mr-baluba (Beginner)
27 August 2006 - 15:42. There are 29 comments and 1 solution.

HijackThis log for review

My old machine here has been rather unstable for a long time. The hard drive is working almost constantly. Many things take unreasonably long. I have run the various scanners mentioned on this site, and that removed quite a lot. It helped the speed a little. But the hard drive still keeps grinding away.

Is there someone knowledgeable who would take a look at my log? :)
mr-baluba (Beginner)
27 August 2006 - 15:43 #1
Logfile of HijackThis v1.99.1
Scan saved at 15:25:05, on 27-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Ulrich Green\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Profile CAPI 8,0,000,237 - https://udstedelse.certifikat.tdc.dk/person/applets/entrustprofileapplet-capi.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
var (Beginner)
27 August 2006 - 18:24 #2
Hi :)

Open HijackThis and run a scan, then tick the box next to these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Close all windows and browsers except HijackThis, then click "Fix Checked".

Restart

Find and delete this file:

C:\WINDOWS\dqqua1.dll < the file

You can download Ewido here
Click Download now. Install and run Ewido. Update the program immediately after installation (but do not scan yet). Restart in safe mode. You need to press the F8 key during the restart (roughly just after the RAM has been counted), and then choose safe mode. If in doubt, just press F8 several times. Now run a full scan with Ewido. When it is finished, press save report and copy the report in here together with a log from HijackThis. See below for how to run a scan with HijackThis.
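The line selection in the reply above can be pre-screened before a human reviews the log. The following Python code is an added example, not part of the original posts and not HijackThis's own logic: the three flagging rules are illustrative assumptions, and the sample lines are copied from the log posted earlier in this thread.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Sample input: ten lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A section line looks like "<letter><1-2 digits> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


@dataclass
class Entry:
    code: str                      # section code, e.g. "O2", "O15"
    body: str                      # remainder of the line
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return the section entries; header and running-process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def dpf_source(body):
    """Return the download URL of an O16 line (its last ' - ' field), or None."""
    candidate = body.rsplit(" - ", 1)[-1].strip()
    return candidate if urlsplit(candidate).scheme in ("http", "https") else None


def triage(entries):
    """Attach review reasons to entries and return only the flagged ones.

    Assumed rules (illustrative, not taken from the thread or from HijackThis):
      1. O2/O3 browser add-on whose file is absent on disk.
      2. Any O15 entry: a site or IP placed in the IE Trusted zone.
      3. O16 ActiveX download source served over plain HTTP.
    """
    flagged = []
    for entry in entries:
        reasons = []
        lowered = entry.body.lower()
        if entry.code in ("O2", "O3") and (
            "(file missing)" in lowered or "(no file)" in lowered
        ):
            reasons.append("add-on is registered but its file is absent")
        if entry.code == "O15":
            reasons.append("Trusted zone entry; confirm the user added it")
        if entry.code == "O16":
            url = dpf_source(entry.body)
            if url and urlsplit(url).scheme == "http":
                reasons.append(
                    "ActiveX download source is not HTTPS: " + urlsplit(url).hostname
                )
        entry.reasons = reasons
        if reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for item in triage(parse_log(SAMPLE_LOG)):
        print(f"{item.code:<4}{item.body}")
        for reason in item.reasons:
            print(f"      -> {reason}")
```

A flag here only marks a line for manual review; whether to fix it remains a decision for someone who knows what is installed on the machine.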
ejvindh (Expert)
27 August 2006 - 19:37 #3
Sorry for butting in, but this log shows signs of a new infection that is very difficult indeed to deal with. To determine whether it actually IS this infection, I think it would be good if we get one extra log:

Copy the content between the dashed lines into a Notepad window and save it to the desktop. When you save the file, name it visappinit.bat, and make sure that "All files" is selected under "File types":

------------
reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" applook.hiv
ren applook.hiv applook.txt
start notepad applook.txt
------------
Then double-click visappinit.bat. After a short while a new Notepad window will open with a log file. Post this file here.
mr-baluba (Beginner)
27 August 2006 - 20:38 #4
Ewido log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:    20:28:18 27-08-2006

+ Scan result:   



C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll -> Adware.180Solutions : No action taken.
C:\WINDOWS\Downloaded Program Files\ClientAX.#ll -> Adware.180Solutions : No action taken.
HKLM\SYSTEM\ControlSet001\Services\Cbecddwovdr\\Type -> Adware.CommonName : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{516B05B7-D345-D25A-1547-83C52F819898} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{539B572E-7B0F-7CC3-9352-C94BF984726F} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53BBFA51-F2AF-9AA0-0B78-8BBCA1750B40} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5424B0AE-852E-6BF6-A56B-2CFEADEF8AE4} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{566A7648-21AD-C5B2-6784-38BED7933A1C} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57C0C13E-E95C-411D-BCD9-A537E6B2AA24} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CC0E8EC-B7CF-B661-BFB8-B1C4196F8038} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5E866BEC-2589-CDEB-F181-CC47A97B6C71} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{603960DA-2A41-E212-F1A7-5E1DBE5E69D6} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{629FEEBC-8D1F-BA64-26C3-686D45062880} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{66A6B404-64CF-F22B-5DA9-5DE0B5DEB9EE} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67AD8EEC-DBC9-81F8-1EAB-6D24CF242AC2} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{69B27564-7681-CCA5-BB56-E910FC6B4E14} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BE5F351-F2D2-2264-8168-8EBE5F4A77D9} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C9AE9E1-D36B-85B4-1F25-941CA52D764A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6F302E46-19DB-FFB5-A681-8D4760FF8036} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70C45587-7F30-0A1B-F987-3F25A1729A43} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{71323479-433A-3A56-DCB0-ABFEDE067C08} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73676454-A932-7669-B377-AC3A0147A262} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75BCC47F-FF73-DFD6-3935-55E8AFDD2820} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79062573-086D-5A0F-D7B9-40FCC3638669} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7987430E-2E3A-D544-43EA-72B1F3C3F6D2} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7ADEFF17-44D6-CB89-646C-A7E10B4A53BA} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C16C7E5-9CFA-188C-1391-6B30852F9DA6} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C395C70-4770-1EBB-BEF0-A0B7926007FF} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7DB64B28-1BB0-D8F6-CB9A-E8FB11BD47AD} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F97920A-F86E-E377-EB56-8C41D2539602} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FEB58A4-D4D1-381B-004A-6035CD9E65E4} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{81ECDBCA-1DE3-27FD-325A-F6E0C0C236CF} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{830EE2B4-CC5A-7C09-D6EE-9691152F9F01} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{833C2A45-D78C-FBD9-4797-2BF8F49B3F3F} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{852FA20A-9E12-6825-3E86-D9C0B1C1184B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86CC2087-2C19-636E-123F-4A64629ED9B7} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{877B338B-0B25-FB35-72B8-272EF3FF6CDC} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A21261B-1D1C-3E80-0116-95C04A8233EA} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8D0585C2-7837-436E-A1A5-25C507937285} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9011BFD4-E203-0899-94F9-1C6851794380} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9037343E-6802-1EC2-D767-E57CC2D9D83C} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{910D4451-D597-05F5-D318-00556258E9E2} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{935DFB05-7DED-A169-BFC9-B6F91461D1D1} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{939C3BB0-A463-713D-07C5-9DB1C8D60D81} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95BAC7DA-0DDB-6F51-2538-D3418AE96254} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95BB2714-6F44-FBE4-5342-CE5B844818D6} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{983DCC8F-9AD3-E926-F6A9-07E2CB9D4AC7} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{983EBB29-C8C7-06E8-B1BC-F3F1DF8BDB66} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B3F0CB4-2255-5C21-D453-28516A995A1D} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B4033A4-E655-8EA0-1710-13B4831710E3} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0FE8830-AF81-1E4D-051B-1A46041255D0} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2FBE3A0-A708-AF3A-EDD6-D569D53EC38B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A398989A-7094-BD9E-0E29-9F952B2594B4} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3C660FF-DEAB-ECF0-02FE-C8DC9874C708} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A506E929-19D9-0C2F-5674-118C99313E95} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A69601D1-A4A9-AE71-9651-BB5AE6624B4B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6AB0709-374D-2F77-3E70-0DE0910A9568} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A72C0FFC-C2D7-47B8-44CD-DA44AC623334} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A758BCB9-66D2-5737-DE37-3927CE58D302} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A995C3ED-D258-1A44-4A69-0B0E177FD580} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA45A478-C680-E0A8-7624-BA5DC8CAD089} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC8C8EF2-B1DB-E428-AE33-869E38C4F846} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEAE8BDF-EB6D-3455-2CB9-63C74F8A0DBF} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF847AFA-7C36-11C8-DB41-199055BB86B2} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B04EE120-83B9-B26D-500D-49A7F8C6CB92} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B410DCF2-9A66-DC89-C3A1-07109FEC0D45} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B543DA16-5622-738B-5E88-D833B851F319} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B56A5F1A-1B05-A675-5C09-AD563EAF1965} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6F5FC8C-8EB9-1EA0-C3C9-D9121C64B33B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B877A895-E66D-9B51-2A5E-B2821E0C16B0} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B9E394CA-9564-011C-9650-8855DA3C97AC} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BAA0D3EB-6EAA-378D-EABD-428A8C6CBCDC} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BC18EDB1-7152-4300-9435-4B195A2401DF} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BCDB07A7-963A-1258-24B6-815B7E32CDE2} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD1A5F1B-172C-8C65-3D5B-BAD25623F3D9} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD69C2FB-6172-5494-95D3-8BA67650941E} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD9F01E8-BBEC-4791-99A6-0B3141961A1C} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C0C3A22C-1EB7-A108-F824-1678C8D550B4} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C152FD32-565F-4149-CA19-48489A67658E} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C45410F7-1A22-A509-8145-C396D0E0B9E0} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C57A97CE-E8D2-2292-3692-AE5AD4A452E1} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5DD24AA-44CE-3AF3-2B3D-6EB6F2ECB4A6} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C713F792-9B34-C3C7-0713-07FE90101606} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C78BA420-2354-CF49-9103-FA0AC2A41B6C} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C8EE100B-191A-611C-5766-34F50DE08954} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC08AA37-8C73-9A94-DD4C-F1ADE175874D} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC47DD3F-46F7-6813-D89E-37FD2658A254} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC765202-E7E7-68C5-2938-535D74C66F51} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE625DD3-CBD8-8AF1-9FFB-1F765070A92A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFE850F2-39B6-74D2-5743-6A8EDC9429B3} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D006F3DF-6883-5152-C428-17EFD3009EF0} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0592B04-69A4-47BC-1B9B-32D793341FAA} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4A6B035-FBFF-C0DC-E435-4B89825B905A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D56772D5-4787-FEC2-2F9F-D3396F635202} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D57750CD-6BCB-E411-D165-5E29E405BA5F} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7C43CFF-343D-063E-1C14-C8A0FEB6F6A4} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D826572A-F77D-3941-607F-F390337030B9} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D92F0399-F140-2CB8-8A36-B6009D6A202A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DEABD788-8FB3-FD63-7965-389321DD0368} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1855C39-8820-BABA-C94F-7C3D2AD1C652} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E38BBEC2-8E70-3C46-43FC-DD9D8553C2B0} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7A8D32E-66F3-8478-4596-9CD041EAC392} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E85F044E-692F-88A1-DCF0-A6CE8A4E910A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8672AC7-8611-4002-4486-F4856A5C2E37} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA1C9599-38EA-A706-7B47-FE7D9CD0589B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC0DCF51-1005-877B-C873-10B3F0156A8C} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED7306F6-0886-680B-600C-69DD6DF87ADC} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F02E0322-0CEA-35B7-970A-0D8E8BEE1301} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1A4571F-46C9-C368-C70C-9911C42A8A18} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1F9E29C-4912-7B61-F81C-8F9AAE86C8EE} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F20ED84C-D847-D6C7-F794-2ED9DCB4B4D1} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2938D55-FF24-9FAE-0746-FFB05994C97B} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6961B99-762F-B1BE-0D43-513230AC094F} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F78A49D8-1758-E0F2-CDE0-8BD0FD4FE086} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F831BBBD-4EFD-0AD2-5B57-0067ABE2F1DD} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9D7B838-0128-DA47-424A-9E6B5C35E7D6} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FBE082F8-A0D5-70CD-EB90-9C45156A5E8A} -> Adware.CoolWebSearch : No action taken.
HKU\S-1-5-21-73586283-1303643608-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD452CF8-EDCD-D7BA-05A1-83F0CCF1AE4F} -> Adware.CoolWebSearch : No action taken.
C:\WINDOWS\PSTRIP.DOC:hosgb -> Downloader.Agent.ap : No action taken.
C:\WINDOWS\PSTRIP.DOC:orksz -> Downloader.Agent.ap : No action taken.
C:\WINDOWS\PSTRIP.DOC:uvfhgz -> Downloader.Agent.ap : No action taken.
C:\WINDOWS\PSTRIP.DOC:yhqpz -> Downloader.Agent.ap : No action taken.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@trafic[1].txt -> TrackingCookie.Trafic : No action taken.


::Report end
mr-baluba Beginner
27 August 2006 - 20:38 #5
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:29:57, on 27-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Ulrich Green\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Profile CAPI 8,0,000,237 - https://udstedelse.certifikat.tdc.dk/person/applets/entrustprofileapplet-capi.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
mr-baluba Beginner
27 August 2006 - 20:42 #6
ejvindh, no log appears when I run the file, just a very brief DOS prompt thing.
var Beginner
27 August 2006 - 21:20 #7
It's fine that you're stepping in, Ejvindh. I don't know that infection... What is it called?
var Beginner
27 August 2006 - 21:28 #8
Sorry, I had forgotten to look in the HJT forum ;)

I'd like you to continue this fix, since I don't know the treatment for this (I need to do some research). But I'll gladly listen in ;)
ejvindh Expert
27 August 2006 - 23:08 #9
All fine :-)

mr-baluba: You should run Ewido again, and this time you must allow it to fix what it finds.

Regarding the batch file I posted, try it this way instead:

Copy the content between the dashed lines into a Notepad window and save it to the desktop. When you save the file, type c:\visai.bat next to "File name", and make sure that "Save as type" says "All files":

------------
c:\WINDOWS\system32\reg.exe save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" applook.hiv
ren applook.hiv applook.txt
start c:\windows\notepad.exe applook.txt
------------
Then click Start > Run, type CMD in the field, and click OK. A small DOS window will open. In it, type the following (followed by <enter>):
c:\visai.bat

Then either a Notepad window will pop up after a short while, whose contents you should post here, or there will be an error message. Please post that error message here.
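Added example, not part of ejvindh's post: rather than renaming the saved hive to .txt and reading it in Notepad, a short Python script can parse the binary `regf` file that `reg.exe save` writes and list the values of the saved key, which is where Windows stores `AppInit_DLLs`. The function names, the sample DLL paths and the hive built by `build_sample_hive` are constructed for illustration; subkeys and values larger than about 16 KiB are not handled.

```python
import re
import struct
import sys

HBIN_BASE = 0x1000  # cell offsets are relative to the end of the 4 KiB base block


def _cell(hive, off):
    """Payload of the allocated cell at hive-relative offset `off`."""
    start = HBIN_BASE + off
    (size,) = struct.unpack_from("<i", hive, start)
    if size >= 0:  # allocated cells store their size as a negative number
        raise ValueError("cell at 0x%x is free or corrupt" % off)
    return hive[start + 4:start - size]


def _decode(dtype, data):
    if dtype in (1, 2):  # REG_SZ, REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    if dtype == 4 and len(data) == 4:  # REG_DWORD
        return struct.unpack("<I", data)[0]
    return data.hex()  # anything else is shown as hex


def list_root_values(hive):
    """Return (root key name, {value name: decoded data}) for a saved hive."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (missing 'regf' signature)")
    (root_off,) = struct.unpack_from("<I", hive, 0x24)
    nk = _cell(hive, root_off)
    if nk[:2] != b"nk":
        raise ValueError("root cell is not a key node")
    (flags,) = struct.unpack_from("<H", nk, 0x02)
    count, list_off = struct.unpack_from("<II", nk, 0x24)
    (name_len,) = struct.unpack_from("<H", nk, 0x48)
    raw = nk[0x4C:0x4C + name_len]
    key_name = raw.decode("latin-1" if flags & 0x20 else "utf-16-le")
    values = {}
    if count:
        vlist = _cell(hive, list_off)[:4 * count]
        for (vk_off,) in struct.iter_unpack("<I", vlist):
            vk = _cell(hive, vk_off)
            if vk[:2] != b"vk":
                raise ValueError("value list points at a non-value cell")
            nlen, dsize, doff, dtype, vflags = struct.unpack_from("<HIIIH", vk, 0x02)
            raw = vk[0x14:0x14 + nlen]
            vname = raw.decode("latin-1" if vflags & 1 else "utf-16-le") or "(Default)"
            if dsize & 0x80000000:  # small data lives in the offset field itself
                data = struct.pack("<I", doff)[:dsize & 0x7FFFFFFF]
            else:  # larger values point at a separate data cell
                data = _cell(hive, doff)[:dsize]
            values[vname] = _decode(dtype, data)
    return key_name, values


def appinit_dlls(values):
    """Split AppInit_DLLs (space- or comma-separated) into individual DLL paths."""
    return [p for p in re.split(r"[ ,]+", str(values.get("AppInit_DLLs", ""))) if p]


def build_sample_hive():
    """Constructed sample: a minimal hive whose root key is 'Windows'."""
    cells = bytearray(b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(20))

    def add(payload):
        off, size = len(cells), (len(payload) + 4 + 7) & ~7  # 8-byte aligned
        cells.extend(struct.pack("<i", -size) + payload)
        cells.extend(bytes(size - 4 - len(payload)))
        return off

    def vk(name, dtype, dsize, doff):
        head = struct.pack("<HIIIHH", len(name), dsize, doff, dtype, 1, 0)
        return add(b"vk" + head + name)

    # Placeholder DLL paths, invented for this sample.
    sz = "C:\\WINDOWS\\system32\\example1.dll C:\\WINDOWS\\system32\\example2.dll\0"
    sz = sz.encode("utf-16-le")
    offs = [vk(b"AppInit_DLLs", 1, len(sz), add(sz)),
            vk(b"GDIProcessHandleQuota", 4, 0x80000004, 10000)]
    vlist = add(struct.pack("<%dI" % len(offs), *offs))
    nk = bytearray(0x4C)
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 0x02, 0x20)  # key name stored as ASCII
    struct.pack_into("<II", nk, 0x24, len(offs), vlist)
    struct.pack_into("<H", nk, 0x48, len(b"Windows"))
    root = add(bytes(nk) + b"Windows")
    base = bytearray(b"regf" + bytes(0x1000 - 4))
    struct.pack_into("<I", base, 0x24, root)
    return bytes(base) + bytes(cells) + bytes(0x1000 - len(cells))


if __name__ == "__main__":
    # Pass the path of a saved hive (e.g. applook.hiv); without one, the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    key, vals = list_root_values(blob)
    for k, v in vals.items():
        print("%s\\%s = %r" % (key, k, v))
    print("AppInit_DLLs entries:", appinit_dlls(vals))
```

Any DLL listed in `AppInit_DLLs` is loaded into every process that loads user32.dll, so an unexpected entry there is worth checking against the files on disk.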
mr-baluba Beginner
27 August 2006 - 23:15 #10
Hehe, yes, I suppose I could have figured that out myself. Yaaawn, it takes forever :P
First, here is the content of the Notepad window that popped up:

                                Ðÿÿÿvk   à     ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5   Ø(ÍW  °  Ðÿÿÿvk   €'     zGDIProcessHandleQuota"þðÿÿÿ9 0    ! àÿÿÿvk   X     °ºSpooler2ðÿÿÿy e s  À àÿÿÿvk   €       =pswapdisk  °  ø  8  h     Ðÿÿÿvk   (     R¿TransmissionRetryTimeoutÐÿÿÿvk   €'     0 USERProcessHandleQuotaH àÿÿÿ°  ø  8  h     Р   Øÿÿÿvk B  H     * AppInit_DLLs`ž* ¸ÿÿÿ\ \ ? \ C : \ W I N D O W S \ s y s t e m 3 2 \ l p t 1 . h u i  eap
mr-baluba Beginner
27 August 2006 - 23:16 #11
Am I doing something wrong, or should it look like this?
mr-baluba Beginner
28 August 2006 - 01:18 #12
New ewido:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:    23:52:28 27-08-2006

+ Scan result:   



C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Ulrich Green\Cookies\ulrich green@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.


::Report end


I think I may have pressed save log before I pressed apply actions the first time I ran ewido... hence the "no action taken" in the first log.
ejvindh Expert
28 August 2006 - 11:52 #13
OK, visai.bat actually got a bite. Now let's see whether we can fight it. It may take a couple of attempts, since the infection watches for various tools and may not let you run them. But if you are patient, we will get it "persuaded" all right :-)

-- Download Combofix and save it on your desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe

-- Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

-- Unpack the Avenger program and double-click avenger.exe

-- Select "Input Script Manually" and click the magnifying glass - a small window now appears, into which you should copy the contents between the dashed lines:

-----------------------------
Files to delete:
c:\windows\system32\lpt1.hui

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
-----------------------------

-- Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

-- After the restart a Notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

-- Then run combo.exe, which you downloaded earlier, and follow the instructions.
You should not click on the window while the tool is running, as that can make your computer freeze.
When combofix has finished, and after it has restarted, a log file should open: combofix.txt
Please post the contents of this file here.

-- In addition, please also make a new HijackThis log and post it here.

-- Finally, I would also like a new text file from visai.bat.
ejvindh Expert
28 August 2006 - 16:05 #14
Sorry, if you have not run the procedure yet, I would like to ask you to copy the following text into Avenger instead of the one I gave above:

Files to delete:
c:\windows\system32\lpt1.hui
C:\WINDOWS\dqqua1.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
mr-baluba Beginner
28 August 2006 - 19:01 #15
Wow, that'll teach me to protect myself properly in future :P Just got home from work, I'll get started once I've had something to eat. Thanks in advance.
mr-baluba Beginner
28 August 2006 - 20:36 #16
Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iwgorbqh

*******************

Script file located at: \??\C:\bmgkuaex.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\lpt1.hui deleted successfully.
File C:\WINDOWS\dqqua1.dll deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished!  Terminate.


ComboFix:

Ulrich Green - 06-08-28 20:30:50,32
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Ulrich Green\Desktop

(((((((((((((((((((((((((((((((  Files Created from 2006-07-28 to 2006-08-28  ))))))))))))))))))))))))))))))))))


2006-08-27    23:13    177    --a------    C:\visai.bat
2006-08-08    15:53    12,576    --a------    C:\WINDOWS\system32\opsd.dll


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-28 15:17    --------    d--------    C:\Program Files\BitComet
2006-08-28 03:11    --------    d--------    C:\Program Files\Draw Poker Gold
2006-08-28 03:10    --------    d--------    C:\Program Files\Canasis
2006-08-27 19:15    --------    d--------    C:\Program Files\ewido anti-spyware 4.0
2006-08-27 14:57    --------    d--------    C:\Program Files\SUPERAntiSpyware
2006-08-27 11:34    --------    d--------    C:\Documents and Settings\Ulrich Green\Application Data\SUPERAntiSpyware.com
2006-08-12 03:05    --------    d--------    C:\Program Files\Internet Explorer
2006-08-10 17:52    --------    d--------    C:\Program Files\GfedUsden64F
2006-08-10 17:12    --------    d--------    C:\Program Files\Free Solitaire 3D
2006-08-03 22:25    --------    d--------    C:\Program Files\BearShare
2006-08-03 22:22    --------    d--------    C:\Program Files\MyGlobalSearch
2006-08-03 02:50    776096    --a------    C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-03 02:50    27776    --a------    C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-03 02:24    --------    d--------    C:\Program Files\YourWare Solutions
2006-08-03 02:16    --------    d--------    C:\Program Files\Zone Labs
2006-08-03 01:41    --------    d--------    C:\Program Files\Registry Mechanic
2006-08-03 01:39    --------    d--------    C:\Program Files\VideoLAN
2006-08-03 01:39    --------    d--------    C:\Program Files\UnPacker
2006-08-03 01:33    --------    d--h-----    C:\Program Files\InstallShield Installation Information
2006-07-27 15:24    679424    --a------    C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:24    72704    --a------    C:\WINDOWS\system32\hlink.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_EMC"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgemc.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=hex:01,00,00,00
"NoRecentDocsNetHood"=hex:01,00,00,00
"NoDrives"=hex:00,00,00,00
"MaxRecentDocs"=dword:00000004
"NoUserNameInStartMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NoActiveDesktop"=hex:01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~2\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TabUserW.exe.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\TabUserW.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\TabUserW.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\WTablet\\TabUserW.exe "
"item"="TabUserW.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"iPodService"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Camera Detector"="C:\\PROGRA~2\\ACDSYS~1\\DEVDET~1\\DEVDET~1.EXE -autorun"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\New Task.job
C:\WINDOWS\tasks\Windows Update.job

Completion time: 28-08-2006 20:32:09.60
ComboFix.txt


Logfile of HijackThis v1.99.1
Scan saved at 20:33:20, on 28-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ulrich Green\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Profile CAPI 8,0,000,237 - https://udstedelse.certifikat.tdc.dk/person/applets/entrustprofileapplet-capi.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Visai.bat:
mr-baluba Beginner
28 August 2006 - 20:36 #17
What do the cards say now? ;)
ejvindh Expert
28 August 2006 - 21:35 #18
There was not quite the progress I had hoped for. On the other hand, I now have a little more info on your infection that I can work with. So try the following:

-- Go to Control Panel, Add/Remove Programs, and see whether you are allowed to uninstall the following programs:
BearShare
MyGlobalSearch

-- Run Avenger again. Select "Input Script Manually" and click the magnifying glass - a small window now appears, into which you should copy the contents between the dashed lines:

-----------------------------
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\dqqua1.dll
C:\WINDOWS\system32\lpt1.hui
C:\WINDOWS\system32\opsd.dll

Folders to Delete:
C:\Program Files\GfedUsden64F
C:\Program Files\BearShare
C:\Program Files\MyGlobalSearch

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
-----------------------------

-- Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

-- After the restart a Notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

-- Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab

-- Restart the computer and make a new HijackThis log, which you post here together with the log from Avenger. Please also make a new log with visai.bat and with combofix, so I can see how far we have got :-)
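The fix list in the post above can be checked mechanically against the next HijackThis log to see which flagged entries are really gone. This is an added example, not part of the original thread: the function names are its own, and the follow-up sample is an abridged excerpt of the HijackThis log posted in the next reply.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

# Meaning of the section codes that occur in the fix list.
SECTIONS = {
    "R0": "IE start/search page",
    "R3": "URL search hook",
    "O2": "Browser Helper Object",
    "O6": "IE options locked by policy",
    "O15": "Trusted Zone site or IP range",
    "O16": "Downloaded ActiveX object",
}

# The lines the helper asked to have ticked and fixed (copied from the post above).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B9D572AB-9E8B-2AF8-A8E7-E84BCE158751} - C:\WINDOWS\dqqua1.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
"""

# Abridged sample of the follow-up log; process lines are included to show they are skipped.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def entry_key(line):
    """Return ((code, identity), value) for an entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), re.sub(r"\s+", " ", m.group(2))
    # "(file missing)" is an annotation, not part of the entry's identity.
    body = re.sub(r"\s*\(file missing\)$", "", body, flags=re.IGNORECASE)
    value = ""
    if code in ("R0", "R1"):
        # Registry value name and its data: same name with new data counts as "changed".
        body, _, value = body.partition("=")
    return (code, body.strip().lower()), value.strip().lower()


def parse_entries(text):
    """Map entry identity -> (value, original line) for every entry line in text."""
    entries = {}
    for line in text.splitlines():
        parsed = entry_key(line)
        if parsed:
            key, value = parsed
            entries.setdefault(key, (value, line.strip()))
    return entries


def verify_fix(fix_list, followup_log):
    """Sort each fix-list entry into removed / persisting / changed."""
    present = parse_entries(followup_log)
    result = {"removed": [], "persisting": [], "changed": []}
    for key, (value, line) in parse_entries(fix_list).items():
        if key not in present:
            result["removed"].append(line)
        elif present[key][0] == value:
            result["persisting"].append(line)
        else:
            # Report the line as it now appears in the follow-up log.
            result["changed"].append(present[key][1])
    return result


if __name__ == "__main__":
    for status, lines in verify_fix(FIX_LIST, FOLLOWUP_LOG).items():
        print(f"{status}: {len(lines)}")
        for line in lines:
            code = line.split(" - ", 1)[0]
            print(f"  [{SECTIONS.get(code, code)}] {line}")
```

Entries reported as persisting are the ones to raise in the next round of the cleanup.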
mr-baluba Beginner
28 August 2006 - 22:46 #19
Was able to uninstall Bearshare, but not myglobalsearch (it said it did not exist).

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gubvtyln

*******************

Script file located at: \??\C:\aehlrjca.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\dqqua1.dll not found!
Deletion of file C:\WINDOWS\dqqua1.dll failed!

Could not process line:
C:\WINDOWS\dqqua1.dll
Status: 0xc0000034



File C:\WINDOWS\system32\lpt1.hui not found!
Deletion of file C:\WINDOWS\system32\lpt1.hui failed!

Could not process line:
C:\WINDOWS\system32\lpt1.hui
Status: 0xc0000034

File C:\WINDOWS\system32\opsd.dll deleted successfully.
Folder C:\Program Files\GfedUsden64F deleted successfully.
Folder C:\Program Files\BearShare deleted successfully.
Folder C:\Program Files\MyGlobalSearch deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 22:41:19, on 28-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ulrich Green\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Profile CAPI 8,0,000,237 - https://udstedelse.certifikat.tdc.dk/person/applets/entrustprofileapplet-capi.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


ComboFix:

Ulrich Green - 06-08-28 22:42:32,53
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Ulrich Green\Desktop

(((((((((((((((((((((((((((((((  Files Created from 2006-07-28 to 2006-08-28  ))))))))))))))))))))))))))))))))))


2006-08-27    23:13    177    --a------    C:\visai.bat


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-28 22:22    --------    d--------    C:\Program Files\Canasis
2006-08-28 15:17    --------    d--------    C:\Program Files\BitComet
2006-08-27 19:15    --------    d--------    C:\Program Files\ewido anti-spyware 4.0
2006-08-27 14:57    --------    d--------    C:\Program Files\SUPERAntiSpyware
2006-08-27 11:34    --------    d--------    C:\Documents and Settings\Ulrich Green\Application Data\SUPERAntiSpyware.com
2006-08-12 03:05    --------    d--------    C:\Program Files\Internet Explorer
2006-08-10 17:12    --------    d--------    C:\Program Files\Free Solitaire 3D
2006-08-03 02:50    776096    --a------    C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-03 02:50    27776    --a------    C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-03 02:24    --------    d--------    C:\Program Files\YourWare Solutions
2006-08-03 02:16    --------    d--------    C:\Program Files\Zone Labs
2006-08-03 01:41    --------    d--------    C:\Program Files\Registry Mechanic
2006-08-03 01:39    --------    d--------    C:\Program Files\VideoLAN
2006-08-03 01:39    --------    d--------    C:\Program Files\UnPacker
2006-08-03 01:33    --------    d--h-----    C:\Program Files\InstallShield Installation Information
2006-07-27 15:24    679424    --a------    C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:24    72704    --a------    C:\WINDOWS\system32\hlink.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_EMC"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgemc.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=hex:01,00,00,00
"NoRecentDocsNetHood"=hex:01,00,00,00
"NoDrives"=hex:00,00,00,00
"MaxRecentDocs"=dword:00000004
"NoUserNameInStartMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NoActiveDesktop"=hex:01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~2\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TabUserW.exe.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\TabUserW.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\TabUserW.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\WTablet\\TabUserW.exe "
"item"="TabUserW.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~2\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"iPodService"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Camera Detector"="C:\\PROGRA~2\\ACDSYS~1\\DEVDET~1\\DEVDET~1.EXE -autorun"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\New Task.job
C:\WINDOWS\tasks\Windows Update.job

Completion time: 28-08-2006 22:43:44.29
ComboFix.txt
ComboFix2.txt


visai.bat:


ejvindh Expert
29 August 2006 - 09:28 #20
It is starting to look sensible. I think it is close to being beaten. Does the computer run better now than before?

Most of what follows is probably just cleanup. However, I would also like to see a couple more logs, since the contents of visai.bat puzzle me a little.

-- Download Silent Runners here:
http://www.silentrunners.org/Silent%20Runners.vbs
Run the program, click Yes. Click OK. Then wait until a message appears saying that the log file is finished. Find the log file and post it here (it is saved in the same folder as the Silent Runners program).

-- Go to the bottom of this page and download RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Unpack the file to a folder on the desktop. Unplug the network cable from the computer, and close all open windows. Open the RootkitRevealer folder and double-click rootkitrevealer.exe
Click Options, and make sure that "Hide standard NTFS Metadata files" is checked. Then click Scan, at the bottom right. While the program is scanning, you must not use the computer for anything else. When the scan is finished, click File again, choose Save and save the log file. Copy RootkitReveal.txt in here.

-- Copy the contents between the dashed lines into a Notepad window, and save them on the desktop as fixai.reg. You must make sure that "All files" is selected next to "file types".

---------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
---------------------------
Then double-click the new file. When Windows asks whether you want to add the information to the registry, answer yes. If SUPERAntiSpyware reacts at this point, you must accept that new information is being added.

-- Download DelDomains.inf (right-click the link and choose "Save Target As"/"Save Link As"):
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click DelDomains.inf and choose: Install
This will remove all entries in the trusted and restricted zones. That means that if you have installed IE-Spyad, or have added sites to "Klassificerede Websteder" (classified sites) yourself, you will have to do so again after we have finished cleaning your PC.

-- Finally, you are also welcome to make a new log with HijackThis and visai.bat.
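How regedit processes fixai.reg, as an added example that is not part of the original post: a small Python parser for REGEDIT4 text that applies the file line by line to an in-memory model and lists the values that still differ from what the fix sets. The "before" export, its DLL path and all function names are constructed for illustration.

```python
import re

# fixai.reg exactly as posted in the thread.
FIXAI_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

# Constructed "before" export for the demo; the DLL path is a placeholder.
BEFORE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\placeholder.dll"
"Spooler"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
'''

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # \\ -> \ and \" -> "

def _parse_data(raw):
    raw = raw.strip()
    if raw == "-":
        return None  # "name"=- deletes the value
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\([0-9a-f]+\))?:(.*)$', raw, re.I)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    raise ValueError("unsupported value data: %r" % raw)

def parse_reg(text):
    """Return the file's operations, in order, as (op, key, name, data)."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex continuation lines
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-KEY] deletes the whole key
                ops.append(("delkey", key[1:], None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "" if m.group(2) else _unescape(m.group(1))  # @ = default value
        data = _parse_data(m.group(3))
        ops.append(("delvalue" if data is None else "set", key, name, data))
    return ops

def apply_reg(state, text):
    """Merge .reg text into a copy of state; names are case-insensitive."""
    new = {k: dict(v) for k, v in state.items()}
    for op, key, name, data in parse_reg(text):
        k = key.lower()
        if op == "delkey":
            for sub in [e for e in new if e == k or e.startswith(k + "\\")]:
                del new[sub]
        elif op == "delvalue":
            new.get(k, {}).pop(name.lower(), None)
        else:
            new.setdefault(k, {})[name.lower()] = data
    return new

def expected_values(text):
    """Final data per (key, name); None = must be absent. Key deletions skipped."""
    return {(k.lower(), n.lower()): d
            for op, k, n, d in parse_reg(text) if op != "delkey"}

def drift(state, text):
    """List (key, name, expected, actual) where state differs from the fix."""
    return [(k, n, exp, state.get(k, {}).get(n))
            for (k, n), exp in sorted(expected_values(text).items())
            if state.get(k, {}).get(n) != exp]

if __name__ == "__main__":
    before = apply_reg({}, BEFORE_REG)
    print(drift(before, FIXAI_REG))                         # values the fix changes
    print(drift(apply_reg(before, FIXAI_REG), FIXAI_REG))   # nothing left to change
```

Because the file deletes `AppInit_DLLs` and then writes it back as an empty string, the value exists but names no DLL afterwards, and other values under the same key (here the constructed `Spooler`) are left untouched.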
mr-baluba Beginner
29 August 2006 - 14:04 #21
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"FreeRAM XP" = ""C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win" ["YourWare Solutions (TM)"]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVG7_EMC" = "C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
  -> {HKLM...CLSID} = "My Logitech Pictures"
                  \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                  \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL" ["SUPERAntiSpyware.com"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
                  \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
                  \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
                  \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
                  \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Ulrich Green\My Documents\Flash Projekt\DoY\discovery-1600x.bmp"


Enabled Scheduled Tasks:
------------------------

"New Task" -> WARNING -- The file "New Task.job" is corrupt! (no executable)
"Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {HKLM...CLSID} = "Web Browser Applet Control"
                  \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users.WINDOWS/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TabletService, TabletService, "C:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i560\Driver = "CNMLM58.DLL" ["CANON INC."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 42 seconds, including 12 seconds for message boxes)


Rootkit stuff:

HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40    2/21/2005 6:12 PM    0 bytes    Hidden from Windows API.
C:\$AttrDef    1/5/2002 4:54 AM    2.50 KB    Hidden from Windows API.
C:\$BadClus    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$BadClus:$Bad    1/5/2002 4:54 AM    74.52 GB    Hidden from Windows API.
C:\$Bitmap    1/5/2002 4:54 AM    2.33 MB    Hidden from Windows API.
C:\$Boot    1/5/2002 4:54 AM    8.00 KB    Hidden from Windows API.
C:\$Extend    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$ObjId    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$Quota    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$Reparse    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$LogFile    1/5/2002 4:54 AM    64.00 MB    Hidden from Windows API.
C:\$MFT    1/5/2002 4:54 AM    129.28 MB    Hidden from Windows API.
C:\$MFTMirr    1/5/2002 4:54 AM    4.00 KB    Hidden from Windows API.
C:\$Secure    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$UpCase    1/5/2002 4:54 AM    128.00 KB    Hidden from Windows API.
C:\$Volume    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\Documents and Settings\Ulrich Green\Local Settings\Temporary Internet Files\Content.IE5\SHEJWL6N\search[1].:    4/18/2005 8:20 PM    16.65 KB    Hidden from Windows API.
C:\WINDOWS\_default.pif:qcabd    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qdaduo    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qddff    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qdoys    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qdtrr    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qeepv    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qepys    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qeyat    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qfblk    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qfqnlk    6/13/2005 4:27 PM    3.48 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qfuvu    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qfvap    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qgmvq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qgvyj    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qhyua    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:qhzqf    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:viwgz    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vjfub    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vjtvb    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vjyqv    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vkdto    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vkmja    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vkpke    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vksfy    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vkyax    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vmfcu    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vmmgn    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vmvtz    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vngdj    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vohsl    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:voutu    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vppwo    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vpxkk    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vqgpt    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vqnwn    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vrkcyf    6/13/2005 4:27 PM    16.64 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vsele    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vsrue    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vtahl    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vtlwe    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vtvlp    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vtzvr    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vugjq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vvpwv    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vvvzfl    6/13/2005 4:27 PM    11.49 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vvxsg    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vvxzh    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vwzpb    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vxfkz    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vygnh    6/13/2005 4:27 PM    0 bytes    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vyxjv    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vyxyi    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vzsaf    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:vzuvc    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:waojb    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:waosy    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:waxrv    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wbefj    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wckrt    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wcvcz    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wdbxx    6/13/2005 4:27 PM    0 bytes    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wdisf    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wdnlh    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wdsdaq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wdvmsb    6/13/2005 4:27 PM    65.00 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:weddm    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:weijr    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wetfo    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wfbfk    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wfkwdq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wfxoz    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wgdub    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wghzf    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wgvoy    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:whbxk    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:whhyb    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:whrak    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:whxly    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wives    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wjflx    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wkfbb    6/13/2005 4:27 PM    83.06 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wknba    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wkqwj    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wmenq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wmkyc    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wmmvp    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wmqlb    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wmyec    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wnxoj    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:woecd    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:woltl    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wotfk    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wpcnn    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wqdrd    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wqlol    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wqltf    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wqvwy    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wsbjr    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wsnkp    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wtbcl    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wtfeo    6/13/2005 4:27 PM    83.06 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wtoib    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wukqj    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wusdf    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wvsii    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wvyeo    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wwpuk    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wwzyo    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wxipo    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wxyzs    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wzete    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wzjbs    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:wzuje    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xamva    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xbkyp    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xbrue    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xbzzz    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xcikw    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xcstb    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xcvrh    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xddch    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xdlkl    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xeixr    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xensp    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xewpz    6/13/2005 4:27 PM    122.65 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xfnwa    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xgapg    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xgibq    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xgots    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xherh    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xhlsd    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xhrrp    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xiecu    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xioyv    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xisll    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xjsaow    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xjxvw    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xkdrm    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xkmpn    6/13/2005 4:27 PM    82.73 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xkuja    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xlccx    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xlemy    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xllff    6/13/2005 4:27 PM    82.23 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xlyyu    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xlzas    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xmvtf    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xneot    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xnklf    6/13/2005 4:27 PM    83.06 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xntkl    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xnykd    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xodfh    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xonxo    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xpjpo    6/13/2005 4:27 PM    83.08 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xprlo    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xqfkv    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xqmzd    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:xqotd    6/13/2005 4:27 PM    83.08 KB    Visible in Window
mr-baluba (Beginner)
29 August 2006 - 14:05 #22
Yes, it is a good deal better now. The CPU pretty much only works when you ask it to do something now :D
ejvindh (Expert)
29 August 2006 - 14:28 #23
That looks sensible. I don't have time to go through all of it right now, but please run the following:

Create a batch file with the following contents and run it.

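rem Copy only the main data stream into a fresh _default.pif, then delete the renamed original together with its alternate data streams
ren C:\WINDOWS\_default.pif temp.txt
type C:\WINDOWS\temp.txt > C:\WINDOWS\_default.pif
del C:\WINDOWS\temp.txt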

In addition, I would still like to see the logs from HJT and visai.bat ;-)
ejvindh (Expert)
29 August 2006 - 19:20 #24
OK, I'm looking at it now. So just hold off on the last post I made. I'll work it all into the next post...
ejvindh (Expert)
29 August 2006 - 19:43 #25
Copy the contents between the dashed lines into a Notepad window and save them to the desktop. When you save the file, type c:\Oprydning.bat next to "File name", and make sure that "File types" is set to "All files":

------------
(cd c:\windows
echo ren _default.pif defaultpif.tmp
ren _default.pif defaultpif.tmp
type defaultpif.tmp > C:\WINDOWS\_default.pif
echo.
echo del defaultpif.tmp
del /q defaultpif.tmp
echo.
echo cd c:\WINDOWS\Tasks
cd c:\WINDOWS\Tasks
echo.
echo attrib -r -s -h "New Task.job"
attrib -r -s -h "New Task.job"
echo.
echo del /q "New Task.job"
del /q "New Task.job"
)>c:\oprydnlog.txt 2>&1
start c:\windows\notepad.exe c:\oprydnlog.txt
------------
Then click Start > Run, type CMD in the box, and click OK. A small DOS window will open. In it, type the following (followed by <enter>):
c:\oprydning.bat

After a short while a Notepad window will pop up; post its contents here.

Once you have done this, please post a new log from RootkitRevealer here, together with a log from HijackThis.
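One way to triage a RootkitRevealer log like the ones requested in this thread, as an added Python example that is not part of the original post: it separates the NTFS metadata files that RootkitRevealer lists on any volume from alternate data streams attached to a host file (the pattern seen on C:\WINDOWS\_default.pif) and totals the streams per file. The sample log is constructed, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the RootkitRevealer logs in this
# thread (path, timestamp, size, description). Stream names are invented.
SAMPLE_LOG = r"""
HKLM\SYSTEM\ControlSet001\Services\example\Cfg\0Jf40    2/21/2005 6:12 PM    0 bytes    Hidden from Windows API.
C:\$MFT    1/5/2002 4:54 AM    129.28 MB    Hidden from Windows API.
C:\$Extend\$Quota    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$BadClus:$Bad    1/5/2002 4:54 AM    74.52 GB    Hidden from Windows API.
C:\WINDOWS\_default.pif:aaaaa    6/13/2005 4:27 PM    28.50 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:bbbbb    6/13/2005 4:27 PM    82.17 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_default.pif:ccccc    6/13/2005 4:27 PM    0 bytes    Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Local Settings\Temp\sample.tmp    4/18/2005 8:20 PM    16.65 KB    Hidden from Windows API.
"""

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Convert a size column such as '28.50 KB' or '0 bytes' to bytes."""
    value, unit = text.split()
    return int(float(value) * UNITS[unit])


def parse_line(line):
    """Split one log line into its four columns; return None for anything else."""
    # Columns are separated by tabs in the tool's export, or by runs of spaces
    # once pasted into a forum. Paths only ever contain single spaces.
    fields = re.split(r"\t+| {2,}", line.strip())
    if len(fields) != 4:
        return None
    path, timestamp, size, description = fields
    try:
        size_bytes = parse_size(size)
    except (ValueError, KeyError):
        return None
    return {"path": path, "timestamp": timestamp,
            "bytes": size_bytes, "description": description}


def classify(path):
    """Return (kind, host_file, stream_name) for a reported path."""
    if re.match(r"^HK(LM|CU|CR|U|CC)\\", path, re.IGNORECASE):
        return "registry", None, None
    # NTFS metadata files ($MFT, $Secure, ...) are always hidden from the
    # Windows API, so RootkitRevealer lists them on clean systems too.
    if re.match(r"^[A-Za-z]:\\\$", path):
        return "ntfs_metadata", None, None
    # A colon after the drive prefix separates host file and stream name.
    host, sep, stream = path[2:].partition(":")
    if sep and stream:
        return "ads", path[:2] + host, stream
    return "file", None, None


def triage(log_text):
    """Count entries per kind, total the streams per host file, list what to review."""
    counts = defaultdict(int)
    streams = defaultdict(lambda: {"count": 0, "bytes": 0})
    review = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind, host, _stream = classify(entry["path"])
        counts[kind] += 1
        if kind == "ads":
            streams[host]["count"] += 1
            streams[host]["bytes"] += entry["bytes"]
        if kind != "ntfs_metadata":
            review.append(entry["path"])
    return {"counts": dict(counts),
            "streams": {host: dict(total) for host, total in streams.items()},
            "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("entries per kind:", result["counts"])
    for host, total in result["streams"].items():
        print(f"{host}: {total['count']} streams, {total['bytes']} bytes")
    print("entries left to review:", len(result["review"]))
```

A host file that carries many streams, as in the first log, stands out in the per-file totals, while a log that contains only metadata entries leaves the review list almost empty.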
mr-baluba (Beginner)
29 August 2006 - 23:38 #26
oprydning.bat:

ren _default.pif defaultpif.tmp

del defaultpif.tmp

cd c:\WINDOWS\Tasks

attrib -r -s -h "New Task.job"

del /q "New Task.job"

RootkitRevealer:

HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40    2/21/2005 6:12 PM    0 bytes    Hidden from Windows API.
C:\$AttrDef    1/5/2002 4:54 AM    2.50 KB    Hidden from Windows API.
C:\$BadClus    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$BadClus:$Bad    1/5/2002 4:54 AM    74.52 GB    Hidden from Windows API.
C:\$Bitmap    1/5/2002 4:54 AM    2.33 MB    Hidden from Windows API.
C:\$Boot    1/5/2002 4:54 AM    8.00 KB    Hidden from Windows API.
C:\$Extend    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$ObjId    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$Quota    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$Extend\$Reparse    1/5/2002 4:11 AM    0 bytes    Hidden from Windows API.
C:\$LogFile    1/5/2002 4:54 AM    64.00 MB    Hidden from Windows API.
C:\$MFT    1/5/2002 4:54 AM    129.28 MB    Hidden from Windows API.
C:\$MFTMirr    1/5/2002 4:54 AM    4.00 KB    Hidden from Windows API.
C:\$Secure    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\$UpCase    1/5/2002 4:54 AM    128.00 KB    Hidden from Windows API.
C:\$Volume    1/5/2002 4:54 AM    0 bytes    Hidden from Windows API.
C:\Documents and Settings\Ulrich Green\Local Settings\Temporary Internet Files\Content.IE5\SHEJWL6N\search[1].:    4/18/2005 8:20 PM    16.65 KB    Hidden from Windows API.


HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 23:34:55, on 29-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Ulrich Green\Desktop\hijackthis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Open In &New Window - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Ulrich Green\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Profile CAPI 8,0,000,237 - https://udstedelse.certifikat.tdc.dk/person/applets/entrustprofileapplet-capi.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/0fddb359/enter.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0504.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And visai, in case you want it:

mr-baluba Beginner
29 August 2006 - 23:48 #27
That has really helped. Just great! You said it was a new infection... Can anything be said about when I got it? I mean, was it within the last few months, or could it have been 1-2 years ago? Because that is how long ago I remember it running properly :P I have been glad to have the laptop in the meantime.
ejvindh Expert
30 August 2006 - 08:40 #28
You can read about the infection and its history here:
http://194.177.97.44:85/gromozon.pdf

All the signs point to the infection having been beaten now. There is only one piece of information that makes me waver a little, and that is the visai.bat log, where it looks as if the "evil" entry is still there. I would like to keep working on getting it removed (I still have a couple of tricks up my sleeve for how we can get rid of it), but I will leave it up to you whether you want to continue. Even though the entry is in visai.bat, I don't think it is active, since we have deleted the file that belongs to it. So just report back on whether you feel like working on it further.

In the meantime, here is the usual farewell salute about cleaning up and staying protected in the future:

To finish the job completely:
It can be a good idea to clean out the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
It can also be a good idea to hide your system files and folders again, so that you don't delete an important file by mistake. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

It can also be a good idea to clear out your temporary files. That can be done quickly and easily with this file:
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

To prevent a repeat, I would recommend that you install a few small programs that stop spyware from getting in in the first place. You will find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

I would also suggest that you read this article on how you can avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
mr-baluba Beginner
30 August 2006 - 15:34 #29
OK, I think I will leave it as it is for now. I am going on a freshers' trip tomorrow, so it will be a few days before it becomes relevant.

But 1000 thanks for the fantastic and thorough help. I don't really know what you did, but it worked :)
ejvindh Expert
30 August 2006 - 16:17 #30
You're welcome -- and yes, freshers' trips have to be respected ;-)