Author Topic: Win2000 Registry - Does anyone recognize this???  (Read 34944 times)


clulessuser

Win2000 Registry - Does anyone recognize this???
« on: June 19, 2007, 05:37:52 AM »
I've had this key popping up in my registry now for some time.  I have no idea what it is, or whether it might be some artifact of a registry bug...  ???

It looks like no 'language' I've ever seen.  Here is a sample:

Quote
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
"HRZR_PGYFRFFVBA"=hex:5b,8b,3d,0e,08,00,00,00
"HRZR_PGYPHNPbhag:pgbe"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_HVGBBYONE"=hex:08,00,00,00,5e,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k4,702r"=hex:01,00,00,00,07,00,00,00,e0,62,ae,15,ea,a9,c7,01
"HRZR_HVGBBYONE:0k1,133"=hex:07,00,00,00,0f,00,00,00,70,fb,ea,bd,95,af,c7,01
"HRZR_HVGBBYONE:0k1,130"=hex:05,00,00,00,0f,00,00,00,a0,b6,d9,31,8a,ae,c7,01
"HRZR_HVGBBYONE:0k1,120"=hex:07,00,00,00,0e,00,00,00,30,e3,46,65,6b,b1,c7,01
"HRZR_HVGBBYONE:0k1,7011"=hex:08,00,00,00,1d,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k4,7011"=hex:08,00,00,00,1d,00,00,00,c0,06,c1,89,13,b2,c7,01
"HRZR_HVGBBYONE:0k1,123"=hex:07,00,00,00,09,00,00,00,e0,ea,0c,74,95,af,c7,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}]
"Version"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_PGYFRFFVBA"=hex:74,8b,3d,0e,08,00,00,00
"HRZR_PGYPHNPbhag:pgbe"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU"=hex:08,00,00,00,2e,01,00,00,60,68,a3,e6,13,b2,c7,01
"HRZR_EHACNGU:P:\\JVAAG\\flfgrz32\\EHAQYY32.RKR"=hex:08,00,00,00,1c,00,00,00,\
  40,33,da,b5,12,b2,c7,01
"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Wnin\\wer1.6.0_01\\ova\\whfpurq.rkr"=hex:01,\
  00,00,00,07,00,00,00,c0,90,a0,c8,9a,aa,c7,01
"HRZR_EHACNGU:Q:\\NYJVYF~1\\Ninfg4\\nfuQvfc.rkr"=hex:08,00,00,00,16,00,00,00,\
  20,f0,69,b6,12,b2,c7,01
"HRZR_EHACNGU:Q:\\Ncf\\Erzvaq!\\erzvaq.rkr"=hex:08,00,00,00,16,00,00,00,40,33,\
  4b,b8,12,b2,c7,01
"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Pbzzba Svyrf\\VFCPBZC\\VafgnyyFreivpr.rkr"=hex:08,\
  00,00,00,15,00,00,00,50,95,50,b9,12,b2,c7,01
"HRZR_EHACNGU:Q:\\Ncf\\SnkGnyx\\ABU\\SGAbuZTE.rkr"=hex:08,00,00,00,16,00,00,00,\
  30,2c,0a,bb,12,b2,c7,01
"HRZR_EHACNGU:Q:\\Ncf\\ZF Bssvpr\\Bssvpr\\ZFBSSVPR.RKR"=hex:08,00,00,00,17,00,\
  00,00,30,67,0f,bc,12,b2,c7,01
"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Vagrearg Rkcybere\\Pbaarpgvba Jvmneq\\vpjpbaa1.rkr"=hex:00,\
  00,00,00,06,00,00,00,e0,a2,c3,f3,e8,a9,c7,01
"HRZR_EHAPCY"=hex:05,00,00,00,0b,00,00,00,d0,ac,26,c4,89,ae,c7,01
"HRZR_EHAPCY:FLFQZ.PCY"=hex:05,00,00,00,06,00,00,00,d0,ac,26,c4,89,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Fgneghc"=hex:05,00,00,00,08,00,00,00,90,81,f0,cb,28,ae,\
  c7,01
"HRZR_EHACVQY:%pfvqy2%\\Frphevgl"=hex:07,00,00,00,06,00,00,00,e0,9a,76,4d,5a,\
  b1,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Pbzzhavpngvbaf"=hex:02,00,00,00,06,00,00,00,80,c1,f3,\
  26,3d,ac,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf"=hex:05,00,00,00,06,00,00,00,00,9f,bb,9f,\
  92,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Vagrearg Rkcybere.yax"=hex:00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00
"HRZR_EHACNGU:P:\\JVAAG\\Flfgrz32\\argcyjvm.qyy"=hex:00,00,00,00,06,00,00,00,\
  d0,76,10,4c,e9,a9,c7,01
"HRZR_EHAPCY:\"P:\\JVAAG\\flfgrz32\\nccjvm.pcy\",Nqq/Erzbir Cebtenzf"=hex:00,\
  00,00,00,06,00,00,00,50,33,78,61,e9,a9,c7,01
"HRZR_EHAPCY:\"P:\\JVAAG\\flfgrz32\\GJRNXHV.PCY\",Gjrnx HV"=hex:00,00,00,00,06,\
  00,00,00,b0,57,86,79,e9,a9,c7,01
"HRZR_HVFPHG"=hex:08,00,00,00,12,00,00,00,30,7a,41,61,b0,b1,c7,01
"HRZR_EHACNGU:Q:\\Nyjvy Fbsgjner\\Ninfg4\\nfuNinfg.rkr"=hex:08,00,00,00,06,00,\
  00,00,60,4a,67,7c,a6,b1,c7,01
"HRZR_EHACNGU:P:\\JVAAG\\flfgrz32\\furyy32.qyy"=hex:04,00,00,00,07,00,00,00,90,\
  5e,26,55,f1,ad,c7,01
"HRZR_EHACNGU:P:\\JVAAG\\flfgrz32\\abgrcnq.rkr"=hex:08,00,00,00,39,00,00,00,60,\
  68,a3,e6,13,b2,c7,01
"HRZR_EHACNGU:Q:\\Ncf\\Sversbk\\Zbmvyyn Sversbk\\sversbk.rkr"=hex:07,00,00,00,\
  15,00,00,00,50,ff,3f,f5,5f,b1,c7,01
"HRZR_HVDPHG"=hex:08,00,00,00,3b,00,00,00,e0,c2,4d,c2,12,b2,c7,01
"HRZR_EHACNGU:Q:\\Ncf\\Guhaqreoveq\\guhaqreoveq.rkr"=hex:07,00,00,00,18,00,00,\
  00,b0,c8,e1,54,58,b1,c7,01
"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Argfpncr Vagrearg Freivpr\\AFPyvrag.rkr"=hex:08,\
  00,00,00,19,00,00,00,f0,09,44,7c,b1,b1,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf"=hex:01,00,00,00,02,00,\
  00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Fgneghc\\Zvpebfbsg Bssvpr Fubegphg One.yax"=hex:05,00,\
  00,00,08,00,00,00,90,81,f0,cb,28,ae,c7,01
"HRZR_EHACNGU:Q:\\Hgvyf\\xrcnff\\XrrCnff.rkr"=hex:05,00,00,00,08,00,00,00,40,\
  7e,da,e8,92,ae,c7,01
"HRZR_EHACNGU:P:\\JVAAG\\rkcybere.rkr"=hex:08,00,00,00,1a,00,00,00,40,30,cb,c2,\
  12,b2,c7,01
"HRZR_EHACNGU:P:\\JVAAG\\Flfgrz32\\pnyp.rkr"=hex:01,00,00,00,06,00,00,00,60,23,\
  98,34,a5,aa,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Pbzzhavpngvbaf\\SnkGnyx ZBU.yax"=hex:02,00,00,00,06,00,\
  00,00,80,c1,f3,26,3d,ac,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax"=hex:05,00,00,00,06,00,00,00,\
  20,0b,b7,9f,92,ae,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf\\Fpurqhyrq Gnfxf.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf\\Trggvat Fgnegrq.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf\\Qvfx Pyrnahc.yax"=hex:01,00,\
  00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Flfgrz Vasbezngvba.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Fpurqhyrq Gnfxf.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Trggvat Fgnegrq.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Qvfx Qrsentzragre.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Qvfx Pyrnahc.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Punenpgre Znc.yax"=hex:01,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy2%\\Hgvyvgvrf & Gbbyf\\Flfgrz Gbbyf\\Onpxhc.yax"=hex:01,00,\
  00,00,02,00,00,00,00,00,00,00,00,00,00,00
"HRZR_EHACNGU:Q:\\NCF\\SVERSBK\\ZBMVYY~1\\SVERSBK.RKR"=hex:01,00,00,00,06,00,\
  00,00,70,24,df,b0,a8,aa,c7,01
"HRZR_EHACVQY:%pfvqy2%\\Pbzzhavpngvbaf\\ZF Snk\\Fraq Pbire Cntr Snk.yax"=hex:02,\
  00,00,00,02,00,00,00,00,00,00,00,00,00,00,00

This is just a snippet.  They can become quite long.  I've taken to exporting this 'user assist' key and then deleting it.  It keeps popping back up, so something is 'creating' it as it goes.

Does it look familiar to the panel of experts here? ???

Offline essexboy

Re: Win2000 Registry - Does anyone recognize this???
« Reply #1 on: June 19, 2007, 10:53:16 PM »
What you are seeing is rot13-encoded text, e.g.

"HRZR_EHACVQY:%pfvqy2%\\Frphevgl"=hex:07,00,00,00,06,00,00,00,e0,9a,76,4d,5a,\
  b1,c7,01
is

"UEME_RUNPIDL:%csidl2%\\Security"=hex:07,00,00,00,06,00,00,00,e0,9a,76,4d,5a,\
  b1,c7,01
(only the value name is rot13-encoded; the hex data after the "=" is stored as-is)

A quote about its uses
Quote
"Rot13 is a simple Caesar-cypher encryption, that replaces each English letter with the one 13 places forward or back along the alphabet. The Rot13 cypher is used to obfuscate text in the Windows registry, to make captured data on your browsing habits and recent files less noticable."
So it is not some security encryption on your system. A rot13 decoder is available here:

http://www.tele-pro.co.uk/scripts/misc/rot13.htm

Offline Lisandro

Re: Win2000 Registry - Does anyone recognize this???
« Reply #2 on: June 19, 2007, 10:55:51 PM »
I've had this key popping up in my registry now for some time.
It keeps popping back up, so something is 'creating' it as it goes.
Can you post a screenshot? See http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

It's strange that a registry key is there. You seem to be protected this way: double-clicking (executing) the .reg file does not add it to the registry but opens the file for editing. So you're not messing up your registry yet.

Can you post a HijackThis Log?  It can be downloaded here: http://www.bleepingcomputer.com/files/hijackthis.php

clulessuser

Re: Win2000 Registry - Does anyone recognize this???
« Reply #3 on: June 21, 2007, 01:15:04 AM »
What it is is a rot13 encryption...
Yes, thank you.  That is what I found after researching the key - apparently the same question has been asked on a number of forums.  Do you know if it is in any way related to the 'Windows File Protection' service?  I have not found that information.

UPDATE:  Just found that it may be related to Explorer's Launchpad file folder:

http://seclists.org/pen-test/2000/Nov/

I've had this key popping up in my registry now for some time.
It keeps popping back up, so something is 'creating' it as it goes.
Can you post a screenshot? See http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

It's strange that a registry key is there.
Apologies - I used imprecise wording.  It is not literally 'popping up' as in a pop-up window or in the Avast scanner message - I simply meant it keeps re-appearing in my registry.  Not sure a screenshot would show anything better than the text of the actual reg key export file.

Can you post a HijackThis Log?  It can be downloaded here: http://www.bleepingcomputer.com/files/hijackthis.php
I downloaded it...  It may take me several years to move through the instructions on how to use it!  :o

Thank you for pointing to this.  I will read it and try to use it to create a log file.   Not sure, but think I've been 'hijacked' quite a bit recently. It does say one needs an 'expert' to interpret it, so - fair warning again - I may be back!  ::)

Thanks & best regards to you both!
« Last Edit: June 21, 2007, 01:19:00 AM by cluelessuser »

Offline Lisandro

Re: Win2000 Registry - Does anyone recognize this???
« Reply #4 on: June 21, 2007, 03:06:51 AM »
Apologies - I used imprecise wording.  It is not literally 'popping up' as in a pop-up window or in the Avast scanner message - I simply meant it keeps re-appearing in my registry.  Not sure a screenshot would show anything better than the text of the actual reg key export file.
How are you monitoring the registry? I mean, how did you find out that this registry key is rewritten each time?


It does say one needs an 'expert' to interpret it
But indeed, interpreting the log is not an easy task... Take care. Better to post the log here.

clulessuser

Re: Win2000 Registry - Does anyone recognize this???
« Reply #5 on: June 21, 2007, 04:51:29 PM »
How are you monitoring the registry, I mean, how did you find that, each time, this registry key is rewritten?
I found it initially by accident searching the registry for another key.  Then, I kept an eye on it.

But indeed interpret the log is not an easy task... Take care. Better post the log here.
Here is the log and start-up list.  But it is not complete.  There is one service not there that I am wondering about:  HID.DLL.  I do not recall seeing it before, but it is now running on start-up.  This morning, I set the service to 'manual start' and will see what happens.  But it was running when I did the initial HijackThis scan.

Another new event.  Kerio FW will now not recognize nor open ports for Netscape or Thunderbird.   TCPView sees them, however.  Outcome:  cannot connect to URLs with SPF Kerio FW running...  :(


Quote
Logfile of HijackThis v1.99.1
Scan saved at 9:50:35 AM, on 6/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
D:\Aps\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape Internet Service\NSClient.exe
C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
C:\Program Files\Netscape Internet Service\_NSWatchman.exe
D:\Utils\MS TCP View\Tcpview.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
D:\Aps\Thunderbird\thunderbird.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Devices\nohijackthist\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] d:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Remind!] D:\Aps\Remind!\remind.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [NetOnHold] .\FTNOHMgr.EXE /autoload
O4 - Global Startup: FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709
O17 - HKLM\System\CCS\Services\Tcpip\..\{75A803A6-D1C5-442C-A88B-F265B9CD0635}: NameServer = 205.188.146.145
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

clulessuser

Re: Win2000 Registry - Startup Rpt Part I
« Reply #6 on: June 21, 2007, 04:53:28 PM »
StartupList report, 6/20/2007, 11:12:04 PM
StartupList version: 1.52.2
Started from : C:\Devices\nohijackthist\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
d:\Alwil Software\Avast4\aswUpdSv.exe
d:\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
D:\utils\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
d:\Alwil Software\Avast4\ashWebSv.exe
d:\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
C:\WINNT\system32\stisvc.exe
C:\Devices\nohijackthist\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Shortcut to remind_backup.bat.lnk = D:\Aps\Remind!\backup\remind_backup.bat

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
avast! = d:\ALWILS~1\Avast4\ashDisp.exe
Remind! = D:\Aps\Remind!\remind.exe
Netscape = C:\Program Files\Common Files\ISPCOMP\InstallService.exe
NetOnHold = .\FTNOHMgr.EXE /autoload
NetscapeClient =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

clulessuser

Re: Win2000 Registry - Startup Rpt Part II
« Reply #7 on: June 21, 2007, 04:55:02 PM »
-------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\System32\setup\wmpocm.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE

[>{A9E8FC4B-FDB2-4F07-8FA5-973302667A77}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll

--------------------------------------------------

clulessuser

Re: Win2000 Registry - Startup Report Part III
« Reply #8 on: June 21, 2007, 04:57:47 PM »
--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\System32\setup\wmpocm.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE

[>{A9E8FC4B-FDB2-4F07-8FA5-973302667A77}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

clulessuser

  • Guest
Re: Win2000 Registry - Startup Report Part IV
« Reply #9 on: June 21, 2007, 04:59:44 PM »
Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\services.exe (autostart)
Application Management: %SystemRoot%\system32\services.exe (autostart)
avast! iAVS4 Control Service: "d:\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "d:\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "d:\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "d:\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Crystal WDM Audio Codec Driver: system32\drivers\cwbwdm.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (manual start)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Firewall Driver: \SystemRoot\system32\drivers\fwdrv.sys (system)
GlidePoint PS/2 Touchpad Filter: system32\DRIVERS\glideps2.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HID Input Service: %SystemRoot%\system32\hidserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
i

clulessuser

  • Guest
Re: Win2000 Registry - Startup Report Part V
« Reply #10 on: June 21, 2007, 05:00:24 PM »
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IntelC51: system32\DRIVERS\IntelC51.sys (manual start)
IntelC52: system32\DRIVERS\IntelC52.sys (manual start)
IntelC53: system32\DRIVERS\IntelC53.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Kerio HIPS Driver: \SystemRoot\system32\drivers\khips.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (manual start)
Workstation: %SystemRoot%\System32\services.exe (autostart)
LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
mohfilt: system32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (autostart)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCI Utility: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PCIUtil.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
S3Inc: System32\DRIVERS\s3mt3d.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (manual start)
RunAs Service: %SystemRoot%\system32\services.exe (manual start)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (disabled)
SNMP Service: %SystemRoot%\System32\snmp.exe (disabled)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sunbelt Personal Firewall 4: "C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (manual start)
TVICHW32: \??\C:\WINNT\system32\DRIVERS\TVICHW32.SYS (manual start)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
User Profile Hive Cleanup: D:\utils\UPHClean\uphclean.exe (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 27,684 bytes
Report generated in 0.381 seconds

Offline essexboy

Re: Win2000 Registry - Does anyone recognize this???
« Reply #11 on: June 21, 2007, 08:13:04 PM »
hidusb.sys is for the USB hub. Have you placed a new hub on your system or started using a USB device?

clulessuser

  • Guest
Re: Win2000 Registry - Does anyone recognize this???
« Reply #12 on: June 21, 2007, 08:33:20 PM »
Thank you, I just found the same information from another utility.

Yes, 3 months ago I installed a new Lexmark All-in-One device.  It was working fine, then the scanner stopped working.  Lexmark says ship the machine to them and they'll send a new one.  I think it is a driver problem.  This is one of many problems that have been arising lately.  The Lexmark set-up sets it up automatically as a 'server' printer, though it is only used as a local printer.  I've disabled the server service for the moment (a couple of days ago).  It prints just fine.  The scanner/copier stopped working about a month ago.

I am connected with only Avast's network & web shield at the moment (no firewall).  Sunbelt is looking at my FW problem.

BTW, I tried DavidR's Drop My Rights (took a while to find it, the link here is out of date), but it tells me that it cannot find an entrance through the ADVAVI32.dll.




ComputerVet

  • Guest
Re: Win2000 Registry - Does anyone recognize this???
« Reply #13 on: June 21, 2007, 08:44:22 PM »
Your Hijackthis log shows an O17 entry which typically indicates a domain hijack. The address appears to point to an AOL proxy server, but I don't see the typical signs of an AOL installation. If this entry doesn't point to your ISP I suggest you remove it.



clulessuser

  • Guest
Re: Win2000 Registry - Does anyone recognize this???
« Reply #14 on: June 21, 2007, 09:00:48 PM »
Your Hijackthis log shows an O17 entry which typically indicates a domain hijack. The address appears to point to an AOL proxy server, but I don't see the typical signs of an AOL installation. If this entry doesn't point to your ISP I suggest you remove it.
In terms of 'branding', my ISP is Netscape & the 'dialer' is Netscape.  In terms of proxies, servers, & DNS, it is really AOL - I just do not have the AOL bells & whistles.

AFAIK, the entry is as it should be.  Here is a 'diagnostics' report from my NS Web Accelerator:

Quote
System Information:
  Thu Jun 21 14:03:28 2007
  Microsoft Windows 2000 Professional Service Pack 4 (Build 2195)
  Disk space (C drive)
    Available space to user = 1069 MB
    Total space = 4024 MB
    Free space on drive = 1069 MB
  Memory Usage
    Load = 91%
    Total Physical = 127 MB
    Free Physical = 10 MB
Complete.

Internet Settings:
  IE Version = 1.2
  Active Connections
    Netscape
    Local Area Network
  All Connections
    Netscape
      Server = "http=127.0.0.1:5400"
      Bypass = "<local>;127.0.0.1:5400;update.microsoft.com;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;*mcafee.com;*.mapquest.com;*.phobos.apple.com;update.adobe.com;admin.isp.netscape.com"
    Local Area Network
      Server = "http=127.0.0.1:5400"
      Bypass = "<local>;127.0.0.1:5400;update.microsoft.com;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;*mcafee.com;*.mapquest.com;*.phobos.apple.com;update.adobe.com;admin.isp.netscape.com"
  Listening TCP Ports
    ANY:135
    ANY:445
    ANY:1025
    ANY:1029
    ANY:1034
    ANY:44334
    ANY:44501
    127.0.0.1:5400
    127.0.0.1:12080
    127.0.0.1:12110
    127.0.0.1:12143
    172.147.109.113:139
Complete.

Registry Information:
  Local Machine - SlipStream (Installation)
    InstallerVer = "1.0"
  Current User - SlipStream
    RSH = "webaccelerator.isp.netscape.com"
    RSIP = "205.188.146.146"
    PEL = "update.microsoft.com"
  Popup Blocker
    Unregistered
  Internet Settings
    Default browser
      C:\Program Files\Internet Explorer\iexplore.exe
      6.00.2800.1106
    User Agent = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
    Proxy Enable = 1
    Proxy Server = "http=127.0.0.1:5400"
    Enable Http 1.1 = 1
    Proxy Http 1.1 = 0
    Max Connections 1.0 = 16
  Network Settings
Complete.

LSP Information:
  Could not start process
Complete.

Branding Information:
  $COMPANY$ = "Netscape"
  $APP$ = "Netscape Web Accelerator"
  $APPSHORT$ = "Netscape Web Accelerator"
  $SERVICE$ = "Netscape Internet Service"
  $EMAIL$ = "Netscape Email Accelerator"
  $LOGIN$ = "Enter your Netscape screenname/password."
  $ISP$ = "ISP"
  $CUSTSERV$ = "Netscape Member Services"
Complete.

Process Information:
  Memory Information
    Page Fault Count = 2142
    Total Usage = 2392 KB
    Peak Usage = 5756 KB
  Modules
    ntdll.dll          5.00.2195.7006
    comctl32.dll       5.81
    gdi32.dll          5.00.2195.7133
    kernel32.dll       5.00.2195.7099
    user32.dll         5.00.2195.7133
    advapi32.dll       5.00.2195.7038
    rpcrt4.dll         5.00.2195.7085
    wininet.dll        6.00.2800.1593
    msvcrt.dll         6.10.9844.0
    shlwapi.dll        6.00.2800.1907 (xpsp2.070219-1040)
    crypt32.dll        5.131.2195.6926
    msasn1.dll         5.00.2195.6905
    oleaut32.dll       2.40.4522
    ole32.dll          5.00.2195.7059
    rasapi32.dll       5.00.2195.6920
    rasman.dll         5.00.2195.6824
    ws2_32.dll         5.00.2195.6601
    ws2help.dll        5.00.2134.1
    tapi32.dll         5.00.2195.6664
    shell32.dll        5.00.3900.7105
    iphlpapi.dll       5.00.2195.7097
    icmp.dll           5.00.2134.1
    mprapi.dll         5.00.2181.1
    samlib.dll         5.00.2195.6944
    netapi32.dll       5.00.2195.7108
    secur32.dll        5.00.2195.6695
    ntdsapi.dll        5.00.2195.6666
    dnsapi.dll         5.00.2195.7100
    wsock32.dll        5.00.2195.6603
    wldap32.dll        5.00.2195.7017
    netrap.dll         5.00.2134.1
    activeds.dll       5.00.2195.6601
    adsldpc.dll        5.00.2195.6993
    rtutils.dll        5.00.2168.1
    setupapi.dll       5.00.2195.6622
    userenv.dll        5.00.2195.7002
    dhcpcsvc.dll       5.00.2195.7085
    version.dll        5.00.2195.6623
    lz32.dll           5.00.2195.6611
    psapi.dll          4.00
    imagehlp.dll       5.00.2195.6613
    sensapi.dll        5.00.2195.6627
    clbcatq.dll        2000.2.3529.0
    sdicore.dll        3.2.12
    msafd.dll          5.00.2195.6602
    wshtcpip.dll       5.00.2195.6601
    rsabase.dll        5.00.2195.6619
Complete.

Diagnostic Tests:
  Test 1 - DNS Test
    Resolved: www.cnn.com
    Resolved: www.yahoo.com
    Resolved: www.google.com
    Resolved: webaccelerator.isp.netscape.com
  Test 2 - Server Proxy Test
    Connected to server
  Test 3 - Direct Connect
    Connected directly
    Direct connection speed = 91.74 Kbps
  Test 4 - Proxy Connect
    Connected to accelerated client proxy
    Accelerated connection speed = 206.76 Kbps
  Test 5 - Features Enabled
    Acceleration: High
    Image Quality: Very Good
    Email: Disabled
    Popup Blocker: Enabled
Complete.