04-15-2005, 01:43 AM   #8
geesan
Registered User
 
Join Date: Apr 2005
Posts: 8
OS: W2K


Logs

Hi,

Here you have the two logs:

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:51, on 15/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\gl\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.18.101.4:3128
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Download Images by Picture Finder - C:\Program Files\Super Picture Finder Grabber\pf_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://appser2.vmw.be:8001/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSTestware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PSTestware.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PSTestware.com
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\kt4ml7h11.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


Startdreck Log:

StartDreck (build 2.1.7 public stable) - 2005-04-15 @ 09:38:48 (GMT +02:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as GL at PSTMOB079

»Registry
»Run Keys
»Current User
»Run
*HitwarePKLite=C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*ATIModeChange=Ati2mdxx.exe
*NeroCheck=C:\WINNT\System32\NeroCheck.exe
*CloneCDElbyCDFL="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
*ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
*McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile="C:\Program Files\Macromedia\Dreamweaver UltraDev 4\UltraDev.exe" "%1"
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer Access/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express Access/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+EnableRevocation/{6A5110B5-E14B-4268-A065-EF89FF33C325}
*StubPath=regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\System32\ie4uinit.exe
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=c:\winnt\system32\blank.htm
*Search Bar=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
*Window Title=Microsoft Internet Explorer
*CustomizeSearch=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
+SearchUrl
*provider=
*=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=c:\winnt\system32\blank.htm
*Search Bar=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*CustomizeSearch=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*Network.ConnectionTray={7007ACCF-3202-11D1-AAD2-00805FC1270E}
`InprocServer32=C:\WINNT\system32\NETSHELL.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINNT\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINNT\wininit.ini
`[Rename]
`NUL=
*C:\WINNT\system32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 www.igetnet.com
`127.0.0.1 code.ignphrases.com
`127.0.0.1 clear-search.com
`127.0.0.1 r1.clrsch.com
`127.0.0.1 sds.clrsch.com
`127.0.0.1 status.clrsch.com
`127.0.0.1 www.clrsch.com
`127.0.0.1 clr-sch.com
`127.0.0.1 sds-qckads.com
`127.0.0.1 status.qckads.com
`127.0.0.1 status.qckads.com
`127.0.0.1 status.qckads.com
`127.0.0.1 status.qckads.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\system32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\WINNT\system32\notepad.exe
*C:\WINNT\NOTEPAD.EXE
+C:\WINNT\system32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\system32\winhlp32.exe
*C:\WINNT\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+180=\SystemRoot\System32\smss.exe
+204=<unkown>
+224=\??\C:\WINNT\system32\winlogon.exe
+252=C:\WINNT\system32\services.exe
+264=C:\WINNT\system32\lsass.exe
+412=C:\WINNT\system32\svchost.exe
+452=C:\WINNT\System32\svchost.exe
+504=C:\WINNT\system32\spoolsv.exe
+548=C:\WINNT\System32\Ati2evxx.exe
+568=c:\centenn.ial\audit\CAgent32.exe
+600=c:\centenn.ial\audit\xferwan.exe
+696=C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
+744=C:\Program Files\Network Associates\VirusScan\mcshield.exe
+760=C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
+828=C:\WINNT\system32\regsvc.exe
+844=C:\WINNT\system32\MSTask.exe
+924=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
+976=C:\WINNT\System32\WBEM\WinMgmt.exe
+992=C:\WINNT\System32\mspmspsv.exe
+1008=C:\WINNT\system32\svchost.exe
+1036=<unkown>
+1304=C:\WINNT\system32\rundll32.exe
+1388=C:\WINNT\Explorer.EXE
+1496=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
+1484=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
+1480=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
+1560=C:\Program Files\Internet Explorer\iexplore.exe
+1568=C:\Program Files\interMute\SpySubtract\SpySub.exe
+1436=C:\Program Files\Internet Explorer\iexplore.exe
+1760=C:\Program Files\Internet Explorer\iexplore.exe
+1792=C:\Program Files\Internet Explorer\iexplore.exe
+2020=D:\Prive\GL\software\startdreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
*C:\Program Files\Microsoft Office\Office\STARTUP\MSCREATE.DIR
*C:\Program Files\Microsoft Office\Office\STARTUP\PDFMaker.dot
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User