
Whenever I load up Windows, explorer.exe will not start. I can open up Task Manager and launch it from there, but it will close within the next ten seconds. I have done a Malwarebytes Anti-Malware scan, and it turns out I have a Vundo infection.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:02 PM, on 11/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin's Desktop\My Documents\Downloads\FixVundo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Content Filter\mfp.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\\system32\\userinit.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 oemantivir.microsoft.com
O1 - Hosts: 91.206.201.8 oemantivir.com
O1 - Hosts: 91.206.201.8 www.oemantivir.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2010\launcher.exe" delay 20000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'icf.dll' missing
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD0115A-5FED-479B-B841-811C9B5803F3}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ,sozewema.dll c:\windows\system32\ralasife.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: yahidetuj - {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Any help would be appreciated.
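A small triage script for logs in this format, added here as an example (it is not HijackThis code and is not part of this thread). It runs over a handful of lines copied from the log above and pulls out the three things a responder looks at first: hosts-file entries that send a hostname to a remote address, every DLL listed under AppInit_DLLs (Windows loads each of those into every process that maps user32.dll), and registry entries that still point at a file that no longer exists. The function names, the check wording and the choice of what to flag are my own assumptions, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import ipaddress
import re

# Sample input: a subset of lines copied from the HijackThis log above,
# embedded so the script runs offline.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 oemantivir.microsoft.com
O1 - Hosts: 91.206.201.8 oemantivir.com
O1 - Hosts: 91.206.201.8 www.oemantivir.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ,sozewema.dll c:\windows\system32\ralasife.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: yahidetuj - {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)\s*$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
NOFILE_RE = re.compile(r"^O\d+ - .*\((?:no file|file missing)\)\s*$")


def parse_hosts_entries(lines):
    """Yield (ip, hostname) for every 'O1 - Hosts:' line."""
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def hosts_overrides(lines):
    """Return (hostname, ip, reason) for hosts entries that point somewhere
    other than the local machine. Such an entry silently redirects every
    program on the box that resolves that name (here, the vendor's update
    and support hostnames are sent to an unrelated remote address)."""
    findings = []
    for ip, host in parse_hosts_entries(lines):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((host, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost mappings and 0.0.0.0 sinkhole entries are normal
        findings.append((host, ip, "hostname redirected to remote address"))
    return findings


def appinit_dlls(lines):
    """Split the AppInit_DLLs value into individual DLL references.
    HijackThis prints 8.3 short names in this field, so splitting on
    spaces and commas is safe for this log (simplification: a long path
    containing a space would be split incorrectly)."""
    dlls = []
    for line in lines:
        m = APPINIT_RE.match(line)
        if m:
            dlls.extend(tok for tok in re.split(r"[\s,]+", m.group(1)) if tok)
    return dlls


def unqualified_appinit_dlls(lines):
    """AppInit entries given as a bare filename instead of a full path are
    resolved through the DLL search order, which makes them harder to
    locate and verify on disk; report them separately."""
    return [d for d in appinit_dlls(lines) if not re.match(r"^[A-Za-z]:\\", d)]


def orphaned_entries(lines):
    """Entries whose target reads '(no file)' or '(file missing)': dangling
    registry references, usually leftovers of a partial clean-up or an
    uninstall; harmless on their own but worth removing."""
    return [line for line in lines if NOFILE_RE.match(line)]


def triage(log_text):
    """Run all checks over one log and return the findings by category."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {
        "hosts_overrides": hosts_overrides(lines),
        "appinit_dlls": appinit_dlls(lines),
        "unqualified_appinit_dlls": unqualified_appinit_dlls(lines),
        "orphaned_entries": orphaned_entries(lines),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the AppInit list is reported in full on purpose, since every DLL in that value is injected system-wide and each one needs to be accounted for, not only the ones that look odd.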

2 Contributors, 46 Replies, 47 Views, 7 Years Discussion Span, Last Post by PhilliePhan

I seem to have gotten rid of the Vundo infection; however, explorer.exe shows as running but does not appear at the bottom of the screen.

I seem to have gotten rid of the Vundo infection; however, explorer.exe shows as running but does not appear at the bottom of the screen.

Your HJT is out of date - go ahead and delete it.

-- Can you post your MBAM scanlog?

-- Please download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


I or one of the other volunteers will check back as time permits.
I'll be gone until Tuesday evening EST.

Cheers :)
PP


Here is DDS.txt


DDS (Ver_09-10-26.01) - NTFSx86
Run by Kevin's Desktop at 16:22:47.83 on Tue 11/10/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.651 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin's Desktop\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster 2010\launcher.exe" delay 20000
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\m8F5I5cAG.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
TCP: {CDD0115A-5FED-479B-B841-811C9B5803F3} = 192.168.0.1
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll ,c:\windows\system32\ralasife.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,nasikaje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yahidetuj - {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} -
STS: {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d}: tokatiluy
LSA: Notification Packages = scecli vutofudi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin'~1\applic~1\mozilla\firefox\profiles\v2jw9bm7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\kevin's desktop\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\kevin's desktop\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\byond\bin\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-3 28544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-10 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-7 38224]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [2007-8-4 19677]
S4 gupdate1c994aa5602f89a;Google Update Service (gupdate1c994aa5602f89a);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2009-11-10 20:25:54 0 ---ha-w- c:\windows\system32\BIT2.tmp
2009-11-10 03:43:31 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:43:31 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:41:18 0 d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-10 03:23:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-10 01:17:39 1033216 ----a-w- c:\windows\test.exe
2009-11-09 23:53:29 0 d-----w- c:\program files\Uniblue
2009-11-09 23:16:57 0 d-----w- c:\docume~1\kevin'~1\applic~1\Uniblue
2009-11-09 22:56:44 54386 ----a-w- C:\crash.dmp
2009-11-09 22:56:02 281616 ----a-w- c:\windows\sediag.exe
2009-11-08 01:17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 01:17:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 01:17:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 02:17:15 0 d-----w- c:\program files\LimeWire
2009-10-29 23:54:44 0 d-----w- c:\program files\common files\TI Shared
2009-10-29 23:52:01 253672 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2009-10-29 23:50:44 0 d-----w- c:\program files\Vernier Software
2009-10-29 02:03:30 0 d-----w- c:\program files\Audacity
2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys

==================== Find3M ====================

2009-10-20 00:00:35 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 02:36:28 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-11 02:36:26 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-10-01 20:11:09 38 ----a-w- c:\documents and settings\kevin's desktop\jagex_runescape_preferences.dat
2009-10-01 20:09:15 45 ----a-w- c:\documents and settings\kevin's desktop\jagex_runescape_preferences2.dat
2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:49:02 628224 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:49:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:49:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:49:01 532480 ----a-w- c:\windows\system32\dllcache\mstime.dll
2009-09-25 05:49:01 449024 ------w- c:\windows\system32\dllcache\mshtmled.dll
2009-09-25 05:49:01 39424 ------w- c:\windows\system32\dllcache\pngfilt.dll
2009-09-25 05:49:01 146432 ------w- c:\windows\system32\dllcache\msrating.dll
2009-09-25 05:48:59 96256 ----a-w- c:\windows\system32\dllcache\inseng.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 05:48:59 55808 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:48:59 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-09-25 05:48:59 16384 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-09-25 05:48:58 357888 ------w- c:\windows\system32\dllcache\dxtmsft.dll
2009-09-25 05:48:58 205312 ------w- c:\windows\system32\dllcache\dxtrans.dll
2009-09-25 05:48:58 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:48:58 1054208 ----a-w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:48:57 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
2009-09-22 23:23:04 12380 -c--a-w- c:\docume~1\kevin'~1\applic~1\wklnhst.dat
2009-09-18 09:46:06 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-18 04:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-07-07 20:26:43 22 -c--a-w- c:\program files\New Compressed (zipped) Folder.zip
2008-01-19 16:10:22 8 --sh--r- c:\windows\system32\7A7C3F9537.sys
2009-08-08 01:00:49 37888 --sha-w- c:\windows\system32\batujuko.dll
2009-08-10 20:25:23 52224 --sha-w- c:\windows\system32\bogerijo.dll
2009-08-09 20:25:53 61440 --sha-w- c:\windows\system32\dobonede.dll
2008-09-25 21:05:53 88 -csh--r- c:\windows\system32\E2614D71A5.sys
2009-08-09 20:25:53 38912 --sha-w- c:\windows\system32\hinirole.dll
2008-09-25 21:05:57 3558 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-10 20:25:56 52224 --sha-w- c:\windows\system32\vutofudi.dll

============= FINISH: 16:24:56.58 ===============

After restarting my computer, I have run another Malwarebytes scan and here is my log.

Malwarebytes' Anti-Malware 1.40
Database version: 2631
Windows 5.1.2600 Service Pack 2

8/15/2009 9:06:47 PM
mbam-log-2009-08-15 (21-06-47).txt

Scan type: Quick Scan
Objects scanned: 93546
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhld32 (Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\rscdhf\earosysguard.exe (Fake.SystemTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhld32.dll (Dialer) -> Quarantined and deleted successfully.

Attachments
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/7/2006 9:59:13 AM
System Uptime: 11/10/2009 3:19:48 PM (1 hours ago)

Motherboard: Dell Computer Corp. |  | 0WF887
Processor:                 Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2526/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 53 GiB total, 5.759 GiB free.
D: is FIXED (NTFS) - 18 GiB total, 3.584 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP827: 8/24/2009 7:36:44 PM - Software Distribution Service 3.0
RP828: 8/24/2009 7:36:45 PM - System Checkpoint
RP829: 8/24/2009 7:36:45 PM - Software Distribution Service 3.0
RP830: 8/24/2009 7:36:46 PM - System Checkpoint
RP831: 8/24/2009 7:36:47 PM - Software Distribution Service 3.0
RP832: 8/24/2009 7:36:47 PM - System Checkpoint
RP833: 8/24/2009 7:36:48 PM - Software Distribution Service 3.0
RP834: 8/24/2009 7:36:48 PM - System Checkpoint
RP835: 8/24/2009 7:36:48 PM - Software Distribution Service 3.0
RP836: 8/24/2009 7:36:48 PM - Removed Steam
RP837: 8/24/2009 7:36:49 PM - Software Distribution Service 3.0
RP838: 8/24/2009 7:36:49 PM - System Checkpoint
RP839: 8/24/2009 7:36:49 PM - Software Distribution Service 3.0
RP840: 8/24/2009 7:36:49 PM - Removed AVG 8.5
RP841: 8/24/2009 7:36:50 PM - Installed AVG 8.5
RP842: 8/24/2009 7:36:50 PM - Software Distribution Service 3.0
RP843: 8/24/2009 7:36:50 PM - Software Distribution Service 3.0
RP844: 8/24/2009 7:36:51 PM - Printer Driver Microsoft XPS Document Writer Installed
RP845: 8/24/2009 7:36:51 PM - Software Distribution Service 3.0
RP846: 8/24/2009 7:36:51 PM - Software Distribution Service 3.0
RP847: 8/24/2009 7:36:51 PM - Software Distribution Service 3.0
RP848: 8/24/2009 7:36:52 PM - Software Distribution Service 3.0
RP849: 8/24/2009 7:36:52 PM - Software Distribution Service 3.0
RP850: 8/24/2009 7:36:52 PM - Software Distribution Service 3.0
RP851: 8/24/2009 7:36:52 PM - Software Distribution Service 3.0
RP852: 8/24/2009 7:36:53 PM - Software Distribution Service 3.0
RP853: 8/24/2009 7:36:53 PM - Software Distribution Service 3.0
RP854: 8/24/2009 7:36:53 PM - Software Distribution Service 3.0
RP855: 8/25/2009 9:52:13 PM - Software Distribution Service 3.0
RP856: 8/26/2009 10:13:14 PM - Software Distribution Service 3.0
RP857: 8/27/2009 11:10:19 PM - Software Distribution Service 3.0
RP858: 8/29/2009 12:24:23 AM - Software Distribution Service 3.0
RP859: 8/29/2009 10:56:06 PM - Software Distribution Service 3.0
RP860: 9/7/2009 1:38:22 AM - System Checkpoint
RP861: 9/8/2009 4:17:20 PM - System Checkpoint
RP862: 9/9/2009 9:39:09 PM - System Checkpoint
RP863: 9/10/2009 10:22:49 PM - Software Distribution Service 3.0
RP864: 9/12/2009 2:24:09 PM - System Checkpoint
RP865: 9/15/2009 7:13:18 PM - System Checkpoint
RP866: 9/17/2009 4:52:19 PM - System Checkpoint
RP867: 9/18/2009 5:44:25 PM - System Checkpoint
RP868: 9/19/2009 6:39:29 PM - System Checkpoint
RP869: 9/20/2009 8:44:59 PM - System Checkpoint
RP870: 9/21/2009 10:19:05 PM - System Checkpoint
RP871: 9/23/2009 10:20:47 PM - System Checkpoint
RP872: 9/24/2009 11:00:54 PM - System Checkpoint
RP873: 9/26/2009 1:31:06 PM - System Checkpoint
RP874: 9/27/2009 3:42:27 PM - System Checkpoint
RP875: 9/30/2009 5:19:12 PM - Installed Poladroid
RP876: 10/1/2009 5:40:14 PM - System Checkpoint
RP877: 10/2/2009 6:26:41 PM - System Checkpoint
RP878: 10/3/2009 7:19:42 PM - System Checkpoint
RP879: 10/6/2009 5:53:25 PM - System Checkpoint
RP880: 10/7/2009 9:02:54 PM - System Checkpoint
RP881: 10/9/2009 3:41:45 PM - System Checkpoint
RP882: 10/10/2009 3:18:16 PM - Installed Steam
RP883: 10/11/2009 11:53:23 PM - System Checkpoint
RP884: 10/12/2009 11:56:01 PM - System Checkpoint
RP885: 10/13/2009 9:18:13 PM - Software Distribution Service 3.0
RP886: 10/16/2009 12:20:02 PM - System Checkpoint
RP887: 10/17/2009 12:27:05 PM - System Checkpoint
RP888: 10/18/2009 12:42:39 PM - System Checkpoint
RP889: 10/19/2009 4:03:27 PM - System Checkpoint
RP890: 10/20/2009 4:18:19 PM - System Checkpoint
RP891: 10/21/2009 5:03:57 PM - System Checkpoint
RP892: 10/22/2009 6:07:53 PM - System Checkpoint
RP893: 10/23/2009 6:28:28 PM - System Checkpoint
RP894: 10/24/2009 6:30:48 PM - System Checkpoint
RP895: 10/26/2009 4:19:08 PM - System Checkpoint
RP896: 10/27/2009 4:26:24 PM - System Checkpoint
RP897: 10/28/2009 4:27:29 PM - System Checkpoint
RP898: 10/29/2009 4:29:11 PM - System Checkpoint
RP899: 10/29/2009 7:50:42 PM - Installed Graphical Analysis 3.2
RP900: 10/30/2009 11:43:31 PM - System Checkpoint
RP901: 11/1/2009 1:23:05 AM - System Checkpoint
RP902: 11/2/2009 5:01:09 PM - System Checkpoint
RP903: 11/3/2009 5:57:30 PM - System Checkpoint
RP904: 11/3/2009 10:39:01 PM - Software Distribution Service 3.0
RP905: 11/4/2009 10:53:52 PM - Software Distribution Service 3.0
RP906: 11/6/2009 7:18:58 PM - System Checkpoint
RP907: 11/7/2009 8:52:48 PM - System Checkpoint
RP908: 11/8/2009 8:02:12 PM - System Checkpoint
RP909: 11/9/2009 10:32:14 PM - Removed Ask Toolbar.
RP910: 11/9/2009 10:40:48 PM - Installed Kaspersky Internet Security 2010.

==== Installed Programs ======================

Action Replay Code Manager
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.0.8
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AIM 6
AirPlus G
ANIO Service
ANIWZCS2 Service
AOLIcon
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
Axife Mouse Recorder DEMO 5.01
BufferChm
Build Your Own Net Dream (remove only)
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Colorizer 1.0.0.1
Conexant D850 56K V.9x DFVc Modem
Connect
ConvertHelper 2.2
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
D4100
D4100_Help
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.2
Dell System Restore
DeviceManagementQFolder
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
Dynex mini card reader 
ELIcon
eSupportQFolder
FinalAlert 2 Yuri's Revenge
Games, Music, & Photos Launcher
Google Desktop
Google Earth
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Graphical Analysis 3.2
Half-Life 2
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photo and Imaging 2.0 - Deskjet Series
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
hp print screen utility
HP Software Update
HP Solution Center 7.0
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
IMRemote
InstantShareDevicesMFC
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Java DB 10.4.1.3
Java(TM) 6 Update 14
Java(TM) SE Development Kit 6 Update 11
Kaspersky Internet Security 2010
kuler
LimeWire 5.3.6
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
MarketResearch
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft IntelliType Pro 6.3
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft
0

. . . . explorer.exe shows as running but is not appearing at the bottom of the screen.

Can you clarify what you mean by that?

You have some baddies remaining - Let's do this:

FIRST:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

THEN:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers :)
PP

Edited by PhilliePhan: The Usual. . . .

0

Unfortunately, due to my system not letting me run explorer.exe, I cannot unzip JavaRa.zip. So far I have been using Task Manager to create new tasks to run programs. Whenever I try to run something I get the message
"The application or DLL C:\\WINDOWS\system32\nasikaje.dll is not a valid Windows image. Please check this against your installation diskette."
I can run .exe files, however.

0

Unfortunately, due to my system not letting me run explorer.exe, I cannot unzip JavaRa.zip . . .
I can run .exe files however.

Go ahead and do the combofix step. Let me know if you run into any problems.

PP :)

0

Done and done, everything worked perfectly.

ComboFix 09-11-09.02 - Kevin's Desktop 11/10/2009 22:57.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.790 [GMT -5:00]
Running from: c:\documents and settings\Kevin's Desktop\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\batujuko.dll
c:\windows\system32\dobonede.dll
c:\windows\system32\hinirole.dll
c:\windows\system32\junetike.dll.tmp
c:\windows\system32\meridewa.dll.tmp
c:\windows\system32\nasikaje.dll
c:\windows\system32\nelesoye.dll.tmp
c:\windows\system32\sujuwido.dll.tmp
c:\windows\system32\vileyela.dll.tmp
c:\windows\system32\yapakati.dll.tmp
c:\windows\system32\yusifabo.dll.tmp
c:\windows\Tasks\opqdxwfu.job
c:\windows\Tasks\tdkuwcek.job
c:\windows\TEMP\logishrd\LVPrcInj05.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.98
hxxp://82.98.231.99
.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-10 03:53 . 2009-11-10 03:53 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-11-10 03:53 . 2009-11-10 03:53 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-11-10 03:53 . 2009-11-10 03:53 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-11-10 03:43 . 2009-11-10 03:43 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:43 . 2009-11-10 03:43 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:41 . 2009-11-10 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-10 03:41 . 2009-11-10 03:41 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:23 . 2009-11-10 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-10 01:17 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\test.exe
2009-11-09 23:53 . 2009-11-09 23:53 -------- d-----w- c:\program files\Uniblue
2009-11-09 23:16 . 2009-11-09 23:16 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\Uniblue
2009-11-09 22:56 . 2009-10-19 21:24 281616 ----a-w- c:\windows\sediag.exe
2009-11-08 01:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 01:17 . 2009-11-08 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 01:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 21:04 . 2009-10-31 21:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 02:17 . 2009-10-30 02:17 -------- d-----w- c:\program files\LimeWire
2009-10-29 23:54 . 2009-10-29 23:54 -------- d-----w- c:\program files\Common Files\TI Shared
2009-10-29 23:52 . 2003-05-21 22:58 253672 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2009-10-29 23:50 . 2009-10-29 23:50 -------- d-----w- c:\program files\Vernier Software
2009-10-29 02:03 . 2009-10-29 02:03 -------- d-----w- c:\program files\Audacity
2009-10-21 01:34 . 2009-10-21 01:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-15 02:18 . 2009-10-15 02:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 19:41 . 2009-10-13 19:41 -------- d-----w- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 20:25 . 2009-11-10 20:25 0 ---ha-w- c:\windows\system32\BIT2.tmp
2009-11-10 03:39 . 2009-03-12 21:36 -------- d-----w- c:\program files\Colorizer
2009-11-10 03:27 . 2009-08-29 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 00:16 . 2008-02-05 02:24 -------- d-----w- c:\program files\Red Kawa
2009-11-09 22:55 . 2006-09-29 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-08 16:58 . 2009-10-10 19:18 -------- d-----w- c:\program files\Steam
2009-11-08 03:33 . 2008-10-09 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-07 01:08 . 2006-10-08 03:54 74360 -c--a-w- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 02:57 . 2007-02-09 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-04 02:42 . 2006-09-29 15:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-31 02:25 . 2008-11-08 18:51 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\LimeWire
2009-10-29 02:03 . 2009-03-04 20:48 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\Audacity
2009-10-20 22:06 . 2008-10-21 20:06 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\CameraWindowDC
2009-10-20 22:06 . 2008-10-21 20:11 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\ZoomBrowser EX
2009-10-11 02:36 . 2008-12-27 03:34 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-11 02:36 . 2008-12-27 03:34 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-10 19:03 . 2008-09-13 15:54 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-10-10 19:03 . 2008-09-13 15:54 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab
2009-10-03 00:39 . 2009-10-03 00:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-10-01 20:11 . 2008-07-01 16:12 38 ----a-w- c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences.dat
2009-10-01 20:09 . 2009-09-02 20:42 45 ----a-w- c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences2.dat
2009-09-30 21:19 . 2009-09-30 21:19 -------- d-----w- c:\program files\Poladroid
2009-09-25 05:49 . 2004-08-10 17:51 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 21:12 . 2006-09-29 15:18 -------- d-----w- c:\program files\McAfee
2009-09-22 23:23 . 2006-10-17 00:50 12380 -c--a-w- c:\documents and settings\Kevin's Desktop\Application Data\wklnhst.dat
2009-09-22 00:51 . 2008-11-19 22:34 -------- d-----w- c:\program files\SwiftKit
2009-09-14 19:42 . 2009-09-14 19:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-11 14:03 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 00:01 . 2009-09-10 00:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-04 20:45 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 20:29 . 2009-09-01 20:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-26 08:16 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 21:04 . 2009-08-14 21:04 239088 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\plugins\npgoogletalk.dll
2007-07-07 20:26 . 2007-07-07 20:26 22 -c--a-w- c:\program files\New Compressed (zipped) Folder.zip
2008-01-19 16:10 . 2008-01-19 16:10 8 --sh--r- c:\windows\system32\7A7C3F9537.sys
2009-08-10 20:25 . 2009-08-10 20:25 52224 --sha-w- c:\windows\system32\bogerijo.dll
2008-09-25 21:05 . 2006-11-19 15:37 88 -csh--r- c:\windows\system32\E2614D71A5.sys
2008-09-25 21:05 . 2006-11-19 15:37 3558 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-10 20:25 . 2009-08-10 20:25 52224 --sha-w- c:\windows\system32\vutofudi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"UniblueRegistryBooster"="c:\program files\Uniblue\RegistryBooster 2010\launcher.exe" [2009-09-29 59184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe" [2009-11-08 1312080]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"c:\\Program Files\\BYOND\\bin\\byond.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamdaemon.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:Mopar
"8000:TCP"= 8000:TCP:Shoutcast
"1080:TCP"= 1080:TCP:Dream Seeker
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"88:TCP"= 88:TCP:Xbox1
"3074:TCP"= 3074:TCP:Xbox2

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/3/2009 3:54 PM 28544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/10/2007 5:03 PM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 6:17 PM 450400]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [8/4/2007 3:57 PM 19677]
S4 gupdate1c994aa5602f89a;Google Update Service (gupdate1c994aa5602f89a);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007Core.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007UA.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {CDD0115A-5FED-479B-B841-811C9B5803F3} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\Firefox\Profiles\v2jw9bm7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SharedTaskScheduler-{ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
SSODL-yahidetuj-{ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Colorizer 1.0.0.1 - c:\progra~1\COLORI~1\UNWISE.EXE
AddRemove-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 23:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8A7A2808]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a7a2808
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A8CA16A-C292-5E3E-9663-94F025F4EA6E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abkahkaadijlibbfgilalckliclgdpnmnp"=hex:61,61,00,00
"bbkahkaadijlibbfgiiaicbplhngehhepmfg"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\SecuROM\License information*]
"datasecu"=hex:cb,4a,48,8e,2c,73,8c,30,65,5e,ff,7e,b4,a7,cd,c2,d0,48,d7,37,b7,
2d,19,53,f1,29,f8,57,7b,52,b9,53,d0,99,d3,f4,0c,48,eb,e2,77,03,dd,aa,08,05,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-11 23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 04:32

Pre-Run: 6,068,080,640 bytes free
Post-Run: 5,902,925,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 145F4397D0E6C5393D1E3445C6B24DC7

0

Done and done, everything worked perfectly.

Great! We are making some progress - still a bunch to do, though.

Please do this first:
-- Download mbr.exe to your C:\ Drive ---> C:\mbr.exe
-- Navigate to C:\mbr.exe and DoubleClick it to run it. It will run quickly and a log will appear on your C:\Drive ---> C:\mbr.log
-- Please rename that to mbr-1.log

THEN:
Click START > RUN > type or Copy&Paste mbr.exe -f ENTER
(note the space between .exe <space> -f if you type it)
-- Let the tool run and another mbr.log will appear on C:\Drive.

Please post Both logs for me and we'll go from there.

PP:)

0

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

mbr.exe -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

0

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net. . . . .

Ooops - In my haste I forgot to use the -t switch for the first mbr scan. That's why both logs look alike.
No worries - we were going to run the -f anyway which renders the whole issue moot....

-- There are still some issues in the combofix log - I'll post the next steps as soon as I have time.

-- Is explorer.exe still borked? If so, we'll deal with that as well.

PP:)

0

explorer.exe is what runs the start bar, and the desktop, and basically navigating the file system. It will run for a second, and die. I'm ready for anything that can help, thanks a ton.

0

explorer.exe is what runs the start bar, and the desktop, and basically navigating the file system. It will run for a second, and die. I'm ready for anything that can help, thanks a ton.

OK - Let's do this first:

-- Please delete your copy of ComboFix and download a fresh one to c:\documents and settings\Kevin's Desktop
-- Download the attached file CFScript.txt to c:\documents and settings\Kevin's Desktop as well

-- Click START > RUN > type "C:\documents and settings\Kevin's Desktop\combofix.exe" "C:\documents and settings\Kevin's Desktop\CFScript.txt" and hit ENTER.

-- Let Combofix run as before and post me that log.


THEN:
-- Please download Look.bat to where you can find it.
Run Look.bat. A command box will pop up - no worries. Let it run and a log should pop up. Please post that for me, along with the new combofix log, and we'll have a go at this explorer.exe problem.

Cheers :)
PP

0
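The Look.bat output posted next dumps the Winlogon key, whose Shell and Userinit values decide what Windows starts at logon and whether a crashed shell is restarted. As an added example (not Look.bat or any of the helper's tools), here is a Python checker that parses a REGEDIT4-style export of that key, decodes hex(2) values, and flags deviations from the defaults; the sample export, the tampered variant and the EXTRA-PLACEHOLDER name are constructed for illustration, modelled on the dump in this thread, and the Windows directory is assumed to be C:\WINDOWS.

```python
import re

# Constructed sample export in REGEDIT4 format, modelled on the Winlogon key
# in the Look.bat output posted in this thread (most values omitted; one
# hex(2) REG_EXPAND_SZ value kept to exercise the decoder).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"Shell"="Explorer.exe"
'''

# Constructed tampered variant: a hypothetical, placeholder-named program is
# appended to Userinit, so it would be started at every logon. This is the
# kind of deviation the checker below is meant to surface.
TAMPERED_REG = SAMPLE_REG.replace(
    'userinit.exe,"',
    'userinit.exe,C:\\\\WINDOWS\\\\system32\\\\EXTRA-PLACEHOLDER.exe"')

WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# A value line is either @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg string escapes: \\ -> \ and \" -> "
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'^hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if m.group(1) == '2':          # REG_EXPAND_SZ is stored as UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data                    # other binary types are left as bytes
    return raw


def parse_reg(text):
    """Parse a REGEDIT4-style export into {key_path: {value_name: value}}."""
    # A value ending in ',\' continues on the next (indented) line.
    text = re.sub(r',\\\r?\n[ \t]*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith('REGEDIT') or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else m.group(2)
            keys[current][name] = decode_value(m.group(3).strip())
    return keys


def audit_winlogon(keys, windir=r'C:\WINDOWS'):
    """Return human-readable findings for the Winlogon key; [] means defaults."""
    findings = []
    values = keys.get(WINLOGON_KEY, {})
    shell = str(values.get('Shell', ''))
    # The default shell is the bare name "Explorer.exe"; a path elsewhere or
    # extra comma-separated entries means something else runs as the shell.
    if shell.strip().lower() != 'explorer.exe':
        findings.append(f'Shell is {shell!r}, expected "Explorer.exe"')
    userinit = str(values.get('Userinit', ''))
    entries = [e.strip() for e in userinit.split(',') if e.strip()]
    expected = (windir + r'\system32\userinit.exe').lower()
    if not entries or entries[0].lower() != expected:
        findings.append(f'Userinit does not start with {expected}: {userinit!r}')
    if len(entries) > 1:
        findings.append(f'Userinit runs extra programs at logon: {entries[1:]}')
    # With AutoRestartShell=1 Winlogon relaunches the shell when it dies, which
    # is why a crashing explorer.exe keeps reappearing and vanishing.
    if values.get('AutoRestartShell') != 1:
        findings.append('AutoRestartShell is not 1; a crashed shell will not be restarted')
    return findings


def audit_reg_text(text, windir=r'C:\WINDOWS'):
    """Convenience wrapper: parse an export and audit its Winlogon key."""
    return audit_winlogon(parse_reg(text), windir)


if __name__ == '__main__':
    for label, text in (('sample', SAMPLE_REG), ('tampered', TAMPERED_REG)):
        print(label, audit_reg_text(text) or 'OK')
```

On a live XP box the input would be the text produced by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, read from the file.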

look.bat

Microsoft Windows XP [Version 5.1.2600]
Thu 11/12/2009 
06:29 PM


C:\WINDOWS\explorer.exe BUILTIN\Users:R 
                        BUILTIN\Administrators:F 
                        NT AUTHORITY\SYSTEM:F 


 Volume in drive C has no label.
 Volume Serial Number is 2035-74A0

 Directory of C:\WINDOWS

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE

06/13/2007  06:26 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\$NtUninstallKB938828$

08/04/2004  05:00 AM         1,032,192 explorer.exe
               1 File(s)      1,032,192 bytes

 Directory of C:\WINDOWS\ERDNT\cache

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008  07:12 PM         1,033,728 explorer.exe
               1 File(s)      1,033,728 bytes

 Directory of C:\WINDOWS\system32\dllcache

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

     Total Files Listed:
               6 File(s)      6,198,784 bytes
               0 Dir(s)   5,709,918,208 bytes free


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="COMPUTER"
"DefaultUserName"="Kevin's Desktop"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Kevin's Desktop"
"AltDefaultDomainName"="COMPUTER"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
  74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
  00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
  6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
"Asynchronous"=dword:00000000
@=""
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\klogon.dll"
"Logon"="WLEventStop"
"Startup"="WLEventStart"
"Lock"="WLEventStart"
"Unlock"="WLEventStop"
"Logoff"="WLEventStart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
  00,00,ca,24,97,3d,00,10,64,41,82,00,bf,e7,b6,7d,bb,1f,04,00,00,00,04,00,00,\
  00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,05,9d,aa,a5,e0,dd,50,25,\
  4c,45,c9,ab,97,c7,8f,81,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,80,\
  80,a8,07,e5,19,c4,3b,9b,15,dc,07,73,e8,84,fd,b0,01,00,00,a2,21,53,ed,55,b1,\
  5f,98,c5,a9,40,5b,27,d3,35,0e,2e,e8,f2,95,12,10,7d,19,76,6b,16,7c,9e,34,c9,\
  3f,0f,63,c1,9f,02,da,7a,9a,e7,30,ca,db,09,ca,9a,64,30,14,c5,0a,1f,01,46,a9,\
  00,50,1a,60,88,03,50,32,e8,68,dd,74,ab,b1,4f,1a,f2,93,a8,6b,72,99,f2,dc,7d,\
  2c,52,ca,51,bb,4a,96,a5,6d,f8,47,55,c5,f8,64,3d,de,85,84,5d,b1,85,37,70,12,\
  54,0d,9b,48,5f,87,d9,02,5c,f5,79,d1,ca,99,44,19,95,33,ec,26,78,d5,19,ce,57,\
  99,fc,88,78,fd,3d,fe,d4,6a,1a,4b,1e,d1,64,49,ad,22,2b,47,3a,ab,f3,dc,82,1a,\
  e4,24,4b,8a,56,ab,03,c8,20,fa,41,31,96,a9,60,c0,e9,c0,5d,b8,33,26,40,75,9e,\
  fa,47,04,98,12,92,54,ba,c9,0d,69,61,60,f9,f5,ac,25,cb,a5,ee,52,1e,ba,c3,2f,\
  16,78,e3,76,7a,ad,cd,44,20,af,37,f9,a1,dd,60,ca,0d,71,4f,63,ec,3a,7f,60,9f,\
  eb,97,61,5c,16,e1,a7,12,e8,50,71,f8,59,6e,e9,8a,e4,96,ff,71,4c,a1,c1,78,2a,\
  8f,87,4d,7f,1d,d5,a0,12,d3,33,09,78,b2,53,79,9f,25,dc,78,b5,10,35,f5,ba,28,\
  8c,50,79,cf,5e,18,1e,a5,14,b2,67,29,44,78,61,27,c0,c3,54,ea,50,c4,51,fa,21,\
  96,e8,48,35,73,b8,b9,37,68,86,6e,87,ee,3b,34,f6,31,1c,cb,4c,fb,90,5b,a2,97,\
  2a,49,65,ab,a3,5e,34,72,c7,28,69,77,ea,5b,d7,60,ac,cb,dd,3d,b3,62,f2,1b,bd,\
  ee,62,fa,b3,04,8c,5d,4a,72,eb,d0,26,13,fa,c3,16,a7,cf,55,16,a0,ae,dd,0f,15,\
  9f,b7,96,5f,9c,15,ec,84,78,be,81,60,4f,11,7f,74,c0,63,94,6e,23,10,72,18,6f,\
  87,56,08,40,78,94,f3,39,fb,13,c9,05,b9,39,35,dc,4c,53,64,27,72,d5,eb,06,16,\
  ba,14,00,00,00,42,3e,2b,25,cc,2a,50,87,bf,82,9f,33,a3,e0,4c,4e,2c,73,84,d2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

ComboFix

ComboFix 09-11-13.04 - Kevin's Desktop 11/12/2009 18:02.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1278.926 [GMT -5:00]
Running from: c:\documents and settings\Kevin's Desktop\Desktop\Combofix.exe
Command switches used :: c:\documents and settings\Kevin's Desktop\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\bogerijo.dll"
"c:\windows\system32\drivers\pavboot.sys"
"c:\windows\system32\vutofudi.dll"
"c:\windows\test.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bogerijo.dll
c:\windows\system32\drivers\pavboot.sys
c:\windows\system32\vutofudi.dll
c:\windows\test.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PAVBOOT
-------\Service_pavboot


(((((((((((((((((((((((((   Files Created from 2009-10-12 to 2009-11-12  )))))))))))))))))))))))))))))))
.

2009-11-12 04:23 . 2009-11-12 04:23 737280  ----a-w-    c:\windows\iun6002.exe
2009-11-12 04:23 . 2009-11-12 04:23 --------    d-----w-    c:\program files\West Point Bridge Designer 2007
2009-11-11 22:22 . 2009-11-11 22:19 77312   ----a-w-    C:\mbr.exe
2009-11-10 03:53 . 2009-11-10 03:53 932368  ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 678416  ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-11-10 03:53 . 2009-11-10 03:53 604688  ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-11-10 03:53 . 2009-11-10 03:53 1096208 ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 522768  ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-11-10 03:43 . 2009-11-10 03:43 95259   ----a-w-    c:\windows\system32\drivers\klick.dat
2009-11-10 03:43 . 2009-11-10 03:43 108059  ----a-w-    c:\windows\system32\drivers\klin.dat
2009-11-10 03:41 . 2009-11-10 21:49 --------    d-----w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-10 03:41 . 2009-11-10 03:41 --------    d-----w-    c:\program files\Kaspersky Lab
2009-11-10 03:23 . 2009-11-10 03:23 --------    d-----w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-09 23:53 . 2009-11-09 23:53 --------    d-----w-    c:\program files\Uniblue
2009-11-09 23:16 . 2009-11-09 23:16 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\Uniblue
2009-11-09 22:56 . 2009-10-19 21:24 281616  ----a-w-    c:\windows\sediag.exe
2009-11-08 01:17 . 2009-09-10 19:54 38224   ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 01:17 . 2009-11-08 16:49 --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-11-08 01:17 . 2009-09-10 19:53 19160   ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-10-31 21:04 . 2009-10-31 21:04 --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 02:17 . 2009-10-30 02:17 --------    d-----w-    c:\program files\LimeWire
2009-10-29 23:54 . 2009-10-29 23:54 --------    d-----w-    c:\program files\Common Files\TI Shared
2009-10-29 23:52 . 2003-05-21 22:58 253672  ----a-w-    c:\windows\system32\drivers\windrvr6.sys
2009-10-29 23:50 . 2009-10-29 23:50 --------    d-----w-    c:\program files\Vernier Software
2009-10-29 02:03 . 2009-10-29 02:03 --------    d-----w-    c:\program files\Audacity
2009-10-21 01:34 . 2009-10-21 01:34 219664  ----a-w-    c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992   ----a-w-    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-15 02:18 . 2009-10-15 02:18 36880   ----a-w-    c:\windows\system32\drivers\klbg.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 08:04 . 2007-02-09 01:59 --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 20:25 . 2009-11-10 20:25 0   ---ha-w-    c:\windows\system32\BIT2.tmp
2009-11-10 03:39 . 2009-03-12 21:36 --------    d-----w-    c:\program files\Colorizer
2009-11-10 03:27 . 2009-08-29 03:30 --------    d-----w-    c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 00:16 . 2008-02-05 02:24 --------    d-----w-    c:\program files\Red Kawa
2009-11-09 22:55 . 2006-09-29 15:18 --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee
2009-11-08 16:58 . 2009-10-10 19:18 --------    d-----w-    c:\program files\Steam
2009-11-08 03:33 . 2008-10-09 17:56 --------    d-----w-    c:\documents and settings\All Users\Application Data\Google Updater
2009-11-07 01:08 . 2006-10-08 03:54 74360   -c--a-w-    c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 02:42 . 2006-09-29 15:21 --------    d-----w-    c:\program files\Microsoft Works
2009-10-31 02:25 . 2008-11-08 18:51 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\LimeWire
2009-10-29 02:03 . 2009-03-04 20:48 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\Audacity
2009-10-20 22:06 . 2008-10-21 20:06 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\CameraWindowDC
2009-10-20 22:06 . 2008-10-21 20:11 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\ZoomBrowser EX
2009-10-11 02:36 . 2008-12-27 03:34 0   -c--a-w-    c:\windows\system32\drivers\lvuvc.hs
2009-10-11 02:36 . 2008-12-27 03:34 0   -c--a-w-    c:\windows\system32\drivers\logiflt.iad
2009-10-10 19:03 . 2008-09-13 15:54 --------    d-----w-    c:\program files\SystemRequirementsLab
2009-10-10 19:03 . 2009-10-10 19:03 138240  ----a-w-    c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240  ----a-w-    c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240  ----a-w-    c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240  ----a-w-    c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-10-10 19:03 . 2008-09-13 15:54 --------    d-----w-    c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab
2009-10-03 00:39 . 2009-10-03 00:39 19472   ----a-w-    c:\windows\system32\drivers\klmouflt.sys
2009-10-01 20:11 . 2008-07-01 16:12 38  ----a-w-    c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences.dat
2009-10-01 20:09 . 2009-09-02 20:42 45  ----a-w-    c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences2.dat
2009-09-30 21:19 . 2009-09-30 21:19 --------    d-----w-    c:\program files\Poladroid
2009-09-25 05:49 . 2004-08-10 17:51 668672  ------w-    c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-10 17:51 81920   ----a-w-    c:\windows\system32\ieencode.dll
2009-09-23 21:12 . 2006-09-29 15:18 --------    d-----w-    c:\program files\McAfee
2009-09-22 23:23 . 2006-10-17 00:50 12380   -c--a-w-    c:\documents and settings\Kevin's Desktop\Application Data\wklnhst.dat
2009-09-22 00:51 . 2008-11-19 22:34 --------    d-----w-    c:\program files\SwiftKit
2009-09-14 19:42 . 2009-09-14 19:42 32272   ----a-w-    c:\windows\system32\drivers\klim5.sys
2009-09-11 14:03 . 2004-08-10 17:51 136192  ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-10 00:01 . 2009-09-10 00:01 27675   ----a-w-    c:\windows\system32\drivers\klopp.dat
2009-09-04 20:45 . 2004-08-10 17:51 58880   ----a-w-    c:\windows\system32\msasn1.dll
2009-09-01 20:29 . 2009-09-01 20:29 128016  ----a-w-    c:\windows\system32\drivers\kl1.sys
2009-08-26 08:16 . 2004-08-10 17:51 247326  ----a-w-    c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w-    c:\windows\system32\FM20.DLL
2007-07-07 20:26 . 2007-07-07 20:26 22  -c--a-w-    c:\program files\New Compressed (zipped) Folder.zip
2008-01-19 16:10 . 2008-01-19 16:10 8   --sh--r-    c:\windows\system32\7A7C3F9537.sys
2008-09-25 21:05 . 2006-11-19 15:37 88  -csh--r-    c:\windows\system32\E2614D71A5.sys
2008-09-25 21:05 . 2006-11-19 15:37 3558    -csha-w-    c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-11-11_04.14.21   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-12 23:16 . 2009-11-12 23:16   16384              c:\windows\temp\Perflib_Perfdata_284.dat
+ 2009-05-11 23:57 . 2009-11-11 08:04   35088              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   35088              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   18704              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   18704              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   20240              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   20240              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-12 23:16 . 2008-07-26 13:25   109080              c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-11-11 04:13 . 2008-07-26 13:25   109080              c:\windows\Temp\logishrd\LVPrcInj01.dll
- 2009-05-11 23:57 . 2009-11-05 02:57   888080              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   888080              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   922384              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   922384              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   217864              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   217864              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   184080              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2009-05-11 23:57 . 2009-11-05 02:57   184080              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2004-08-10 17:51 . 2009-08-14 12:19   1850112              c:\windows\system32\win32k.sys
+ 2004-08-10 17:57 . 2009-11-11 08:20   2345496              c:\windows\system32\FNTCACHE.DAT
- 2004-08-10 17:57 . 2009-11-04 20:21   2345496              c:\windows\system32\FNTCACHE.DAT
+ 2007-03-08 13:47 . 2009-08-14 12:19   1850112              c:\windows\system32\dllcache\win32k.sys
+ 2009-08-18 17:58 . 2009-08-18 17:58   8301056              c:\windows\Installer\d08ef0.msp
+ 2009-08-18 17:57 . 2009-08-18 17:57   9122304              c:\windows\Installer\d08ede.msp
- 2009-05-11 23:57 . 2009-11-05 02:57   1172240              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-05-11 23:57 . 2009-11-11 08:04   1172240              c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-11-11 08:01 . 2009-11-05 14:36   26768832              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"UniblueRegistryBooster"="c:\program files\Uniblue\RegistryBooster 2010\launcher.exe" [2009-09-29 59184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe" [2009-11-08 1312080]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"c:\\Program Files\\BYOND\\bin\\byond.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamdaemon.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:Mopar
"8000:TCP"= 8000:TCP:Shoutcast
"1080:TCP"= 1080:TCP:Dream Seeker
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"88:TCP"= 88:TCP:Xbox1
"3074:TCP"= 3074:TCP:Xbox2

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/10/2007 5:03 PM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 6:17 PM 450400]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [8/4/2007 3:57 PM 19677]
S4 gupdate1c994aa5602f89a;Google Update Service (gupdate1c994aa5602f89a);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007Core.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007UA.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {CDD0115A-5FED-479B-B841-811C9B5803F3} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\Firefox\Profiles\v2jw9bm7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - 
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 18:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8A7B4708]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a7b4708
Warning: possible MBR rootkit infection !
user & kernel MBR OK 
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A8CA16A-C292-5E3E-9663-94F025F4EA6E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abkahkaadijlibbfgilalckliclgdpnmnp"=hex:61,61,00,00
"bbkahkaadijlibbfgiiaicbplhngehhepmfg"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\SecuROM\License information*]
"datasecu"=hex:cb,4a,48,8e,2c,73,8c,30,65,5e,ff,7e,b4,a7,cd,c2,d0,48,d7,37,b7,
   2d,19,53,f1,29,f8,57,7b,52,b9,53,d0,99,d3,f4,0c,48,eb,e2,77,03,dd,aa,08,05,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
.
**************************************************************************
.
Completion time: 2009-11-12 18:28 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-12 23:28

Pre-Run: 5,715,587,072 bytes free
Post-Run: 5,676,363,776 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 65D6E442399D8E6B120EC71393F96E51

Edited by Nick Evan: Fixed formatting

0

AllRightyThen . . . . Let's see if we can do this explorer.exe fix the easy way (might work) as opposed to the long and drawn out way (which will definitely work).

Please download this file and place it in your C:\ Drive

Then, please download these to the C:\ Drive as well:
File One
File Two
RunThis.bat

Please run RunThis.bat.
A log ought to pop up - please post it for me.
Reboot and see if the problem remains - If so, we'll fix it the long and drawn out way ;)

PP

Edited by PhilliePhan: The Usual . . .
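The RunThis.bat log posted next in the thread ends with an export of the Image File Execution Options (IFEO) tree; that tree matters to an explorer.exe-won't-start case because a `Debugger` value under an image's subkey makes Windows launch that program in place of the image. As an added example, not part of this thread or of RunThis.bat, here is a parser for that .reg export layout that flags `Debugger` values and subkeys on shell or logon binaries and treats the application-compatibility values seen in the dump (CheckAppHelp, ApplicationGoo, DisableHeapLookAside, GlobalFlag) as benign; the allow-list, the shell-binary list and the sample dump (its taskmgr.exe and explorer.exe entries, including the placeholder Debugger path, are made up) are assumptions of the example.

```python
"""Triage an Image File Execution Options (IFEO) export in .reg text form.

Added example, not from the thread or from RunThis.bat. It reads the layout the
thread's log shows: one bracketed key header per image, "name"=data lines, and
long hex values continued on backslash-terminated lines.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Values written by Windows app-compat / heap-debugging machinery. Constructed
# allow-list for this example, taken from the values in the thread's dump.
BENIGN_VALUES = {"CheckAppHelp", "ApplicationGoo", "DisableHeapLookAside", "GlobalFlag"}

# Shell, logon and recovery-tool binaries (assumed list): an IFEO subkey on these
# deserves a look even without a Debugger value, since redirecting them breaks
# the desktop or the way back to it.
SHELL_IMAGES = {"explorer.exe", "userinit.exe", "winlogon.exe", "taskmgr.exe"}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_ifeo(reg_text):
    """Return {image: {value_name: raw_data}} for every IFEO subkey in the dump."""
    entries = {}
    current = None   # image name of the subkey being read, or None
    pending = None   # (name, partial data) while a hex value spans lines
    for raw in reg_text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                pending = None
                entries[current][name] = data
            continue
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            if path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = path[len(IFEO_PREFIX) + 1:]
                entries.setdefault(current, {})
            else:
                current = None   # the IFEO root itself or an unrelated key
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, data = value.group("name"), value.group("data")
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                entries[current][name] = data
    return entries


def triage(entries):
    """Return [(image, verdict, reason)] sorted by image name."""
    findings = []
    for image, values in sorted(entries.items(), key=lambda kv: kv[0].lower()):
        unknown = set(values) - BENIGN_VALUES
        if "Debugger" in values:
            reason = "Debugger=%s is launched instead of %s" % (values["Debugger"], image)
            findings.append((image, "SUSPICIOUS", reason))
        elif image.lower() in SHELL_IMAGES:
            findings.append((image, "REVIEW", "IFEO subkey on a shell/logon binary"))
        elif unknown:
            findings.append((image, "REVIEW", "unrecognised values: " + ", ".join(sorted(unknown))))
        else:
            findings.append((image, "BENIGN", "application-compatibility values only"))
    return findings


# Constructed sample dump: apitrap.dll and cqw32.exe mirror (shortened) entries
# from the thread's log; taskmgr.exe and explorer.exe are made up, the latter
# with a placeholder Debugger path.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,90,04,34,00,00,00,56,\
  00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
  46,00,4f,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\PLACEHOLDER\\not-a-real-path.exe"
'''

if __name__ == "__main__":
    for image, verdict, reason in triage(parse_ifeo(SAMPLE_REG)):
        print("%-10s %-14s %s" % (verdict, image, reason))
```

Pointing the parser at a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` writes UTF-16, so open it with that encoding) gives the same three tiers for a live machine.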

0

Microsoft Windows XP [Version 5.1.2600]
Fri 11/13/2009
05:12 PM

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\WINDOWS\explorer.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
COMPUTER\Users
Allowed Read and Execute This Folder/File Only (Inherited)
COMPUTER\Administrators
Allowed Full Control This Folder/File Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)

No Auditing set

Owner: Administrators (COMPUTER\Administrators)

File: "C:\WINDOWS\explorer.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
*******************************************************************************
File: C:\WINDOWS\explorer.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control This Folder/File Only
COMPUTER\Users
Allowed Read and Execute This Folder/File Only (Inherited)
COMPUTER\Administrators
Allowed Full Control This Folder/File Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)

No Auditing set

Owner: Administrators (COMPUTER\Administrators)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE]
"GlobalFlag"="0x00200000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE]
"GlobalFlag"="0x00200000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"
"GlobalFlag"="0x000010F0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE]

0

Did you reboot and see if back to normal?

No joy?

Let me know - I put together a little tool that will automate the "long and drawn out" process that constitutes Plan B....

PP:)

0

No joy. :[
I wonder what could possibly be wrong.

It is probably infected - Hopefully none of the other copies on your machine are infected as well....

I've automated the process:

-- Please download PhilliePhix to your Desktop.
-- Double-click on it to run it. Follow the prompt and post the log for me.

Reboot

-- You should now have your desktop, etc... back, but you need to run PhilliePhix again to restore the normal settings. Post me the 2nd log and Reboot again.


Then let me know how things are running.
If this doesn't work, we'll need to get you an uninfected copy of Explorer.exe.....

Cheers :)
PP

Edited by PhilliePhan: n/a

0

Copying Explorer.exe From ServicePackFiles\i386 To C:
The system cannot find the path specified.
Renaming C:\Explorer.exe to Phillies.exe
Changing Winlogon Shell Value To Phillies.exe

The operation completed successfully
Copying C:\Phillies.exe to C:\WINDOWS
The system cannot find the file specified.
Deleting C:\Phillies.exe


No such luck.

0

No such luck.

My fault - sorry. :$

I changed the link about 5 minutes after I posted it. You must've gotten the first one....

I wrote it to copy from ServicePackFiles\i386\explorer.exe . . . which I then checked and saw that you don't have on your machine. So I rewrote it and reposted it.

Please download PhilliePhix.bat again and run it as before and post the logs.

If it doesn't work, we'll need an uninfected copy of Explorer.exe. Do you have a Windows disk?

PP :)

0

Again no such luck. This seems to hate me. I do not have the Windows disk from this machine; however, I believe I have one from a different CPU.

0

Again no such luck. This seems to hate me.

I'd need to see the accompanying logs....

Let's try a different way.

Please download Phillies.exe to your C:\ drive

Let me know when you've done this and we'll go from there.

PP:)

0

Lost the first log; the last two logs are identical and are:

Deleting Old C:\WINDOWS\Explorer.exe
Changing Winlogon Shell Value Back To Explorer.exe

The operation completed successfully
Copying Explorer.exe From C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e To C:\WINDOWS
1 file(s) copied.
Done!

0

Lost the first log, the last two logs are identical and are . . ..

LOL! - It might be faster to do this manually step by step....

Anyhoo, download the previously linked Phillies.exe to C:\Phillies.exe

Download ReplaceIt.bat to the desktop.
Run ReplaceIt.bat once and post me the log.

Then, Reboot and see if that works.

PP :)

0

Changing Winlogon Shell Value To Phillies.exe

The operation completed successfully
Copying C:\Phillies.exe to C:\WINDOWS
1 file(s) copied.


Rebooting

-------

Again nope lol, this is hopeless.

Edited by FirstTimeUser: Update

0

Microsoft Windows XP [Version 5.1.2600]
Sun 11/15/2009
08:43 PM

C:\WINDOWS\explorer.exe BUILTIN\Users:R 
                        BUILTIN\Administrators:F 
                        NT AUTHORITY\SYSTEM:F 


 Volume in drive C has no label.
 Volume Serial Number is 2035-74A0

 Directory of C:\WINDOWS

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE

06/13/2007  06:26 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\$NtUninstallKB938828$

08/04/2004  05:00 AM         1,032,192 explorer.exe
               1 File(s)      1,032,192 bytes

 Directory of C:\WINDOWS\ERDNT\cache

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008  07:12 PM         1,033,728 explorer.exe
               1 File(s)      1,033,728 bytes

 Directory of C:\WINDOWS\system32\dllcache

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

     Total Files Listed:
               6 File(s)      6,198,784 bytes
               0 Dir(s)   5,911,330,816 bytes free


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="COMPUTER"
"DefaultUserName"="Kevin's Desktop"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Kevin's Desktop"
"AltDefaultDomainName"="COMPUTER"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
  74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
  00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
  6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
"Asynchronous"=dword:00000000
@=""
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\klogon.dll"
"Logon"="WLEventStop"
"Startup"="WLEventStart"
"Lock"="WLEventStart"
"Unlock"="WLEventStop"
"Logoff"="WLEventStart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

Edited by Reverend Jim: Fixed formatting

0

Changing Winlogon Shell Value To Phillies.exe

The operation completed successfully
Copying C:\Phillies.exe to C:\WINDOWS
1 file(s) copied.


Rebooting

-------

Again nope lol, this is hopeless.

See - this is odd:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
......................................
"Shell"="Explorer.exe"

Unless you ran replaceIt.bat TWICE, that should be Shell=Phillies.exe

-- Are you comfortable with Regedit & editing the registry?

PP :)
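A defender-side triage script for the checks this thread does by hand (the Winlogon Shell and Userinit values, and the size, hash and signature of every explorer.exe copy in the locations the dir listing shows), added here as an example and not part of PhilliePhan's tools or the original posts. It assumes Windows PowerShell 5.1 or later; the backup folder names are the stock XP ones from the listing and are skipped when absent.

```powershell
# Added triage example for this thread (not PhilliePhan's tools, not from the original posts).
# Assumes Windows PowerShell 5.1+ (Get-FileHash). Backup folders are the stock XP
# locations seen in the dir listing above; any that do not exist are skipped.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonShellState {
    # Shell and Userinit are the two Winlogon values a shell hijack normally edits;
    # on a clean box Shell is "Explorer.exe" and Userinit points at system32\userinit.exe.
    $wl = Get-ItemProperty -Path $WinlogonKey
    [pscustomobject]@{
        Shell             = $wl.Shell
        Userinit          = $wl.Userinit
        ShellIsDefault    = ($wl.Shell -eq 'Explorer.exe')
        UserinitIsDefault = ($wl.Userinit -match '^[A-Za-z]:\\[^,]*\\system32\\userinit\.exe,?$')
    }
}

function Get-ExplorerCopies {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $f   = Get-Item -LiteralPath $p -Force
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            Size      = $f.Length
            Modified  = $f.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            # Catalog-signed system files report NotSigned on pre-Windows 8 hosts,
            # so the hash comparison below is the primary check on an XP machine.
            Signature = $sig.Status
        }
    }
}

function Find-ExplorerMismatch {
    # The live explorer.exe should be byte-identical to at least one cached/backup copy.
    param([object[]]$Copies, [string]$LivePath)
    $live = $Copies | Where-Object { $_.Path -eq $LivePath }
    if (-not $live) { return 'live explorer.exe is missing' }
    $match = $Copies | Where-Object { $_.Path -ne $LivePath -and $_.SHA256 -eq $live.SHA256 }
    if ($match) { return "live copy matches: $($match.Path -join ', ')" }
    return 'live copy matches no cached/backup copy; replace it from a known-good source'
}

$win = $env:SystemRoot
$candidates = @(
    (Join-Path $win 'explorer.exe'),
    (Join-Path $win 'system32\dllcache\explorer.exe'),
    (Join-Path $win 'ServicePackFiles\i386\explorer.exe'),
    (Join-Path $win 'ERDNT\cache\explorer.exe')
)
# $hf_mig$ and $NtUninstallKB...$ hold hotfix copies (the listing above showed KB938828);
# SoftwareDistribution\Download holds the Windows Update download the batch file used.
$hotfixDirs = Get-ChildItem -Path $win -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq '$hf_mig$' -or $_.Name -like '$NtUninstall*$' }
$searchRoots = @($hotfixDirs | ForEach-Object { $_.FullName }) + (Join-Path $win 'SoftwareDistribution\Download')
foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $candidates += Get-ChildItem -LiteralPath $root -Recurse -Force -Filter explorer.exe -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
}
$candidates = @($candidates | Where-Object { $_ })   # drop nulls from empty searches

$copies = Get-ExplorerCopies -Paths $candidates
$copies | Format-Table Path, Size, Modified, Signature, SHA256 -AutoSize
Get-WinlogonShellState | Format-List
Find-ExplorerMismatch -Copies $copies -LivePath (Join-Path $win 'explorer.exe')
```

Differing sizes between the live copy and the dllcache/hotfix copies are expected across service-pack levels, which is why the script groups by hash rather than by size alone.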
