Topic: 1.reg Malware - How to get rid of it?


jonathanlkm (Guest)
1.reg Malware - How to get rid of it?
« on: October 04, 2007, 01:38:30 PM »
Hi there,

Recently, AVAST antivirus software detected a virus (malware, affecting 1.reg) on my computer. I followed the recommendation, which was to move it to the chest. However, whenever I restart my computer, AVAST still detects the same virus. The problem with this virus/malware is that I can't log on to the internet from time to time.
What should I do?
Please look at the picture below.

Thank you.
Jonathan

« Last Edit: October 04, 2007, 02:13:19 PM by jonathanlkm »

DavidR (Avast Überevangelist)
Re: 1.reg Malware - How to get rid of it?
« Reply #1 on: October 04, 2007, 02:58:11 PM »
Firstly, a .reg file is a strange thing to detect, as it is a text file containing entries to change your registry, which can be very harmful. It could also be that the file type has been changed and the actual file type is different, hence the VBS:malware name.

Secondly, there must be something undetected or hidden restoring or downloading this file; what is your firewall?
I would also suggest you clear out your Temp folder, in case there might be something else in there.

In your image you also seem to have some strange font/character effects in the Path: the backslash \ character is displayed as a W with a line through it (₩). Is this normal for your system?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using WinXP: AVG Anti-Spyware (formerly Ewido), resident scanner during the trial, on-demand after the trial ends. Or SUPERAntiSpyware, on-demand only in the free version. Or Spyware Terminator, resident scanner. Or a-Squared Free, on-demand only with the free version (if using Win98/ME).

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
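A defender's check for DavidR's two points above, as an added example that is not code from the thread or from avast: a small Python triage for a file named *.reg that verifies the registry-export header (a renamed VBScript fails it), lists the keys the file would write or delete, and flags autostart locations. The sample .reg contents, the ExampleUpdater value and the Temp path are constructed, and the persistence-key list is an illustrative assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A genuine registry export starts with one of these headers. REGEDIT4 exports are
# ANSI text; "Version 5.00" exports are UTF-16LE with a byte-order mark.
REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Autostart/hook locations; an import that writes here deserves a close look.
# Illustrative list (assumption), matched case-insensitively as a substring.
PERSISTENCE_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",          # also covers RunOnce, RunServices
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon",  # Shell, Userinit, Notify
    r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
)

# Tokens that do not occur in registry data but do in VBScript/JScript; finding them
# in a ".reg" suggests a renamed script, which is how a VBS: family name arises.
SCRIPT_MARKERS = ("createobject(", "wscript.", "<script", "eval(")

SECTION_RE = re.compile(r"^\[(?P<del>-?)(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


@dataclass
class RegTriage:
    is_reg: bool                 # header present, so regedit would import it
    header: Optional[str]
    looks_like_script: bool      # script markers found in the body
    keys: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def decode_reg_bytes(raw: bytes) -> str:
    """Decode a .reg file read in binary mode, honouring the UTF-16 BOM."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def _unescape(data: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo its backslash escaping."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return data


def _is_persistence(key: str) -> bool:
    k = key.lower()
    return any(p.lower() in k for p in PERSISTENCE_KEYS)


def triage_reg_text(text: str) -> RegTriage:
    """Parse .reg text and list the keys/values it would create or delete."""
    lines = [ln.rstrip("\r") for ln in text.lstrip("\ufeff").splitlines()]
    first = next((ln.strip() for ln in lines if ln.strip()), "")
    header = first if first in REG_HEADERS else None
    low = text.lower()
    result = RegTriage(is_reg=header is not None, header=header,
                       looks_like_script=any(m in low for m in SCRIPT_MARKERS))
    if header is None:
        note = "no registry-export header: regedit would not import this as a .reg file"
        if result.looks_like_script:
            note += " (content looks like a script)"
        result.findings.append(note)
        return result
    current: Optional[str] = None
    deleting = False
    for ln in lines:
        sec = SECTION_RE.match(ln)
        if sec:
            current, deleting = sec.group("key"), sec.group("del") == "-"
            result.keys.append(current)
            if deleting:
                result.findings.append(f"deletes key {current}")
            elif _is_persistence(current):
                result.findings.append(f"writes persistence location {current}")
            continue
        val = VALUE_RE.match(ln)
        if val and current and not deleting:
            name = val.group("name") if val.group("name") is not None else "(Default)"
            data = val.group("data").strip()
            if data == "-":
                result.findings.append(f"deletes value {name} under {current}")
            elif _is_persistence(current):
                result.findings.append(f"autostart entry {name} -> {_unescape(data)}")
    return result


# Constructed sample inputs (not files from the thread); the Temp path is made up.
BENIGN_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp\\Settings]\r\n"
    '"Theme"="dark"\r\n'
)
SUSPICIOUS_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"ExampleUpdater"="C:\\\\DOCUME~1\\\\User\\\\LOCALS~1\\\\Temp\\\\1.exe"\r\n\r\n'
    "[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\r\n"
)
DISGUISED_SCRIPT = 'Dim sh\r\nSet sh = CreateObject("WScript.Shell")\r\n'
```

Call `triage_reg_text(decode_reg_bytes(open(path, "rb").read()))` on a quarantined copy and read the findings; a "no registry-export header" result on a file that avast names VBS:something is the mismatch DavidR describes.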

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #2 on: October 05, 2007, 04:58:09 AM »
Hi there....

Thanks for the reply. For your information, I am using the Korean version of Windows, thus you can see (\) is displayed as (₩), a W with a line through it. It's normal in my OS.
I did the AVG scan, but the software found nothing in my computer. Any ideas?

Thanks again.
« Last Edit: October 05, 2007, 04:59:50 AM by jonathanlkm »

DavidR (Avast Überevangelist)
Re: 1.reg Malware - How to get rid of it?
« Reply #3 on: October 05, 2007, 02:10:20 PM »
Try the next tool, as malware signature databases differ from one anti-spyware program to another.

There are also a couple of on-line anti-spyware scans you could try.
http://www.spywareinfo.com/xscan.php
http://www.pestscan.com/

There is a possibility that what is responsible is hidden by a rootkit. Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
- BlackLight - http://www.f-secure.com/blacklight/
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
- AVG Anti-Rootkit - http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #4 on: October 06, 2007, 01:42:31 PM »
Thanks for the links.

It seems that Spyware Terminator and SUPERAntiSpyware did the job! The malware is gone now.

Thanks a lot! :)

Lisandro (Avast team)
Re: 1.reg Malware - How to get rid of it?
« Reply #5 on: October 06, 2007, 01:53:02 PM »
Quote
The malware is gone now.

If you're still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with the anti-rootkit tools posted by David. Also, if you're still detecting strange behaviors or you want to be sure you're clean, making a HijackThis log to post here and, especially, scanning the RunScanner log and submitting it to on-line analysis would help to identify the problem and the solution.

After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

DavidR (Avast Überevangelist)
Re: 1.reg Malware - How to get rid of it?
« Reply #6 on: October 06, 2007, 03:23:20 PM »
Quote
<snip>
It seems that Spyware Terminator and SUPERAntiSpyware did the job! The malware is gone now.
Thanks a lot! :)

No problem, glad we could help.

Welcome to the forums.

You didn't mention what your firewall is; it is an essential part of your system security.
Also, whatever was detected by ST or SAS, you didn't say what it was they detected (we don't like loose ends ;D).
This was possibly downloading this file, and your firewall should have been part of your defence.

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #7 on: October 07, 2007, 01:37:32 PM »
Well..... I think my computer is not clean yet :'(. I still encounter some problems with my computer, e.g. no internet connection; IE or Mozilla Firefox cannot access the internet.

By the way, I remember my problem was caused by some PayPal website (virus??), some exe file that I downloaded.

Anyway...hope this log file can help. Thanks

HijackThis log file
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\npkcmsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\conime.exe
E:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\avgarkt.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\RhVOc.exe
C:\Documents and Settings\Jonathan\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: mizane.com - {B0C6B366-C1F1-4B91-ACBD-558E76B354ED} - C:\PROGRA~1\mizane\mizane1.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [BitComet] "E:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: CaptureWiz.lnk = C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #8 on: October 07, 2007, 01:37:57 PM »
O16 - DPF: {057E566C-74EE-495E-81D9-7A17AA835070} (MMServer Control) - http://www.mnet.com/Ver2/App/totalApp/maxmemo/MaxMemo.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://onlinetour.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://download.banktown.com/keb/initech/plugin/down/INIS60.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://img.shinhan.com/rib/common/keyStroke/SoftCamp/40854/scsk4.cab
O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nia.or.kr/login/sysinfo2.cab
O16 - DPF: {47BF3491-5FEB-44C7-9A9E-C02F2FB027D8} (PhotomonImageUploader Control) - http://www.photomon.com/printing/NewActiveX/PhotomonImageUploader.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://update.nprotect.net/npscan2006/kor/nps.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - http://ck.softforum.co.kr/CKKeyPro/yescard/CKKeyPro.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.0.5.0/xw_install.cab
O16 - DPF: {8068959B-E424-45AD-B62B-A3FA45B1FBAF} (Report Designer 4.0 Control) - http://ezhub.hanyang.ac.kr/haksa/hus/rdviewer40.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9A829609-D923-48AC-83D9-4E82DD874DA4} (PhotoCtrl Class) - http://www.47dc.com/InnoPhotoNew/InnoPhotoNew.cab
O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) - http://download.signgate.com/download/common/ews/release/ewsinstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
O16 - DPF: {C193DE20-29F4-4B4F-963B-EB20CB3186C0} (SpeedTest Control) - http://speed.nia.or.kr/speedtest/SpeedTest.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/yescard2/npkcx_inca.cab
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/yescard/npz.cab
O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - http://pay.kcp.co.kr/plugin/file/payplus.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcmsvc.exe
O23 - Service: Phidget Webservice 21 (PhidgetWebservice21) - Phidgets Inc. - C:\Program Files\Phidgets\PhidgetWindowsService21.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file


jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #9 on: October 07, 2007, 01:49:32 PM »
Quote
As something, what ever was detected by ST or SAS, you didn't say what it was they detected (we don't like loose ends  ) ?

SuperAntiSpyware detected: adware tracking cookies, Trojan.net_SCVHOST32 & an unidentified Browser Helper Object. :o

Quote
You didn't mention what your firewall is, it is an essential part of your system security ?

I am using a router. I guess a firewall is not an essential part of my system security. :)
« Last Edit: October 07, 2007, 01:52:12 PM by jonathanlkm »

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 1.reg Malware - How to get rid of it?
« Reply #10 on: October 07, 2007, 02:24:11 PM »
This is part of a Korean trojan:
Quote
Win-Adware/BHO.Mizane.242688 is adware that is installed without the user's agreement. Registered as a BHO, it monitors the user's keywords and system.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O2 - BHO: mizane.com - {B0C6B366-C1F1-4B91-ACBD-558E76B354ED} - C:\PROGRA~1\mizane\mizane1.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.

________________________________

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\PROGRA~1\mizane


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

____________________________

There is probably a hidden file somewhere on your system triggering this so we could go on a hunt....

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Reg - Approved Shell Extensions
      Reg - File Associations

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
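To go with essexboy's review of the HijackThis log, an added example (not from the thread, HijackThis or OTMoveIt): a Python parser for O2 and O4 lines that surfaces the kind of entry he flagged, a BHO whose DLL is missing, plus autostarts from user-writable directories. The sample lines are copied from the log posted above, except the [Updater] Temp entry, which is constructed; the suspect-directory list is an assumption.

```python
import re
from typing import List, NamedTuple

# One HijackThis line is "<class> - <body>"; the classes handled here are
# O2 (Browser Helper Objects) and O4 (Run keys and Startup folders).
LINE_RE = re.compile(r"^(?P<cls>O\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^(?P<where>.*?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<label>.*?) = (?P<cmd>.*)$")

# Directories where a BHO DLL or autostart executable seldom belongs on a clean XP
# box (illustrative, an assumption); the thread's helpers pointed at Temp first.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


class Finding(NamedTuple):
    cls: str      # HijackThis class, e.g. "O2"
    subject: str  # BHO name or Run-key label
    path: str     # path as HijackThis printed it
    reason: str


def _exe_from_command(cmd: str) -> str:
    """Executable part of a Run-key command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def _in_suspect_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SUSPECT_DIRS)


def triage_hjt(log: str) -> List[Finding]:
    """Return the O2/O4 entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cls, body = m.group("cls"), m.group("body")
        if cls == "O2":
            b = O2_RE.match(body)
            if not b:
                continue
            name, path = b.group("name"), b.group("path")
            if "(no file)" in path or "(file missing)" in path:
                findings.append(Finding(cls, name, path, "BHO registered but its DLL is missing (orphan or partly removed)"))
            elif name == "(no name)":
                findings.append(Finding(cls, name, path, "BHO with no name"))
            elif _in_suspect_dir(path):
                findings.append(Finding(cls, name, path, "BHO DLL in a user-writable directory"))
        elif cls == "O4":
            run = O4_RUN_RE.match(body)
            if run:
                label, exe = run.group("label"), _exe_from_command(run.group("cmd"))
            else:
                startup = O4_STARTUP_RE.match(body)
                if not startup:
                    continue
                label, exe = startup.group("label"), startup.group("cmd").strip()
            if _in_suspect_dir(exe):
                findings.append(Finding(cls, label, exe, "autostart from a user-writable directory"))
            elif "\\" not in exe and not exe.startswith("%"):
                findings.append(Finding(cls, label, exe, "autostart by bare filename (resolved through PATH at logon)"))
    return findings


# Sample lines copied from the log posted in the thread, plus one constructed
# Run entry pointing into Temp (the [Updater] line is made up for illustration).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: mizane.com - {B0C6B366-C1F1-4B91-ACBD-558E76B354ED} - C:\PROGRA~1\mizane\mizane1.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\User\LOCALS~1\Temp\1.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.cls} [{f.subject}] {f.path}\n    -> {f.reason}")
```

A flagged line is a lead for review, not a verdict: the bare-filename CTHELPER.EXE entry in the thread's log is a Creative driver helper, which is why a human still reads the list before anything is fixed.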

DavidR (Avast Überevangelist)
Re: 1.reg Malware - How to get rid of it?
« Reply #11 on: October 07, 2007, 03:47:30 PM »
Quote
You didn't mention what your firewall is, it is an essential part of your system security ?

I am using a router. I guess firewall is not essential part of my system security. :)

I hate to say it, but yes you do, unless your router includes a firewall that also protects against unauthorised outbound connections. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Without a firewall, cleaning your system is likely to take longer: as quickly as some stuff is removed, other malware takes its place, so you need to lock down your system so it can be cleaned effectively.

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #12 on: October 08, 2007, 11:48:26 AM »
WinPFind3 logfile created on: 10/8/2007 6:40:59 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\Jonathan\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
511.47 Mb Total Physical Memory | 212.44 Mb Available Physical Memory | 41.53% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 77.89% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.43 Gb Total Space | 1.27 Gb Free Space | 10.23% Space Free
Drive D: | 12.43 Gb Total Space | 0.34 Gb Free Space | 2.73% Space Free
Drive E: | 12.41 Gb Total Space | 1.58 Gb Free Space | 12.71% Space Free
F: Drive not present or media not loaded

Computer Name: CAPTLIM
Current User Name: Jonathan
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrobat_sl.exe -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 46200 bytes | Modified Date = 10/23/2006 1:40:14 AM | Attr =    ]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\acrotray.exe -> Adobe Systems Inc. [Ver = 8.0.0.2006102200 | Size = 620152 bytes | Modified Date = 10/22/2006 11:24:02 PM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 7:06:10 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 7:05:42 PM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 7:06:04 PM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 7:04:44 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 6:54:58 PM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 389120 bytes | Modified Date = 8/25/2004 2:26:56 PM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 389120 bytes | Modified Date = 8/25/2004 2:26:56 PM | Attr =    ]
cthelper.exe -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 0, 0, 2 | Size = 24576 bytes | Modified Date = 7/2/2002 5:56:00 PM | Attr =    ]
devldr32.exe -> %System32%\devldr32.exe -> Creative Technology Ltd. [Ver = 1, 0, 0, 17 | Size = 24064 bytes | Modified Date = 8/18/2001 7:36:42 AM | Attr =    ]
fnplicensingservice.exe -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 5/14/2007 5:52:52 PM | Attr =    ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 9:31:10 PM | Attr =    ]
hijackthis.exe -> %UserDesktop%\HiJackThis.exe -> Trend Micro Inc. [Ver = 2.00.0002 | Size = 401720 bytes | Modified Date = 10/7/2007 8:31:48 PM | Attr =    ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 12:14:36 PM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr =    ]
npkcmsvc.exe -> %System32%\npkcmsvc.exe -> INCA Internet Co., Ltd. [Ver = 2006, 11, 6, 1 | Size = 61523 bytes | Modified Date = 5/17/2007 5:04:00 PM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3959 | Size = 185896 bytes | Modified Date = 5/24/2007 12:08:42 PM | Attr =    ]
ulcdrsvr.exe -> %CommonProgramFiles%\Ulead Systems\DVD\ULCDRSvr.exe -> Ulead Systems, Inc. [Ver = 1, 0, 0, 4 | Size = 49152 bytes | Modified Date = 12/13/2004 4:34:32 AM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 8/28/2007 2:44:28 PM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 6:54:58 PM | Attr =    ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 389120 bytes | Modified Date = 8/25/2004 2:26:56 PM | Attr =    ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe ->  [Ver = 5.13.0020 | Size = 516096 bytes | Modified Date = 8/25/2004 12:52:00 PM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 7:06:04 PM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 7:05:42 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 7:04:44 PM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 9:31:10 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr =    ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 5/14/2007 5:52:52 PM | Attr =    ]
(npkcmsvc) npkcmsvc [Win32_Own | Auto | Running] -> %System32%\npkcmsvc.exe -> INCA Internet Co., Ltd. [Ver = 2006, 11, 6, 1 | Size = 61523 bytes | Modified Date = 5/17/2007 5:04:00 PM | Attr =    ]
(PhidgetWebservice21) Phidget Webservice 21 [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Phidgets\PhidgetWindowsService21.exe -> Phidgets Inc. [Ver = 1.0.0.0 | Size = 24576 bytes | Modified Date = 8/22/2007 2:35:42 PM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 12:14:36 PM | Attr =    ]
(UleadBurningHelper) Ulead Burning Helper [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Ulead Systems\DVD\ULCDRSvr.exe -> Ulead Systems, Inc. [Ver = 1, 0, 0, 4 | Size = 49152 bytes | Modified Date = 12/13/2004 4:34:32 AM | Attr =    ]

jonathanlkm (Guest)
Re: 1.reg Malware - How to get rid of it?
« Reply #13 on: October 08, 2007, 11:48:56 AM »
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
AtiExtEvent -> %System32%\ati2evxx.dll ->  [Ver =  | Size = 86016 bytes | Modified Date = 8/25/2004 2:27:00 PM | Attr =    ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoViewOnDrive -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #14 on: October 08, 2007, 11:49:20 AM »

msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} [HKLM] -> E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll [BitComet Helper] -> BitComet [Ver = 20070830 | Size = 513336 bytes | Modified Date = 8/30/2007 5:11:34 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr =    ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 321120 bytes | Modified Date = 10/22/2006 11:20:26 PM | Attr =    ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 321120 bytes | Modified Date = 10/22/2006 11:20:26 PM | Attr =    ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 321120 bytes | Modified Date = 10/22/2006 11:20:26 PM | Attr =    ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 321120 bytes | Modified Date = 10/22/2006 11:20:26 PM | Attr =    ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr =    ]
{461CC20B-FB6E-4f16-8FE8-C29359DB100E} -> Reg Data - Value does not exist [ButtonText: BitComet Search] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&D&ownload &with BitComet -> E:\Program Files\BitComet\BitComet.exe\AddLink.htm -> File not found
&D&ownload all video with BitComet -> E:\Program Files\BitComet\BitComet.exe\AddVideo.htm -> File not found
&D&ownload all with BitComet -> E:\Program Files\BitComet\BitComet.exe\AddAllLink.htm -> File not found
Append to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
E&xport to Microsoft Excel ->  -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4736237D-6678-4AC0-8B4A-5B4C8C1BD8F4} ->    () ->
{F2F94BB5-FCD6-4AB5-A066-68A8816CA58C} ->    (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 2 | Size = 1828176 bytes | Modified Date = 8/31/2007 6:33:52 PM | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{057E566C-74EE-495E-81D9-7A17AA835070} -> MMServer Control - CodeBase = http://www.mnet.com/Ver2/App/totalApp/maxmemo/MaxMemo.cab ->
{091CDD73-1401-4643-9B9C-65B091C88685} -> MyLinker Control - CodeBase = http://onlinetour.contents.mylinker.co.kr/module/MyLinker.cab ->
{286A75C3-11FB-4FB4-AC4A-4DD1B0750050} -> INISAFEWeb6 V6 Class - CodeBase = http://download.banktown.com/keb/initech/plugin/down/INIS60.cab ->
{33564D57-0000-0010-8000-00AA00389B71} ->  - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB ->
{39FC0CF9-86F3-4502-B773-D16706EDEC83} -> SCSK Control - CodeBase = http://img.shinhan.com/rib/common/keyStroke/SoftCamp/40854/scsk4.cab ->
{3EFC2239-B769-469F-A5E6-38693AE0B9DE} -> Sysinfo2 Control - CodeBase = http://speed.nia.or.kr/login/sysinfo2.cab ->
{47BF3491-5FEB-44C7-9A9E-C02F2FB027D8} -> PhotomonImageUploader Control - CodeBase = http://www.photomon.com/printing/NewActiveX/PhotomonImageUploader.cab ->
{4C68DACE-E6BC-4650-9C7E-D036720CA729} -> Nps Control - CodeBase = http://update.nprotect.net/npscan2006/kor/nps.cab ->
{54B52E52-8000-4413-BD67-FC7FE24B59F2} -> EARTPatchX Class - CodeBase = http://simcity.ea.com/update/EARTPX.cab ->
{556DDE35-E955-11D0-A707-000000521957} ->  - CodeBase = http://www.xblock.com/download/xclean_micro.exe ->
{6A2E758A-028B-46BB-A11D-0608AB5A4ED3} -> DaumBGMCtrl Class - CodeBase = http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab ->
{6CE20149-ABE3-462E-A1B4-5B549971AA38} -> XecureCKKB Class - CodeBase = http://ck.softforum.co.kr/CKKeyPro/yescard/CKKeyPro.cab ->
{7E9FDB80-5316-11D4-B02C-00C04F0CD404} -> XecureWeb 4.0 Client Control - CodeBase = http://download.softforum.co.kr/Published/XecureWeb/v7.0.5.0/xw_install.cab ->
{8068959B-E424-45AD-B62B-A3FA45B1FBAF} -> Report Designer 4.0 Control - CodeBase = http://ezhub.hanyang.ac.kr/haksa/hus/rdviewer40.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{938527D1-CDB7-4147-998A-B20FCA5CC976} -> Cdmcco Class - CodeBase = http://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10 ->
{9A829609-D923-48AC-83D9-4E82DD874DA4} -> PhotoCtrl Class - CodeBase = http://www.47dc.com/InnoPhotoNew/InnoPhotoNew.cab ->
{9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} -> SG_CAppAtx Control - CodeBase = http://download.signgate.com/download/common/ews/release/ewsinstaller.cab ->
{A9F090E5-FC80-4772-AFEE-D102AB6E77D6} -> IssacWebProCMS Class - CodeBase = http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab ->
{B8C4B31D-6DCE-4DF0-BF73-44686849F67D} -> PDRInst1 Class - CodeBase = http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab ->
{B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} -> Daum ActiveX manager Class - CodeBase = http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2 ->
{BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} -> EwsLoader Class - CodeBase =  ->
{C193DE20-29F4-4B4F-963B-EB20CB3186C0} -> SpeedTest Control - CodeBase = http://speed.nia.or.kr/speedtest/SpeedTest.cab ->
{C36661D7-3590-45B1-80B5-520839E94DAD} -> MaxisSimCity4PatcherX Control - CodeBase = http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{D6FCA8ED-4715-43DE-9BD2-2789778A5B09} -> NPKCX Control - CodeBase = http://update.nprotect.net/keycrypt/yescard2/npkcx_inca.cab ->
{DC4207CE-C03E-4449-ACB1-032CA4137053} -> Npz Control - CodeBase = http://update.nprotect.net/nprotect2006/yescard/npz.cab ->
{E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} -> Payplus Client Control - CodeBase = http://pay.kcp.co.kr/plugin/file/payplus.cab ->