZS failed!

Could not process line:
C:\Program Files\Common files\RGGZS
Status: 0xc0000034

Completed script processing.

Finished! Terminate.

system · 2007-10-22T03:31:29.000Z

Mark, please be very carefull with the Avenger. It works at the API level - lower than Window’s protection. That’s its strength - it almost never fails to delete the specified files. But that’s also what brings the risk - if the script is written incorrectly it’s possible to wipe your drive with this tool and Window’s won’t be able to stop you. I’m not saying what you ran was wrong, but we’ll try a more targeted path in a bit.

Open WinPFind again and Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Registry - Non-Microsoft Only] < Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup YN -> %AllUsersStartup%\WNSO.lnk -> %CommonProgramFiles%\RGGZS\WNSO.exe < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks YN -> {733E9132-53CA-4C97-9AC9-145C4502FA20} [HKLM] -> %System32%\rqrqomm.dll [] < Internet Explorer Settings > -> YN -> HKLM: CustomizeSearch -> http://seek.3721.com/srchcust.htm [Files/Folders - Created Within 30 days] NY -> winshow.exe -> %SystemRoot%\winshow.exe NY -> bcwhocfi.exe -> %System32%\bcwhocfi.exe NY -> fnajvskc.ini -> %System32%\fnajvskc.ini NY -> lrfqotyx.ini -> %System32%\lrfqotyx.ini NY -> rrutv.bak2 -> %System32%\rrutv.bak2 NY -> xytoqfrl.dll -> %System32%\xytoqfrl.dll [Files/Folders - Modified Within 30 days] NY -> rrutv.ini -> %System32%\rrutv.ini

Post the results in your next response as you did before.

Now, having sufficiently scared you about the Avenger I’ll ask you to open it once again

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WNSO.lnk
C:\Program Files\Common Files\RGGZS\WNSO.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Under “Script file to execute” choose “Input Script Manually”.

Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”

Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Then download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

polonus · 2007-10-22T16:51:12.000Z

Hi Markloehndorf,

Mauserme is right when he points out to you not to underestimate the strength of some of the anti-malware tools of to-day. When you are addressing your OS at API-level some strange things can happen, if you are not completely aware what you are doing. Such a program is API-Spy, if you work this tool without caution you can ruin your registry, and have to deal with duplicate start-ups or worse even. An awful tool in the hands of those who want to evaluate and devastating in the hands of malcreants.
That is why people should have ample experience to be able to guide malware victims through malware cleansing, for others just follow their instructions to the dot. Seems like Hogwarts’s Higher Magic to you now Mark but wait until you learn to work it right. Mauserme has been to bootcamp to work these tools, and polonus learned through experience…

polonus

system · 2007-10-23T01:20:46.000Z

I ran WinpFnd and here’s what was reported.
[Registry - Non-Microsoft Only]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WNSO.lnk moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WNSO.lnk moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{733E9132-53CA-4C97-9AC9-145C4502FA20} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{733E9132-53CA-4C97-9AC9-145C4502FA20} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch deleted successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\winshow.exe moved successfully.
C:\WINDOWS\SYSTEM32\bcwhocfi.exe moved successfully.
C:\WINDOWS\SYSTEM32\fnajvskc.ini moved successfully.
C:\WINDOWS\SYSTEM32\lrfqotyx.ini moved successfully.
C:\WINDOWS\SYSTEM32\rrutv.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\xytoqfrl.dll moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\SYSTEM32\rrutv.ini moved successfully.
< End of log >
Created on 10/22/2007 20:17:46

I’ll do the following steps next…

system · 2007-10-23T03:18:26.000Z

After Avebger…
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hkyvcnju

Script file located at: ??\C:\Documents and Settings\cvttiwqo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WNSO.lnk deleted successfully.

Could not open file C:\Program Files\Common Files\RGGZS\WNSO.exe for deletion
Deletion of file C:\Program Files\Common Files\RGGZS\WNSO.exe failed!

Could not process line:
C:\Program Files\Common Files\RGGZS\WNSO.exe
Status: 0xc000003a

Completed script processing.

Finished! Terminate.

system · 2007-10-23T03:41:52.000Z

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now see if you find

C:\Program Files\Common Files\RGGZS\WNSO.exe

If found, rename the file to wnso.old (if possible) and let me know the results.

polonus · 2007-10-23T11:11:26.000Z

Hi MarkLoehndorf,

You could also try killbox. Download from here: http://download.bleepingcomputer.com/spyware/KillBox.exe
Instruction how to use it here: http://www.killbox.net/help.html

Maybe while working killbox you have to disable system restore, and enable it again when the executable has been succesfully killed.
How to do that, follow instructions in the link below:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

polonus

P.S. What we have here at hand could be win32.Troj.agent.lh.3996 and/or a malware infection by the name of Dmad

Type: Adware
Type Description: Software that usually displays various advertising popups and it is packed and installed together with other software.
Level of Danger: Medium
Default action: Remove
File Name: fsprot.sys, moprot.sys, procserv.sys, wsorem.dll, citing.dll, sobar.dll, wnso.exe, wsomain.exe

D.

system · 2007-10-27T21:56:19.000Z

I’m back after encountering a major problem. I did get rid of the WNSO, but when the pc rebooted afterwards, it wouldn’t boot up. I was missing a windows file, couldn’t boot into safe mode or any other mode. I tried to use the Windows Repair, to no avail. So I decided to just bite the bullet and wipe the drive clean (it hasn’t been done since I bought it 2 years ago and has been running slowly) and start from scratch. I’ll keep in touch to see if anyone else gets hit by this WNSO. And I will keep using Avast… Mark

polonus · 2007-10-27T22:33:03.000Z

Hi Mark,

That is really a sour outcome of things, but there are occasions when such things alas cannot be avoided. It is almost like a mourning process when you have to say goodbye to an OS configuration (save as much of your data in backups next time around), and you have to start from scratch. Hopefully you learned a lot this way about the right attitude to avoid malware the second time around. Work from a normal user account to go onto the Internet, and an full admin account for updates and installing software, fully update the software that is on your comp, and keep it that way, also you av and fw and other anti-malware software (ad-aware, etc)… Use in-browser security like NoScript, Cookie Editor, Stealther add-ons inside your Mozilla browser of choice (Firefox or Flock), search your queries with scandoo.com , and use the DrWeb’s hyperlink av scanner plug-in inside your browser. If in need of anonymity use the best of two worlds America and Germany: the tor-firefox browser, called xB-Browser (formerly known as Torpark), and the Jap2FFV0.5.16 add-on (proxy service mix from Uni Dresden) together with NoScript, Stealther and Distrust, you can run that from an USB stick, and carry it around in your pocket, and you are well protected by this formula, my friend…

wishing you’ll stay free of malware for the future,

Damian

system · 2007-10-27T23:13:36.000Z

I’m sorry to hear that Mark. I’m at a loss to understand it though. We weren’t anywhere near the system files during this part and renaming a program file shouldn’t kill your OS - it should just prevent the program from running.

There might have been something else going on that we didn’t see, but I suppose we’ll never know …

system · 2007-10-28T21:49:52.000Z

I did learn a few things, and was reminded of some others also. I now have a network backup drive to archive any data that needs to be kept. Luckily, I didn’t lose anything from my old setup, just have to reinstall a lot of software. Luckily, I was already using another of my older pc’s as a backup. It could have been worse… Once again thanks all. Mark

DavidR · 2007-10-28T22:46:28.000Z

Now you have a network drive for data, I would suggest you also look disk imaging software.

I use Drive Image 7.1, the last version by PowerQuest before it was bought by Symantec and merged into its Norton Ghost disk imaging software, another option id Acronis true Image, there are others, most of them are paid options.

I take an image back-up of my primary hard disk partitions every week as part of my system maintenance. This is saved to my second HDD or it can also be written to a DVD. I also back-up volatile data files, .doc, .xls, etc. along with emails, bookmarks, address book, registration keys, etc. (anything you don’t want to lose) every day sometimes several times a day.

So if I experience a problem like yours (haven’t to date) then I just restore my last back-up disk image (takes about 15 minutes) followed by the last daily data back-up (takes seconds rather than minutes) and I will have lost virtually nothing.

Compare that with your experience and the money I paid for my disk imaging software would have paid for itself if it had to be used just once if you valued your time at just £5 per hour. I have had to use it several times (not virus related) where it has hauled my a** out of the fire, it is an absolute god send.

Announcements